MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b463ac9a5e008df75e1692944d7459bfe5df7c004806be2be9352383bd7bf477. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 13


Intelligence 13 IOCs YARA 8 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b463ac9a5e008df75e1692944d7459bfe5df7c004806be2be9352383bd7bf477
SHA3-384 hash: cfdfde14cafa26d0ebc27b67861913cf3b647913eb8f571be29faeceeac7f642b2c3016c4cad4e0a7af8bbe60fe8a853
SHA1 hash: 5b5e997d9cb7ec821e3ac0ce7088cb32edc8a070
MD5 hash: 7972f32cc11047ed8f5f6900c76fe69f
humanhash: sierra-monkey-nitrogen-echo
File name:FileZilla Pro 3.69.1 (x64).exe
Download: download sample
File size:23'806'204 bytes
First seen:2025-04-29 13:02:03 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 262f7b623746b414d0e9c48c1d61145e (2 x CoinMiner, 2 x HijackLoader, 1 x Spambot.Kelihos)
ssdeep 393216:q0Fxb8yuOgU3DUunFHOFTeBtvkRXgoeub6p3a8ToZ9dcrSpwLA5HgNRBykHb3jv:/Fxb8yuOgTFFTPgoDlN9dcswWWHbzv
Threatray 91 similar samples on MalwareBazaar
TLSH T16137F1217A9EC43BE66E05B05A2D9AAF912C6D620B7044C7B3DCBC5B26744C35332F67
TrID 40.3% (.EXE) Win64 Executable (generic) (10522/11/4)
19.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
17.2% (.EXE) Win32 Executable (generic) (4504/4/1)
7.7% (.EXE) OS/2 Executable (generic) (2029/13)
7.6% (.EXE) Generic Win/DOS Executable (2002/3)
Magika pebin
dhash icon 4a696ddce4f4f261 (26 x Gozi, 9 x AgentTesla, 3 x FFDroider)
Reporter aachum
Tags:exe


Avatar
iamaachum
https://getintoway.com/filezilla-pro/ => https://www.mediafire.com/file/5kbn1me5uwaax8k/FileZilla_Pro_3.69.1_(x86)_(x64).tar/file

Intelligence

File Origin
# of uploads :
1
# of downloads :
434
Origin country :
ES ES
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
FileZilla Pro 3.69.1 (x64).exe
Verdict:
Malicious activity
Analysis date:
2025-04-29 13:13:48 UTC
Tags:
advancedinstaller phishing
Link:
https://app.any.run/tasks/aa77e2b9-c602-4f1b-b891-f0c04f6537f6

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/5004/
Detection(s):
SecuriteInfo.com.Variant.Zusy.588741.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6810d25ccc5fb3600cc487f1
Tags:
dropper virus sage
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Creating a file in the %temp% directory
Searching for synchronization primitives
Creating a file
Deleting a recently created file
Creating a process from a recently created file
Creating a file in the Program Files subdirectories
Launching a process
Modifying a system file
Creating a file in the Windows subdirectories
Moving a recently created file
Replacing files
Enabling autorun with the shell\open\command registry branches
Enabling autorun by creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
adaptive-context anti-vm cmd evasive expand fingerprint installer lolbin microsoft_visual_cc msiexec overlay overlay packed packed packer_detected remote runonce stealer
Link:
https://www.filescan.io/uploads/6810cdd846fe05453ca9ed03/reports/311071a9-84b0-44b7-87de-63f31dd83fb5/overview
Verdict:
Malicious
Labled as:
Midie.Generic
Link:
https://www.hybrid-analysis.com/sample/b463ac9a5e008df75e1692944d7459bfe5df7c004806be2be9352383bd7bf477
Result
Threat name:
n/a
Detection:
malicious
Classification:
troj.evad
Score:
76 / 100
Link:
https://www.joesandbox.com/analysis/1677330
Signature
Antivirus detection for dropped file
Antivirus detection for URL or domain
Bypasses PowerShell execution policy
Creates an undocumented autostart registry key
Creates files in the recycle bin to hide itself
Creates files in the system32 config directory
Drops executables to the windows directory (C:\Windows) and starts them
Encrypted powershell cmdline option found
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has nameless sections
Powershell drops PE file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Sample uses process hollowing technique
Sigma detected: Execution from Suspicious Folder
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Suspicious powershell command line found
Uses cmd line tools excessively to alter registry or file data
Writes to foreign memory regions
Yara detected Costura Assembly Loader
Yara detected PersistenceViaHiddenTask
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1677330 Sample: FileZilla Pro 3.69.1 (x64).exe Startdate: 29/04/2025 Architecture: WINDOWS Score: 76 122 stats-1.crabdance.com 2->122 124 pki-goog.l.google.com 2->124 126 4 other IPs or domains 2->126 152 Antivirus detection for URL or domain 2->152 154 Multi AV Scanner detection for dropped file 2->154 156 Multi AV Scanner detection for submitted file 2->156 158 8 other signatures 2->158 11 FileZilla Pro 3.69.1 (x64).exe 1 58 2->11         started        14 msiexec.exe 22 37 2->14         started        16 CanReuseTransform.exe 2->16         started        19 8 other processes 2->19 signatures3 process4 file5 98 C:\Users\user\AppData\Local\...\shiF205.tmp, PE32+ 11->98 dropped 100 C:\Users\user\AppData\Local\...\pre31C4.tmp, PE32 11->100 dropped 112 8 other malicious files 11->112 dropped 21 s.exe 46 1007 11->21         started        24 cmd.exe 11->24         started        27 cmd.exe 11->27         started        29 msiexec.exe 11->29         started        102 C:\Windows\Installer\MSI3C46.tmp, PE32 14->102 dropped 104 C:\Windows\Installer\MSI3ABD.tmp, PE32 14->104 dropped 106 C:\Windows\Installer\MSI3935.tmp, PE32 14->106 dropped 114 6 other malicious files 14->114 dropped 31 msiexec.exe 14->31         started        33 msiexec.exe 14->33         started        38 2 other processes 14->38 134 Multi AV Scanner detection for dropped file 16->134 136 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 16->136 138 Writes to foreign memory regions 16->138 146 3 other signatures 16->146 35 MSBuild.exe 16->35         started        108 C:\Windows\System32\config\...\Value.exe, PE32+ 19->108 dropped 110 C:\Windows\System32\...\CanReuseTransform.exe, PE32+ 19->110 dropped 140 Antivirus detection for dropped file 19->140 142 Creates files in the system32 config directory 19->142 144 Loading BitLocker PowerShell Module 19->144 40 5 other processes 19->40 signatures6 process7 dnsIp8 80 C:\Users\user\AppData\...\nsis_appid.dll, PE32 21->80 dropped 82 C:\Users\user\AppData\Local\...\UserInfo.dll, PE32 21->82 dropped 84 C:\Users\user\AppData\Local\Temp\...\UAC.dll, PE32 21->84 dropped 90 32 other malicious files 21->90 dropped 42 regsvr32.exe 21->42         started        164 Uses cmd line tools excessively to alter registry or file data 24->164 45 conhost.exe 24->45         started        47 attrib.exe 24->47         started        59 3 other processes 24->59 49 conhost.exe 27->49         started        51 attrib.exe 27->51         started        61 3 other processes 27->61 86 C:\Windows\SystemTemp\scr3D47.ps1, Unicode 31->86 dropped 88 C:\Windows\SystemTemp\pss3D59.ps1, Unicode 31->88 dropped 53 powershell.exe 31->53         started        166 Bypasses PowerShell execution policy 33->166 128 loadingfreedlophr.com.de 213.209.150.69, 49695, 49696, 49697 KEMINETAL Germany 35->128 168 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 35->168 57 chrome.exe 35->57         started        file9 signatures10 process11 dnsIp12 170 Creates an undocumented autostart registry key 42->170 130 loadingfreelofhr.net 185.208.156.66, 443, 49691, 49692 SIMPLECARRIERCH Switzerland 53->130 96 C:\Users\user\AppData\...\VC_redist.x64.exe, PE32 53->96 dropped 172 Powershell drops PE file 53->172 63 VC_redist.x64.exe 53->63         started        67 conhost.exe 53->67         started        file13 signatures14 process15 file16 116 C:\Users\user\AppData\Local\Temp\...\info.exe, PE32+ 63->116 dropped 118 C:\Users\user\...\dotNetFx46_Full_setup.exe, PE32+ 63->118 dropped 120 C:\Users\user\AppData\...\VC_redist.x86.exe, PE32+ 63->120 dropped 148 Multi AV Scanner detection for dropped file 63->148 150 Creates files in the recycle bin to hide itself 63->150 69 VC_redist.x86.exe 63->69         started        73 dotNetFx46_Full_setup.exe 63->73         started        75 info.exe 63->75         started        signatures17 process18 dnsIp19 92 C:\Users\user\AppData\Roaming\...\Value.exe, PE32+ 69->92 dropped 160 Multi AV Scanner detection for dropped file 69->160 162 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 69->162 94 C:\Users\user\...\CanReuseTransform.exe, PE32+ 73->94 dropped 132 stats-1.crabdance.com 82.115.223.212, 49693, 80 MIDNET-ASTK-TelecomRU Russian Federation 75->132 78 conhost.exe 75->78         started        file20 signatures21 process22
Score:
82%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/b463ac9a5e008df75e1692944d7459bfe5df7c004806be2be9352383bd7bf477
Gathering data
Threat name:
Win32.Trojan.Egairtigado
Create hunting rule
Status:
Malicious
First seen:
2025-04-29 13:02:20 UTC
File Type:
PE (Exe)
Extracted files:
923
AV detection:
16 of 24 (66.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=wrr2zgs6acg7oxqwskke25czx7s567aajadl4k7jguryhpl36r3q._file
Verdict:
malicious
Label(s):
hacktool_uac_dll
Create hunting rule
Similar samples:
22a07506913757e97f80ad6b8f1a2a9ec44d18b0e31fdc7adb89e3506c1ffcda
39281bfb93651a5ae270190f2c2b1ee1dee23af5202534b4c346bc052b7b8fc0
39d6c2455cdf6ef9b7b96cbf6172d1a8d3b9d5719b79ff44d47697ec40f7e209
585ab6c1cdaa65c9d08decf4e1ab1cf9327f00e18d13e85e338268ccc3587aab
b463ac9a5e008df75e1692944d7459bfe5df7c004806be2be9352383bd7bf477
e897c978dee5e96b41276425cbaba157b69e37709116a65133a3d5ac59b9312a
error
+ 81 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
discovery execution persistence privilege_escalation
Link:
https://tria.ge/reports/250429-p9wpwsyxbt/
Behaviour
Modifies data under HKEY_USERS
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Views/modifies file attributes
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Program Files directory
Drops file in Windows directory
Drops file in System32 directory
Suspicious use of SetThreadContext
Enumerates connected drives
Checks installed software on the system
Drops desktop.ini file(s)
Checks computer location settings
Event Triggered Execution: Component Object Model Hijacking
Executes dropped EXE
Loads dropped DLL
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
Downloads MZ/PE file
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/a3822599-6642-4d6b-835f-3c74c2599b0d
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b463ac9a5e008df75e1692944d7459bfe5df7c004806be2be9352383bd7bf477

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:detect_powershell
Create hunting rule
Author:daniyyell
Description:Detects suspicious PowerShell activity related to malware execution
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe b463ac9a5e008df75e1692944d7459bfe5df7c004806be2be9352383bd7bf477

(this sample)

Executable exe e4f6682204ce8ca3a7c7d5b26fa08a367dea4f33969013f3b840f8aaf3e3ed34

  
Link
https://tria.ge/250429-p6yp3s1qz6/behavioral1
  
Dropping
SHA256 e4f6682204ce8ca3a7c7d5b26fa08a367dea4f33969013f3b840f8aaf3e3ed34
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/5004/
  
Dropping
MD5 f31717eaaa7df978792a8a9344568fdd

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
CHECK_TRUST_INFORequires Elevated Execution (level:requireAdministrator)high
Reviews
IDCapabilitiesEvidence
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CreateProcessW
KERNEL32.dll::OpenProcess
KERNEL32.dll::CloseHandle
KERNEL32.dll::CreateThread
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::LoadLibraryExW
KERNEL32.dll::LoadLibraryW
KERNEL32.dll::LoadLibraryExA
KERNEL32.dll::LoadLibraryA
KERNEL32.dll::GetDriveTypeW
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::WriteConsoleW
KERNEL32.dll::ReadConsoleW
KERNEL32.dll::SetConsoleTextAttribute
KERNEL32.dll::SetStdHandle
KERNEL32.dll::GetConsoleOutputCP
KERNEL32.dll::GetConsoleScreenBufferInfo
KERNEL32.dll::GetConsoleMode
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CopyFileW
KERNEL32.dll::CopyFileExW
KERNEL32.dll::CreateDirectoryW
KERNEL32.dll::CreateFileW
KERNEL32.dll::DeleteFileW
KERNEL32.dll::MoveFileW
KERNEL32.dll::MoveFileExW

Comments