MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fb9f0bf2b71bf576053c56cb913ea4e93581fc9d3aa9d6d8a0ae572a1622f050. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



AnyDesk


Vendor detections: 8



SHA256 hash: fb9f0bf2b71bf576053c56cb913ea4e93581fc9d3aa9d6d8a0ae572a1622f050
SHA3-384 hash: f7e2d1a6c2a33df0d416d82bb840ec44d52cb920189b1416f1473310a84deff3f0dd538f1e9ad1de58dc3fd6f75fee4c
SHA1 hash: b06a03adc550ead96534f5e723395c4e16bfdf44
MD5 hash: 6cf5ad7a7d1b7bab0c62e246cf41a985
humanhash: potato-fish-fix-uniform
File name: 1.msi
Signature: AnyDesk
File size: 4'063'232 bytes
First seen: 2022-08-05 16:20:53 UTC
Last seen: Never
File type: Microsoft Software Installer (MSI) msi
MIME type: application/x-msi
ssdeep 98304:pp+vXhd7YjjTcLO6KnQh5YUNa/ckQGQCWijuYAHw:+zkTciIYUNuNCAuPH
Threatray 9 similar samples on MalwareBazaar
TLSH T1411633603AD8C537D2DA0636092E8BAA3A657D755F21C0DB2B587CBC5E317D3AC39342
TrID 98.2% (.MSI) Microsoft Windows Installer (454500/1/170)
1.7% (.) Generic OLE2 / Multistream Compound (8000/1)
Reporter @1ZRR4H
Tags: 80-209-241-3 AnyDesk msi

Intelligence


File Origin
# of uploads: 1
# of downloads: 277
Origin country: CL
Mail intelligence
No data
Vendor Threat Intelligence
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: cmd.exe expand.exe filecoder finfish fingerprint packed shell32.dll
Result
Threat name: Unknown
Detection: malicious
Classification: evad
Score: 100 / 100
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Creates an undocumented autostart registry key
Detected unpacking (changes PE section rights)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides user accounts
Modifies the windows firewall
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Uses netsh to modify the Windows network and firewall settings
Behaviour
Behavior Graph (ID 679413, sample 1.msi, start date 05/08/2022, architecture WINDOWS, score 100)

Root-level signatures: Antivirus detection for dropped file; Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for dropped file; Multi AV Scanner detection for submitted file

Process tree, with the dropped files, network contacts (remote port shown) and per-process signatures recorded in the graph:
- msiexec.exe
  - Network: 192.168.2.3 (unknown)
  - Dropped: C:\Windows\Installer\78c344.msi (Composite); C:\Windows\Installer\78c341.msi (Composite); C:\Windows\Installer\MSIED31.tmp (PE32); 3 other files (none is malicious)
  - msiexec.exe
    - install.exe
      - Network: 80.209.241.3 port 20000 (HOSTKEY-USAUS, United States)
      - Dropped: C:\programdata\anydesk.exe (PE32)
      - Signatures: Creates an undocumented autostart registry key; Hides user accounts; Uses netsh to modify the Windows network and firewall settings; Modifies the windows firewall
      - cmd.exe
        - anydesk.exe
          - Dropped: C:\ProgramData\anydesk\AnyDesk.exe (PE32)
          - Signatures: Detected unpacking (changes PE section rights); Hides that the sample has been downloaded from the Internet (zone.identifier)
      - cmd.exe
        - AnyDesk.exe
        - cmd.exe
      - netsh.exe
      - AnyDesk.exe
    - expand.exe
      - Dropped: C:\Users\user\AppData\...\install.exe (copy) (PE32); C:\...\eee52229ee24a34cb61191d27a7b66f1.tmp (PE32)
    - icacls.exe
    - icacls.exe
  - msiexec.exe
    - cmd.exe
- AnyDesk.exe
  - Network: boot.net.anydesk.com 92.223.88.41 port 80 (GCOREAT, Austria); 195.181.174.167 port 443 (CDN77GB, United Kingdom); 195.181.174.174 port 6568 (CDN77GB, United Kingdom)
  - Signature: Detected unpacking (changes PE section rights)
- AnyDesk.exe
- 7 other processes
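The host-side behaviours the sandbox reported for install.exe and the dropped AnyDesk binary (hidden user accounts, an autostart registry key, netsh firewall changes, Zone.Identifier removal, and the outbound connection to 80.209.241.3 port 20000, which is not an AnyDesk endpoint) can be checked on a suspect Windows host with the PowerShell triage script below. This is an added example, not code from MalwareBazaar or the sandbox vendor. It assumes that "Hides user accounts" was done via the Winlogon SpecialAccounts\UserList key (the usual mechanism behind that signature; the page does not name the key), that the autostart check over the standard Run/RunOnce keys is only best effort (the signature says "undocumented", so the real key may be elsewhere), and it takes the file paths and the IP from the behaviour graph. Run it elevated; the firewall and TCP-connection cmdlets need the NetSecurity and NetTCPIP modules that ship with Windows 8 / Server 2012 and later.

```powershell
# Added host triage script for the behaviours reported for this sample.
# Not from MalwareBazaar or the sandbox vendor. Assumptions are marked below.

$findings = @()

# 1. Hidden local accounts. A DWORD 0 under SpecialAccounts\UserList hides the
#    account from the logon screen; assumed to be the mechanism behind the
#    "Hides user accounts" signature (the page does not say which key was used).
$userList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList'
if (Test-Path -LiteralPath $userList) {
    foreach ($p in (Get-ItemProperty -LiteralPath $userList).PSObject.Properties) {
        if ($p.Name -notlike 'PS*' -and $p.Value -eq 0) {
            $findings += "Hidden account: $($p.Name)"
        }
    }
}

# 2. Dropped binaries from the behaviour graph, with SHA256 for comparison and
#    whether a Zone.Identifier stream is present (the sample strips it, so a
#    missing stream on a file that arrived from the Internet is itself a hint).
foreach ($path in 'C:\ProgramData\anydesk.exe', 'C:\ProgramData\anydesk\AnyDesk.exe') {
    if (Test-Path -LiteralPath $path) {
        $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        $zone = Get-Item -LiteralPath $path -Stream Zone.Identifier -ErrorAction SilentlyContinue
        $findings += "Dropped file present: $path sha256=$hash zone.identifier=$([bool]$zone)"
    }
}

# 3. Autostart values pointing at the drop location. Best effort only: the
#    sandbox calls the key "undocumented", so it may not be one of these.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($key in $runKeys) {
    if (Test-Path -LiteralPath $key) {
        foreach ($p in (Get-ItemProperty -LiteralPath $key).PSObject.Properties) {
            if ($p.Value -like '*ProgramData\anydesk*') {
                $findings += "Autostart: $key\$($p.Name) = $($p.Value)"
            }
        }
    }
}

# 4. Firewall rules whose program filter references the dropped AnyDesk binary
#    (what a "netsh advfirewall firewall add rule ..." from install.exe would leave behind).
Get-NetFirewallRule -ErrorAction SilentlyContinue |
    Where-Object { ($_ | Get-NetFirewallApplicationFilter).Program -like '*anydesk*' } |
    ForEach-Object { $findings += "Firewall rule: $($_.DisplayName) direction=$($_.Direction) action=$($_.Action)" }

# 5. Live TCP connections to the non-AnyDesk endpoint install.exe contacted in the sandbox.
Get-NetTCPConnection -RemoteAddress 80.209.241.3 -ErrorAction SilentlyContinue |
    ForEach-Object { $findings += "Connection: $($_.LocalAddress):$($_.LocalPort) -> $($_.RemoteAddress):$($_.RemotePort) pid=$($_.OwningProcess)" }

if ($findings.Count -eq 0) { 'No indicators from this sample found.' } else { $findings }
```

A legitimately installed AnyDesk also adds a firewall rule and lives under C:\ProgramData\AnyDesk, so treat the firewall and dropped-file hits as context; the hidden-account entry, a stripped Zone.Identifier on a freshly downloaded binary, and the connection to 80.209.241.3 are the findings that distinguish this sample from a normal install.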
Threat name: Win32.Backdoor.Finfish
Status: Malicious
First seen: 2022-06-20 18:03:11 UTC
File Type: Binary (Archive)
Extracted files: 42
AV detection: 15 of 26 (57.69%)
Threat level: 5/5
Result
Malware family: n/a
Score: 8/10
Tags: discovery evasion persistence
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Checks SCSI registry key(s)
Modifies data under HKEY_USERS
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Drops file in Windows directory
Drops file in System32 directory
Checks installed software on the system
Enumerates connected drives
Modifies WinLogon
Loads dropped DLL
Modifies file permissions
Executes dropped EXE
Modifies Windows Firewall
Sets file execution options in registry

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments