PUP.Fusion.B
Analysis Report
General information
| Family Name: | PUP.Fusion.B |
|---|---|
| Signature status: | No Signature |
Known Samples
This section lists other file samples believed to be associated with this family.
| MD5 | SHA1 | SHA256 | File Size |
|---|---|---|---|
| f28e3ba7330f1e9ebd1f949747f6c544 | 640dc72c622877f40e7c30137c637b394db22660 | | 8.89 MB, 8885632 bytes |
| e8dcf46ea71a9362b3f328799e90ca93 | 5aa9959439bc647b63323325be8499d9fa173aac | 6C8B031DE789E827F5F2CCF527B29990D57B801AA2A8F07D389BE1D7346DF6A7 | 8.91 MB, 8912896 bytes |
| 10c79ab3e0032ec10f20294b20a557d5 | 1cafb18490e623ecc24b3367a81947931aef2d94 | E2950FC2553BF2576A9738D93CBE96AADBD26EB038058D0B5F46F5D5959C51C5 | 8.50 MB, 8504221 bytes |
| 3a165bc526821501c16effdb36603631 | c45654ac2b56c4274ab28ad5732c986d1a370e9b | FA1868584FCAFA5673BD618A8BA2AE99F717160B094ED1D4D9A95AC20AE513BB | 8.88 MB, 8882656 bytes |
| 46de6669b9b26604ff251ca16e05a2bb | 93f0997412da9f61b8eff3368028d6da410d71a4 | 4BBB17E047CC3ED790A10796B625722C0261F70D1BDDF3FE05210A641727C096 | 6.29 MB, 6291456 bytes |
| 9f5beb71792c22445594e6de21b88776 | c829993e7b960360c048e7e0ebcee54a35eab2b7 | AE76B177EFF029BB82206FBC61CCB2D5BEAE0645F55CD0CC8F56691BE60DC051 | 8.89 MB, 8887939 bytes |
| ac873091adfbf3f12fb01842fcb1bd24 | f6cf4dd98b728eb37edbd2ffa5a037d34b29f74c | 2E1F34627D74861234492CABC643E3975AB76E3EED0A12C2AA52A9F2C48A4797 | 647.89 KB, 647891 bytes |
| b77d8831616480417c34c12bf014922b | 4b57062813c1b1bbca9d419122e6cb8e988e3f46 | 0828D67FE264F46FB16594E4784ACC06C43F4F35A6A79A42C2627D3A3B21FB26 | 2.78 MB, 2784973 bytes |
| 2ceb9b4721b9d9ac8487fd26008c4bd1 | eba4d8a14e417613e0d8f1bafaeb485f8f97b983 | F03CAA7BB76091A2E611B8592B6C1CC326A653565416E5CA467934FF4FBDE208 | 3.25 MB, 3253136 bytes |
| 72136cf2db9cb4a4b7b63f86c392f98f | 75e1705e6149ba31172d06238415d951d4f1c87e | A729FEAE717B22F2B82F633161F8F201299B0C368ABF1D5FE3ADC69FB505174B | 8.78 MB, 8778160 bytes |
| dce20129d6a0ef63337ac882a955a393 | 2862237de072574f8e4d52df237d1b06b100507b | DA1768FC08922F9F890C10576A5E8C1AEB645795D5C2977F52174253D7D0B829 | 6.48 MB, 6475056 bytes |
| 427b367f6b29375ca3887caf44b7930b | 69860e6310022189a1ce770d587bc779bb2d0bf3 | F1B67A565EA0731672E6E9F7CE1C0D39631B28349767D9C82310E5F0C224A783 | 4.01 MB, 4009464 bytes |
Windows Portable Executable Attributes
- File doesn't have "Rich" header
- File doesn't have debug information
- File doesn't have exports table
- File doesn't have relocations information
- File doesn't have security information
- File has TLS information
- File is 32-bit executable
- File is either console or GUI application
- File is GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)
- File is Native application (NOT .NET application)
- File is not packed
- IMAGE_FILE_DLL is not set inside PE header (Executable)
- IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)
File Icons
This section displays icon resources found within family samples. Malware often replicates icons commonly associated with legitimate software to mislead users into believing the malware is safe.
Windows PE Version Information
This section displays values and attributes that have been set in the Windows file version information data structure for samples within this family. To mislead users, malware actors often add fake version information mimicking legitimate software.
| Name | Value |
|---|---|
| Comments | |
| Company Name | |
| File Description | |
| File Version | |
| Legal Copyright | |
| Legal Trademarks | Format Factory Application is a trademark of FreeTime |
| Original Filename | |
| Product Name | |
| Product Version | |
| Publisher | CDex.mu |
Digital Signatures
This section lists digital signatures that are attached to samples within this family. When analyzing and verifying digital signatures, it is important to confirm that the signature's root authority is a well-known and trustworthy entity and that the status of the signature is good. Malware is often signed with non-trustworthy "Self Signed" digital signatures (which can be easily created by a malware author with no verification). Malware may also be signed by legitimate signatures that have an invalid status, and by signatures from questionable root authorities with fake or misleading "Signer" names.
| Signer | Root | Status |
|---|---|---|
| Burnaware | COMODO RSA Code Signing CA | Self Signed |
| Canneverbe Limited | DigiCert SHA2 Assured ID Code Signing CA | Hash Mismatch |
| Tim Kosse | DigiCert SHA2 Assured ID Code Signing CA | Hash Mismatch |
File Traits
- dll
- HighEntropy
- x86
Block Information
During analysis, EnigmaSoft breaks file samples into logical blocks for classification and comparison with other samples. Blocks can be used to generate malware detection rules and to group file samples into families based on shared source code, functionality and other distinguishing attributes and characteristics. This section lists a summary of this block data, as well as its classification by EnigmaSoft. A visual representation of the block data is also displayed, where available.
| Total Blocks: | 275 |
|---|---|
| Potentially Malicious Blocks: | 38 |
| Whitelisted Blocks: | 237 |
| Unknown Blocks: | 0 |
Visual Map
[Visual block map: the 275 blocks rendered as a grid of per-block markers (38 marked "x", the rest "0"); the grid image is not reproduced here.]
0 - Probable Safe Block
? - Unknown Block
x - Potentially Malicious Block
Similar Families
This section lists other families that share similarities with this family, based on EnigmaSoft's analysis. Many malware families are created from the same malware toolkits and use the same packing and encryption techniques but uniquely extend functionality. Similar families may also share source code, attributes, icons, subcomponents, compromised and/or invalid digital signatures, and network characteristics. Researchers leverage these similarities to rapidly and effectively triage file samples and extend malware detection rules.
- Brute.BH
- CobaltStrike.GI
- CobaltStrike.GIA
- Makoob.A
- Rozena.H
- Rozena.XC
Files Modified
This section lists files that were created, modified, moved and/or deleted by samples in this family. File system activity can provide valuable insight into how malware functions on the operating system.
| File | Attributes |
|---|---|
| c:\users\user\appdata\local\temp\is-i1jp7.tmp\75e1705e6149ba31172d06238415d951d4f1c87e_0008778160.tmp | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\is-rl7pq.tmp\2862237de072574f8e4d52df237d1b06b100507b_0006475056.tmp | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\is-uoh5s.tmp\_isetup\_setup64.tmp | Generic Read,Write Data,Write Attributes,Write extended,Append data |
| c:\users\user\appdata\local\temp\is-uoh5s.tmp\_isetup\_shfoldr.dll | Generic Read,Write Data,Write Attributes,Write extended,Append data |
| c:\users\user\appdata\local\temp\is-uoh5s.tmp\uvifmxfau.dll | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\nsf6183.tmp | Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete |
| c:\users\user\appdata\local\temp\nsv6194.tmp\modern-wizard.bmp | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\nsv6194.tmp\system.dll | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\nsv6194.tmp\uac.dll | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\nsv6194.tmp\userinfo.dll | Generic Write,Read Attributes |
Windows API Usage
This section lists Windows API calls that are used by the samples in this family. Windows API usage analysis is a valuable tool that can help identify malicious activity, such as keylogging, security privilege escalation, data encryption, data exfiltration, interference with antivirus software, and network request manipulation.
| Category | API |
|---|---|
| Anti Debug | |
| User Data Access | |
| Keyboard Access | |
| Process Manipulation Evasion | |
| Process Shell Execute | |
Shell Command Execution
This section lists Windows shell commands that are run by the samples in this family. Windows Shell commands are often leveraged by malware for nefarious purposes and can be used to elevate security privileges, download and launch other malware, exploit vulnerabilities, collect and exfiltrate data, and hide malicious activity.
- "C:\Users\Xumkqemc\AppData\Local\Temp\is-I1JP7.tmp\75e1705e6149ba31172d06238415d951d4f1c87e_0008778160.tmp" /SL5="$60334,8280616,189952,c:\users\user\downloads\75e1705e6149ba31172d06238415d951d4f1c87e_0008778160"
- "C:\Users\Hssaelqr\AppData\Local\Temp\is-RL7PQ.tmp\2862237de072574f8e4d52df237d1b06b100507b_0006475056.tmp" /SL5="$40354,5808465,502272,c:\users\user\downloads\2862237de072574f8e4d52df237d1b06b100507b_0006475056"