Trojan.Downloader.Firseria

By CagedTech in Trojans

Threat Scorecard

Popularity Rank:	12,620
Threat Level:	80 % (High)
Infected Computers:	709

First Seen:	August 22, 2018
Last Seen:	January 7, 2026
OS(es) Affected:	Windows

Table of Contents

Analysis Report

General information

Family Name:	Trojan.Downloader.Firseria
Packers:	UPX
Signature status:	Root Not Trusted

Known Samples

MD5: 74419fcafd5b0cf8b66b4040a824442b

SHA1: 045a0700ba81030a479fd6f041d5eb1a388cdc3d

SHA256: A676B802990386764F43AA6FC32034458CA499B765E5B08F19A314759BBE52AF

File Size: 526.43 KB, 526432 bytes

MD5: b2e4e7069c57a165c3c609d5ea9a4cef

SHA1: ff02bfbada66239b68e2cd2e66020238f7551964

SHA256: 765C8BF1009D1F39A2EB1147082F5BA58603F96F7860D3C33BEE5DC6542F967D

File Size: 178.02 KB, 178024 bytes

Windows Portable Executable Attributes

File doesn't have "Rich" header
File doesn't have debug information
File doesn't have exports table
File doesn't have relocations information
File doesn't have security information
File has been packed
File is 32-bit executable
File is either console or GUI application
File is GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)
File is Native application (NOT .NET application)

File is not packed
IMAGE_FILE_DLL is not set inside PE header (Executable)
IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)

File Icons

Windows PE Version Information

Name	Value
Company Name	Rapiddown
File Description	DownloaddMger
File Version	1.0.0.27
Internal Name	install
Legal Copyright	copyright·©·2013
Original Filename	¡nstal·exe
Product Version	3.0.26

Digital Signatures

Signer	Root	Status
RAPIDDOWN	DigiCert Assured ID Root CA	Root Not Trusted

Block Information

Total Blocks:	628
Potentially Malicious Blocks:	27
Whitelisted Blocks:	600
Unknown Blocks:	1

Visual Map

1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 1 0 0 0 0 x x x x x x x x x x x x ? 0 0 x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x 0 0 0 0 0 0 0 0 0 1 0 1 0 1 0 0 0 0 0 0 x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x 0 0 0 0 0 0 x x 0 0 0 0 x x x x x x x 0 0 x 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 1 0 0 0 0 0 0 2 0 0 0 0 0 0 0 0 0 1 1 1 1 2 0 1 0 0 0 0 0 0 1 0 0 1 1 0 0 1 0 0 0 0 0 0 0 1 0 0 1 0 0 0 1 0 0 0 0 0 0 1 0 0 0 0 1 0 0 0 0 0 0 0 0 1 0 0 0 0 0 2 0 0 1 0 1 0 0 0 1 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 2 0 0 0 1 1 0 1 1 0 0 1 0 1 1 0 0 0 1 0 0 0 0 0 0 0 0 0 1 1 1 0 3 1 1 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 2 3 0 0 0 0 1 0 0 0 0 0 1 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 1 0 0 1 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 1 0 0 0 0 0 0 0 0 0 1 1 0 0 0 0 0 2 2 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 2 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0

0 - Probable Safe Block
? - Unknown Block
x - Potentially Malicious Block

Files Modified

File	Attributes
c:\users\user\appdata\local\temp\n1890\s1890.exe	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\n3836\ins3836.exe	Generic Write,Read Attributes
c:\users\user\appdata\locallow\microsoft\cryptneturlcache\content\7d266d9e1e69fa1eefb9699b009b34c8_0a9bfdd75b598c2110cbf610c078e6e6	Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\locallow\microsoft\cryptneturlcache\content\8dfdf057024880d7a081afbf6d26b92f	Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\locallow\microsoft\cryptneturlcache\content\9a19adad9d098e039450abbedd5616eb_90988534438596fe5d238c3ba6208526	Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\locallow\microsoft\cryptneturlcache\content\a89dfcc31c360ba5cbd616749b1b1c5d	Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\locallow\microsoft\cryptneturlcache\metadata\7d266d9e1e69fa1eefb9699b009b34c8_0a9bfdd75b598c2110cbf610c078e6e6	Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\locallow\microsoft\cryptneturlcache\metadata\8dfdf057024880d7a081afbf6d26b92f	Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\locallow\microsoft\cryptneturlcache\metadata\9a19adad9d098e039450abbedd5616eb_90988534438596fe5d238c3ba6208526	Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\locallow\microsoft\cryptneturlcache\metadata\a89dfcc31c360ba5cbd616749b1b1c5d	Generic Read,Write Data,Write Attributes,Write extended,Append data

c:\windows\assembly

Synchronize,Write Attributes

Registry Modifications

Key::Value	Data	API Name
HKLM\system\controlset001\control\session manager::pendingfilerenameoperations	\??\C:\Windows\SystemTemp\a9dd6c3f-d641-4292-855a-e9c09c1b694b.tmp\??\C:\Windows\SystemTemp\85968c61-a19d-4e7b-a80f-d2a1fc3c08	RegNtPreCreateKey
HKLM\system\controlset001\control\session manager::pendingfilerenameoperations	\??\C:\Windows\SystemTemp\a9dd6c3f-d641-4292-855a-e9c09c1b694b.tmp\??\C:\Windows\SystemTemp\85968c61-a19d-4e7b-a80f-d2a1fc3c08	RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::proxybypass		RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::intranetname		RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::uncasintranet		RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::autodetect		RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::proxybypass		RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::intranetname		RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::uncasintranet		RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::autodetect		RegNtPreCreateKey

HKLM\software\microsoft\systemcertificates\authroot\certificates\4eb6d578499b1ccf5f581ead56be3d9b6744a5e5::blob	់㇤㹧ৢ䗾鍗૳ᳺứ霞輫穆轙⊩㢅즔Sc愰ℰଆ虠ňŅᜇ〆〒ؐ⬊ĆĄ㞂ļ́ダ؟怉䢆蘁泽ĂሰူਆثЁ舁㰷āȃ쀀ᬰԆ腧Č〃〒ؐ⬊ĆĄ㞂ļ́翀Ā⨀　ب⬈Ćԅ̇؂⬈Ćԅ̇؃⬈Ćԅ̇؄⬈Ćԅ̇ँĀ⨀　ب⬈Ćԅ̇؂⬈Ćԅ	RegNtPreCreateKey
HKLM\software\microsoft\systemcertificates\authroot\certificates\4eb6d578499b1ccf5f581ead56be3d9b6744a5e5::blob		RegNtPreCreateKey
HKLM\software\microsoft\systemcertificates\root\certificates\be36a4562fb2ee05dbb3d32323adf445084ed656::blob	\Ѐ볝蚽㾜ࠛ컯퇄춈ᔻᰘ兘槹镹⍋.Thawte Timestamping CA ਰࠆثԁ܅ࠃ㚾嚤눯׮돛⏓괣䗴丈囖晿煺硩騠ᑑ莝⃚ꗨ뺘芄ﺎ炮ᔑ㔁뉶 ʥ	RegNtPreCreateKey

Windows API Usage

Category	API
Anti Debug	IsDebuggerPresent
User Data Access	GetUserObjectInformation
Process Manipulation Evasion	NtUnmapViewOfSection
Process Shell Execute	ShellExecuteEx
Syscall Use	ntdll.dll!NtAccessCheck ntdll.dll!NtAlertThreadByThreadId ntdll.dll!NtAlpcConnectPort ntdll.dll!NtAlpcConnectPortEx ntdll.dll!NtAlpcCreateResourceReserve ntdll.dll!NtAlpcCreateSecurityContext ntdll.dll!NtAlpcDeleteSecurityContext ntdll.dll!NtAlpcDisconnectPort ntdll.dll!NtAlpcQueryInformation ntdll.dll!NtAlpcQueryInformationMessage Show More ntdll.dll!NtAlpcSendWaitReceivePort ntdll.dll!NtAlpcSetInformation ntdll.dll!NtApphelpCacheControl ntdll.dll!NtAssociateWaitCompletionPacket ntdll.dll!NtCancelWaitCompletionPacket ntdll.dll!NtClearEvent ntdll.dll!NtClose ntdll.dll!NtConnectPort ntdll.dll!NtCreateEvent ntdll.dll!NtCreateIoCompletion ntdll.dll!NtCreateKey ntdll.dll!NtCreateSection ntdll.dll!NtCreateSemaphore ntdll.dll!NtCreateThreadEx ntdll.dll!NtCreateTimer2 ntdll.dll!NtCreateWaitCompletionPacket ntdll.dll!NtCreateWorkerFactory ntdll.dll!NtDeleteValueKey ntdll.dll!NtDeviceIoControlFile ntdll.dll!NtDuplicateObject ntdll.dll!NtDuplicateToken ntdll.dll!NtEnumerateKey ntdll.dll!NtEnumerateValueKey ntdll.dll!NtFreeVirtualMemory ntdll.dll!NtGetCompleteWnfStateSubscription ntdll.dll!NtMapViewOfSection ntdll.dll!NtNotifyChangeKey ntdll.dll!NtOpenDirectoryObject ntdll.dll!NtOpenEvent ntdll.dll!NtOpenFile ntdll.dll!NtOpenKey ntdll.dll!NtOpenKeyEx ntdll.dll!NtOpenProcess ntdll.dll!NtOpenProcessToken ntdll.dll!NtOpenProcessTokenEx ntdll.dll!NtOpenSection ntdll.dll!NtOpenThread ntdll.dll!NtOpenThreadToken ntdll.dll!NtOpenThreadTokenEx ntdll.dll!NtPowerInformation ntdll.dll!NtProtectVirtualMemory ntdll.dll!NtQueryAttributesFile ntdll.dll!NtQueryDefaultLocale ntdll.dll!NtQueryDirectoryFileEx ntdll.dll!NtQueryEvent ntdll.dll!NtQueryFullAttributesFile ntdll.dll!NtQueryInformationFile ntdll.dll!NtQueryInformationProcess ntdll.dll!NtQueryInformationThread ntdll.dll!NtQueryInformationToken ntdll.dll!NtQueryKey ntdll.dll!NtQueryLicenseValue ntdll.dll!NtQueryObject ntdll.dll!NtQueryPerformanceCounter ntdll.dll!NtQuerySecurityAttributesToken ntdll.dll!NtQuerySecurityObject ntdll.dll!NtQuerySystemInformation ntdll.dll!NtQuerySystemInformationEx ntdll.dll!NtQueryValueKey ntdll.dll!NtQueryVirtualMemory ntdll.dll!NtQueryWnfStateData ntdll.dll!NtQueueApcThread ntdll.dll!NtReadFile ntdll.dll!NtReadRequestData ntdll.dll!NtReleaseMutant ntdll.dll!NtReleaseWorkerFactoryWorker ntdll.dll!NtRequestWaitReplyPort ntdll.dll!NtResumeThread ntdll.dll!NtSetEvent ntdll.dll!NtSetInformationKey ntdll.dll!NtSetInformationObject ntdll.dll!NtSetInformationProcess ntdll.dll!NtSetInformationThread ntdll.dll!NtSetInformationVirtualMemory ntdll.dll!NtSetInformationWorkerFactory ntdll.dll!NtSetSecurityObject ntdll.dll!NtSetTimer2 ntdll.dll!NtSubscribeWnfStateChange ntdll.dll!NtTestAlert ntdll.dll!NtTraceControl ntdll.dll!NtTraceEvent ntdll.dll!NtUnmapViewOfSection ntdll.dll!NtUnmapViewOfSectionEx ntdll.dll!NtUnsubscribeWnfStateChange ntdll.dll!NtWaitForAlertByThreadId ntdll.dll!NtWaitForMultipleObjects ntdll.dll!NtWaitForSingleObject ntdll.dll!NtWaitForWorkViaWorkerFactory ntdll.dll!NtWaitLowEventPair ntdll.dll!NtWorkerFactoryWorkerReady 2 additional items are not displayed above.
Encryption Used	BCryptOpenAlgorithmProvider CryptAcquireContext

Shell Command Execution


							 s1890.exe 30cb3dae7b4f397e0a5a9108uL6KamSNxbsl/Wecags7y73LNZQPW+uSWU5Sxg0COmpLiC8ruo5Ai5eK+m4joydHyxhFdkZhMfDq/FUByLH/A94eOVBWUT8vyjWSp2hv3Unjvp01lNZhove/rME9gL7OjVdIknuE0ZY4ya5zarIcTR6J /v "c:\users\user\downloads\045a0700ba81030a479fd6f041d5eb1a388cdc3d_0000526432"


							open C:\Users\Kbbzzxwt\AppData\Local\Temp\\n3836\ins3836.exe ins.exe /e5610583 /u50d1d9d5-cf90-407c-820a-35e05bc06f2f

EnigmaSoft’s Payment Processor Digital River GmbH Filing for Bankruptcy Does Not Impact SpyHunter Customers’ Anti-Malware Protection

Search

Change Region

Trojan.Downloader.Firseria

Threat Scorecard

EnigmaSoft Threat Scorecard

Analysis Report

General information

Known Samples

Known Samples

Windows Portable Executable Attributes

Windows Portable Executable Attributes

File Icons

File Icons

Windows PE Version Information

Windows PE Version Information

Digital Signatures

Digital Signatures

Block Information

Block Information

Visual Map

Files Modified

Files Modified

Registry Modifications

Registry Modifications

Windows API Usage

Windows API Usage

Shell Command Execution

Shell Command Execution

Submit Comment

Trending

'Ravnateljstvo Policije' Ransomware

TROJ_SCRIPBRID.A

Trojan Downloader.Win32.Devsog!k

Most Viewed

How To Fix 'Printer Driver is Unavailable' Error

Discord Shows Black Screen when Sharing Screen

How to Fix 'macOS cannot verify that this app is...