f5795b.exe

The executable f5795b.exe has been detected as malware by 40 anti-virus scanners. It is set to automatically execute when any user logs into Windows (through the local user run registry setting) with the name ‘F5795B’.
MD5:
dd36619db8c11366235a4a78f9b85913

SHA-1:
8e429bbab3c9c6ab2c4fe5d651747640942d7be6

Scanner detections:
40 / 68

Status:
Malware

Analysis date:
5/22/2024 2:14:31 AM UTC

Scan engine                     Detection                                   Engine version
Lavasoft Ad-Aware               GenPack:Backdoor.Generic.199964             1103
Agnitum Outpost                 Backdoor.FlyAgent                           7.1.1
AhnLab V3 Security              Win32/Flystudio.worm.Gen                    2013.11.28
Avira AntiVirus                 TR/Dropper.Gen                              7.11.116.34
avast!                          Win32:EvilEPL [Cryp]                        2014.9-140128
AVG                             Win32/Heur                                  2015.0.3581
Baidu Antivirus                 Worm.Win32.AutoRun                          4.0.3.14128
Bitdefender                     GenPack:Backdoor.Generic.199964             1.0.20.140
Bkav FE                         W32.FlyStudioTn                             1.3.0.4562
Clam AntiVirus                  Worm.FlyStudio-15                           0.98/18155
Comodo Security                 TrojWare.Win32.TrojanDropper.Flystud.~d01   17348
Dr.Web                          Win32.HLLW.Autoruner.26035                  9.0.1.028
Emsisoft Anti-Malware           GenPack:Backdoor.Generic.199964             8.14.01.28.11
ESET NOD32                      Win32/AutoRun.FlyStudio.SJ                  8.9105
Fortinet FortiGate              W32/PckdFlyStudio.gen                       1/28/2014
F-Prot                          W32/Nuj.A.gen                               v6.4.7.1.166
F-Secure                        Trojan-Dropper:W32/Peed.gen!A               11.2014-28-01_3
G Data                          GenPack:Backdoor.Generic.199964             14.1.22
IKARUS anti.virus               Worm.Win32.FlyStudio                        t3scan.2.2.29
K7 AntiVirus                    Trojan                                      13.174.10333
Kaspersky                       Trojan-Downloader.Win32.FlyStudio           14.0.0.4398
Malwarebytes                    Worm.AutoRun.H                              v2014.01.28.11
McAfee                          W32/Autorun.worm.ev                         5600.7237
Microsoft Security Essentials   Backdoor:Win32/FlyAgent.F                   1.163.1557.0
MicroWorld eScan                GenPack:Backdoor.Generic.199964             15.0.0.84
NANO AntiVirus                  Trojan.Win32.FlyStudio.lbopl                0.28.0.56420
Norman                          FlyAgent.CX                                 11.20140128
nProtect                        Trojan-Dropper/W32.FlyStudio.1415786        13.11.28.02
Panda Antivirus                 Bck/Wutau.B                                 14.01.28.11
Quick Heal                      Backdoor.FlyAgent.F                         1.14.12.00
Reason Heuristics               Unnamed.Threat.69                           14.3.6.10
Rising Antivirus                PE:Worm.Win32.Agent.aaq!1075178983          23.00.65.14126
Sophos                          Mal/EncPk-NB                                4.95
SUPERAntiSpyware                Trojan.Agent/Gen-Fly[Large]                 10818
Total Defense                   Win32/Nuj.IX                                37.0.10498
Trend Micro House Call          TROJ_GEN.F47V0624                           7.2.28
Trend Micro                     WORM_AUTORUN.SMW                            10.465.28
Vba32 AntiVirus                 TrojanDownloader.FlyStudio                  3.12.24.3
VIPRE Antivirus                 Trojan.Win32.Autorun.dm                     23802
ViRobot                         Trojan.Win32.A.Downloader.1415786.A         2011.4.7.4223

File size:
1.4 MB (1,415,786 bytes)

File type:
Executable application (Win32 EXE)

Common path:
C:\Windows\System32\f6a9d1\f5795b.exe

File PE Metadata
Compilation timestamp:
12/25/1972 1:33:23 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
4.0

CTPH (ssdeep):
24576:HcrdqMocscoY2uDjJkVIq/18INypTxCuHCOO/Vp7VOO5246ZvihJ+JBuovwi4M5M:HZMoeoYfD1CIivWELpJ724jhMJLwmM

Entry address:
0x1380

Entry point:
52, 56, 51, 50, 53, 2B, D2, 57, 0F, 84, B8, FF, FF, FF, 9F, A1, 9B, 28, 7F, 32, E6, 92, 81, EE, 27, 02, 00, 00, E9, 23, 00, 00, 00, 18, F5, FB, 98, FF, C1, 5E, E9, E9, FF, FF, FF, 69, E7, 1A, E2, 12, 18, 0F, 84, 47, 00, 00, 00, 0F, 82, E1, FE, FF, FF, B6, 04, DF, C7, 5B, F7, 06, FF, FF, FF, FF, F9, 0F, 82, E2, FF, FF, FF, C3, 96, AC, EC, 8B, DE, E9, E0, FE, FF, FF, 26, 79, A5, 84, 01, E7, 0F, 85, 0B, 00, 00, 00, F9, 0F, 82, E6, FF, FF, FF, 76, 88, 73, 7B, 8B, 06, E9, FE, FE, FF, FF, E0, BC, A7, D9, B0, 95...

Entropy:
7.9537  (probably packed)

Code size:
24 KB (24,576 bytes)

Startup File (All Users Run)
Registry location:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
F5795B

Command:
C:\Windows\System32\f6a9d1\f5795b.exe

The executing file has been seen to make the following network communication in live environments.

TCP (HTTP):
Connects to ec2-52-0-217-44.compute-1.amazonaws.com  (52.0.217.44:80)

Remove f5795b.exe - Powered by Reason Core Security