fassurun_as.exe

fassurun

This is the installer/setup program for a Yontoo adware component, a web browser plugin that injects unwanted ads in the browser. The application fassurun_as.exe by fassurun has been detected as adware by 5 anti-malware scanners. The program is a setup application built with the NSIS (Nullsoft Scriptable Install System) installer. It plugs into the web browser and displays context-based advertisements by overwriting existing ads or by inserting new ones on various web pages. It is typically executed from an Internet Explorer cache folder. The file has been observed being downloaded from vzbucket.appscion.com.
Publisher:
fassurun  (signed and verified)

MD5:
5d01e761656e813b65808783271b548c

SHA-1:
b9ae946dd4832636bdc190dccae8e05cde11b9a8

SHA-256:
72b3f9cbeecc26a95bb532713440db061488c0ea30bb05da9f1d20163007474b

Scanner detections:
5 / 68

Status:
Adware

Explanation:
Injects advertising in the web browser in various formats.

Analysis date:
5/1/2024 7:08:38 PM UTC

Scan engine | Detection | Engine version
ESET NOD32 | Win32/BrowseFox | 7.9188
Reason Heuristics | PUP.fassurun.L | 14.8.7.21
Rising Antivirus | NS:PUF.SilenceInstaller!1.9DDF | 23.00.65.131220
VIPRE Antivirus | Trojan.Win32.Generic | 24494
XVirus List | Win32.Detected | 2.8.7

File size:
198 KB (202,736 bytes)

File type:
Executable application (Win32 EXE)

Installer:
NSIS (Nullsoft Scriptable Install System)

Common path:
C:\users\{user}\appdata\local\microsoft\windows\temporary internet files\content.ie5\{random}\fassurun_as.exe

Digital Signature
Signed by:

Authority:
VeriSign, Inc.

Valid from:
8/21/2013 3:00:00 AM

Valid to:
8/21/2015 2:59:59 AM

Subject:
CN=fassurun, OU=Digital ID Class 3 - Microsoft Software Validation v2, O=fassurun, L=San Diego, S=California, C=US

Issuer:
CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

Serial number:
6EA3A2D62F7379560AF4974E60282338

File PE Metadata
Compilation timestamp:
12/6/2009 12:50:41 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
3072:TLk395hYXJsCV+7eniqhnIJkf25tquQ91jGW4k9anH7l1m/GqMHJGULvi:TQqDV+8iq615tB01jGxkYnH7nm/G/Hcp

Entry address:
0x30CB

Entry point:
81, EC, 80, 01, 00, 00, 53, 55, 56, 33, DB, 57, 89, 5C, 24, 18, C7, 44, 24, 10, 60, 91, 40, 00, 33, F6, C6, 44, 24, 14, 20, FF, 15, 30, 70, 40, 00, 68, 01, 80, 00, 00, FF, 15, B0, 70, 40, 00, 53, FF, 15, 7C, 72, 40, 00, 6A, 08, A3, 38, 3F, 42, 00, E8, F1, 2B, 00, 00, A3, 84, 3E, 42, 00, 53, 8D, 44, 24, 34, 68, 60, 01, 00, 00, 50, 53, 68, 30, F4, 41, 00, FF, 15, 58, 71, 40, 00, 68, 54, 91, 40, 00, 68, 80, 36, 42, 00, E8, A4, 28, 00, 00, FF, 15, AC, 70, 40, 00, BF, 00, 90, 42, 00, 50, 57, E8, 92, 28, 00, 00...
 

Packer / compiler:
Nullsoft install system v2.x

Code size:
22.5 KB (23,040 bytes)

The file fassurun_as.exe has been seen being distributed by the following URL.
