Fluster.Installer.exe

Blacklist timeline


First seen: Sat Oct 21 2023 18:45:04 GMT+0000
Last seen: Sat Oct 21 2023 19:45:04 GMT+0000
Period: an hour

Hashes
Filename:
Fluster.Installer.exe
md5:
34a86d6210691332d17bb6a56c3bc0cc
sha1:
4a803d1ccf1865f98b1d45f391089316a9506d10
sha256:
374b1dede27caa6bc1ab61fff0efcb7a89aa212ac5c67e9fc55ac241346afffa

In depth details
Filetype:
PE32+ executable (console) x86-64, for MS Windows
Size (Bytes):
51200
Classification:
malicious

Dates
Indexed:
Sat Oct 21 2023 19:28:53 GMT+0000 (2 years ago)
Last modified:
Sat Oct 21 2023 19:45:04 GMT+0000 (2 years ago)

Developers can check the API specification here:


Request:

          
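# Fetch the Maltiverse record for this sample (keyed by its SHA-256).
#
# The API key is read from MALTIVERSE_API_KEY and passed to curl through a
# config file on stdin (-K -) instead of as a command-line argument, so it
# does not end up in shell history or in the argv that `ps` shows to other
# users on the host. --fail turns an HTTP error status into a non-zero exit
# instead of printing an error body to stdout; -sS hides the progress meter
# but still reports errors.
: "${MALTIVERSE_API_KEY:?set MALTIVERSE_API_KEY to your Maltiverse API key}"
sample_url='https://api.maltiverse.com/sample/374b1dede27caa6bc1ab61fff0efcb7a89aa212ac5c67e9fc55ac241346afffa'
printf 'header = "Authorization: Bearer %s"\n' "$MALTIVERSE_API_KEY" \
  | curl -sS --fail -K - "$sample_url"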
        

Request:

Alternatively, you can use the Maltiverse Python3 library:
          
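import json
import os

import requests

# Fetch the Maltiverse record for this sample (keyed by its SHA-256).
#
# The API expects a Bearer token (the curl and PowerShell examples send one);
# the original snippet sent no Authorization header at all. The key is read
# from the MALTIVERSE_API_KEY environment variable so it is never hard-coded
# in the script. A missing variable raises KeyError up front rather than
# producing a confusing 401 later.
api_key = os.environ["MALTIVERSE_API_KEY"]
url = 'https://api.maltiverse.com/sample/374b1dede27caa6bc1ab61fff0efcb7a89aa212ac5c67e9fc55ac241346afffa'
headers = {"Authorization": f"Bearer {api_key}"}
# timeout: do not hang indefinitely on a stalled connection.
response = requests.get(url, headers=headers, timeout=30)
# Surface 401/403/404/5xx as an exception instead of pretty-printing an error body.
response.raise_for_status()
print(json.dumps(response.json(), indent=4, sort_keys=True))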
        

Request:

          
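# Fetch the Maltiverse record for this sample (keyed by its SHA-256).
#
# The API key comes from the MALTIVERSE_API_KEY environment variable rather
# than being pasted into the script, so it is not left behind in saved .ps1
# files or console history.
if (-not $env:MALTIVERSE_API_KEY) {
    throw 'Set MALTIVERSE_API_KEY to your Maltiverse API key.'
}
$url = 'https://api.maltiverse.com/sample/374b1dede27caa6bc1ab61fff0efcb7a89aa212ac5c67e9fc55ac241346afffa'
$headers = @{ Authorization = "Bearer $env:MALTIVERSE_API_KEY" }
# -ErrorAction Stop: a bad key or unknown hash terminates the script instead
# of leaving $response empty and printing nothing.
$response = Invoke-RestMethod -Uri $url -Headers $headers -ErrorAction Stop
Write-Output $response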
        

Response:

      
{
    "antivirus": [
        {
            "description": "W64.AIDetectMalware",
            "name": "Bkav"
        },
        {
            "description": "win/malicious_confidence_60% (D)",
            "name": "CrowdStrike"
        },
        {
            "description": "ML.Attribute.HighConfidence",
            "name": "Symantec"
        },
        {
            "description": "Trojan:Win32/Wacatac.H!ml",
            "name": "Microsoft"
        },
        {
            "description": "Trojan.Malware.300983.susgen",
            "name": "MaxSecure"
        },
        {
            "description": "MALICIOUS",
            "name": "DeepInstinct"
        }
    ],
    "av_ratio": 8,
    "blacklist": [
        {
            "count": 1,
            "description": "Generic Malware",
            "first_seen": "2023-10-21 19:45:04",
            "last_seen": "2023-10-21 19:45:04",
            "source": "Hybrid-Analysis"
        }
    ],
    "classification": "malicious",
    "contacted_host": [
        "192.30.255.112",
        "185.199.108.133"
    ],
    "creation_time": "2023-10-21 19:28:53",
    "dns_request": [
        "github.com",
        "objects.githubusercontent.com"
    ],
    "filename": [
        "Fluster.Installer.exe"
    ],
    "filetype": "PE32+ executable (console) x86-64, for MS Windows",
    "is_alive": false,
    "is_cdn": false,
    "is_cnc": false,
    "is_distributing_malware": false,
    "is_hosting": false,
    "is_iot_threat": false,
    "is_known_attacker": false,
    "is_known_scanner": false,
    "is_mining_pool": false,
    "is_open_proxy": false,
    "is_phishing": false,
    "is_sinkhole": false,
    "is_storing_phishing": false,
    "is_tor_node": false,
    "is_vpn_node": false,
    "md5": "34a86d6210691332d17bb6a56c3bc0cc",
    "modification_time": "2023-10-21 19:45:04",
    "process_list": [
        {
            "name": "Fluster.Installer.exe",
            "normalizedpath": "C:\\Fluster.Installer.exe",
            "sha256": "374b1dede27caa6bc1ab61fff0efcb7a89aa212ac5c67e9fc55ac241346afffa",
            "uid": "00000000-00006416"
        },
        {
            "commandline": "-Command if ((Get-ItemPropertyValue -Path 'HKLM:\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModelUnlock' -Name 'AllowDevelopmentWithoutDevLicense') -eq 1) { Write-Output 'Developer Mode is already enabled.' } else { Set-ItemProperty -Path 'HKLM:\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModelUnlock' -Name 'AllowDevelopmentWithoutDevLicense' -Value 1; }",
            "name": "powershell.exe",
            "normalizedpath": "%WINDIR%\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
            "sha256": "34507738f84b9d4f231dc0c187fee4a03b4ddb84cf63ff56a4a1761a9bd56ea6",
            "uid": "00000000-00006812"
        },
        {
            "commandline": "-Command if ((Get-ItemPropertyValue -Path 'HKLM:\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModelUnlock' -Name 'AllowDevelopmentWithoutDevLicense') -eq 0) { Write-Output 'Developer Mode is already disabled.' } else { Set-ItemProperty -Path 'HKLM:\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModelUnlock' -Name 'AllowDevelopmentWithoutDevLicense' -Value 0; }",
            "name": "powershell.exe",
            "normalizedpath": "%WINDIR%\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
            "sha256": "34507738f84b9d4f231dc0c187fee4a03b4ddb84cf63ff56a4a1761a9bd56ea6",
            "uid": "00000000-00001204"
        },
        {
            "commandline": "/c pause",
            "name": "cmd.exe",
            "normalizedpath": "%WINDIR%\\system32\\cmd.exe",
            "sha256": "ec436aeee41857eee5875efdb7166fe043349db5f58f3ee9fc4ff7f50005767f",
            "uid": "00000000-00007196"
        }
    ],
    "score": 10,
    "sha1": "4a803d1ccf1865f98b1d45f391089316a9506d10",
    "sha256": "374b1dede27caa6bc1ab61fff0efcb7a89aa212ac5c67e9fc55ac241346afffa",
    "size": 51200,
    "type": "sample"
}
    
Network contacts
DNS Requests
github.com
objects.githubusercontent.com
Contacted Hosts
192.30.255.112
185.199.108.133

Antivirus positives

Antivirus Threat
Bkav W64.AIDetectMalware
CrowdStrike win/malicious_confidence_60% (D)
Symantec ML.Attribute.HighConfidence
Microsoft Trojan:Win32/Wacatac.H!ml
MaxSecure Trojan.Malware.300983.susgen
DeepInstinct MALICIOUS
Process list
uid
00000000-00006416
commandline
name
Fluster.Installer.exe
normalizedpath
C:\Fluster.Installer.exe
sha256
374b1dede27caa6bc1ab61fff0efcb7a89aa212ac5c67e9fc55ac241346afffa
uid
00000000-00006812
commandline
-Command if ((Get-ItemPropertyValue -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModelUnlock' -Name 'AllowDevelopmentWithoutDevLicense') -eq 1) { Write-Output 'Developer Mode is already enabled.' } else { Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModelUnlock' -Name 'AllowDevelopmentWithoutDevLicense' -Value 1; }
name
powershell.exe
normalizedpath
%WINDIR%\System32\WindowsPowerShell\v1.0\powershell.exe
sha256
34507738f84b9d4f231dc0c187fee4a03b4ddb84cf63ff56a4a1761a9bd56ea6
uid
00000000-00001204
commandline
-Command if ((Get-ItemPropertyValue -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModelUnlock' -Name 'AllowDevelopmentWithoutDevLicense') -eq 0) { Write-Output 'Developer Mode is already disabled.' } else { Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModelUnlock' -Name 'AllowDevelopmentWithoutDevLicense' -Value 0; }
name
powershell.exe
normalizedpath
%WINDIR%\System32\WindowsPowerShell\v1.0\powershell.exe
sha256
34507738f84b9d4f231dc0c187fee4a03b4ddb84cf63ff56a4a1761a9bd56ea6
uid
00000000-00007196
commandline
/c pause
name
cmd.exe
normalizedpath
%WINDIR%\system32\cmd.exe
sha256
ec436aeee41857eee5875efdb7166fe043349db5f58f3ee9fc4ff7f50005767f