Hash

Analysis
Report

"In cybersecurity, every hash carries a hidden story — some uphold trust, others
uncover threats. This hash analysis reveals a dark narrative: vigilance isn't a luxury, it's
a fundamental necessity."

Prepared By : Vishal Suthar Date: 11-03-2025

Table of Content

1. Executive summary
2. Hash information
3. IOC ( Indicator of Compromise)
• contacted ip addresses
• contacted domains
• contacted URL
• graph summary
4. Behaviour analysis
• Network Communication
• Process Action
• Key Behaviour of Hash
5. conclusion
1.Executive summary
The submitted file is an executable (.exe), analyzed using a malware detection platform (likely VirusTotal). The
results indicate a high probability of malicious intent, as 51 out of 72 security vendors have flagged the file as
malicious. The file's nature and behavior suggest it may pose a significant threat to the system if executed.
Detection Insights:
• The file has been classified under multiple malware categories, including:

o Trojan: Capable of unauthorized access or control (e.g., Win32:Trojan-gen,

Trojan.NSIS.Agent).
o Adware: May display intrusive advertisements or install unwanted software (e.g.,
Gen:Variant.Adware.iBryte.29, ADWARE/iBryte.bxpa).
o Downloader: Potentially downloads and executes additional malicious files from remote
servers (e.g., TrojanDownloader:Application/Adload.d,
GrayWare[Downloader]/Win32.Adload.gen).
• The high detection rate (51/72) clearly indicates that the file is highly suspicious and potentially
harmful.
• The presence of tags like NSIS (Nullsoft Scriptable Install System), runtime-modules, and overlay
suggests the file could be a packed malware or installer-based threat, making it harder to detect through
traditional methods.
Recommendations:

• Avoid executing the file under any circumstances.

• Immediately isolate and delete the file if found on any system to prevent potential system compromise.
• Perform dynamic analysis in a sandbox environment to understand its full behavior, including any
payload download attempts.
• Monitor network traffic and check for suspicious outbound connections if the file has been previously
executed, as it may have established remote access or downloaded additional payloads.
• Strengthen endpoint security and perform a full system scan using a reputable antivirus or endpoint
detection and response (EDR) solution.
2.Hash Information

• Hash Name:

988ffe0676b80b8bb6275199a281e0a4d0581919663b4dcdbc8cf18d8e11d5a6

• File Name: 075a794ae38872d36059a46b84a117d5.virus

• Hashes

o MD5: 075a794ae38872d36059a46b84a117d5

o SHA-1: 4290bb627384540dab505a85b15f1aa326efe3d9

o SHA-256:
988ffe0676b80b8bb6275199a281e0a4d0581919663b4dcdbc8cf18d8e11d5a6

o Vhash: 015056655d1c05109043z800437z47z62z4103

o Authentihash:
6eaf416d08fdc90e5f1ca028ec04169cc5069eb22b0b1e14df99576b9275b7c7

o Imphash: 7ed0d71376e55d58ab36dc7d3ffda898

o Magic: PE32 executable for MS Windows (GUI) Intel 80386 32-bit

o TrID: InstallShield setup (36.1%) Win32 Executable MS Visual C++ (generic)

(26.2%) Win64 Executable (generic) (23.2%) Win32 Dynamic Link Library
(generic) (5.5%)

o SSDEEP:
o 1536:D0YBsBE3ain2Q5xq10DZYzIaDyI9/x0wVQMwBMkqq/uzEfkV9:gnBTi2CR
DZYzIaFQMwaj2kv

o F-PROT packer: NSIS

• File Type: Win32 EXE

• File Size: 151.98 KB (155632 bytes)
• Detection Rate: 51/72 security vendors flagged this file as malicious
• Community Score: 0 (Indicating high suspicion)

Timeline & History:

• Creation Time - 2014-05-11 20:04:44 UTC
• First Submission - 2020-01-14 18:41:17 UTC

• Last Submission -2020-03-30 01:40:58 UTC

• Last Analysis - 2020-03-30 01:40:58 UTC

3.IOC ( Indicator of Compromise)
➢ IOC Methods
• Scan the file for malicious hashes using VirusTotal.
• Check for IP addresses, domains, and URLs in the file that might connect to external
servers.
Example IOC Findings:
➢ Contacted IP addresses:

IP Address Detections (out of 94)

103.224.182.243 3 / 94

204.11.56.48 3 / 94

3.223.115.185 1 / 94

52.217.171.101 0 / 94

91.195.240.41 0 / 94

➢ Contacted domains:

Domain Detections Created

aff-software.s3-website-us-east-1.amazonaws.com 6 / 94 2005-08-18
cloudfront.net 0 / 94 2008-04-25
comodoca.com 0 / 94 2002-11-13
d14fidyjqoxydf.cloudfront.net 0 / 94 2008-04-25
d2w2iwyju0dnjt.cloudfront.net 1 / 94 2008-04-25
downloadactivation.com 0 / 94 2024-11-24
downloadfastfree.com 1 / 94 2019-01-12
fusioninstall.com 1 / 94 2023-01-02
imp.fusioninstall.com 4 / 94 2023-01-02
ocsp.comodoca.com 0 / 94 2002-11-13
s3-website-us-east-1.amazonaws.com 0 / 94 2005-08-18
ww1.downloadfastfree.com 0 / 94 2019-01-12
www.downloadfastfree.com 0 / 94 2019-01-12
➢ Contacted URL:

Domain Detections Status

imp.fusioninstall.com Multiple 403/200

ocsp.comodoca.com 0 / 96 200

www.downloadfastfree.com 0 / 94 200

aff-software.s3-website-us-east-
6 / 94 403
1.amazonaws.com

d14fidyjqoxydf.cloudfront.net 3 / 93 403

d2w2iwyju0dnjt.cloudfront.net 1 / 89 200

downloadactivation.com 0 / 96 200

fusioninstall.com Multiple 403/200

ww1.downloadfastfree.com 0 / 72 200
➢ Graph Summary:

The graph represents the relationship and behavior of a Portable Executable (PE) file
(malware) and its subsequent activities in the infected environment. Below is a detailed
breakdown of the graph, including the impact of each interaction.

➢ Main Entity: PE File (Malware)

o Central Node: The PE (Portable Executable) file acts as the primary carrier of malicious
code.
o This file is responsible for initiating all malicious activities, such as dropping files, contacting
remote servers, and embedding resources.

5 Contacted IPs:
The malware communicated with 5 remote IPs, likely Command and Control (C2) servers
for data exfiltration, remote control, or downloading further payloads.

13+ Contacted Domains:

The malware contacted 13+ domains, suggesting it may be fetching additional malicious
components or exfiltrating sensitive data.

4 Dropped Files:
It dropped 4 files (DLL, EXE, or Scripts) on the system, which may be used to maintain
persistence, deploy payloads, or bypass security controls.

25+ Contacted URLs:

The malware accessed over 25 URLs, possibly for phishing sites, malicious downloads, or
C2 communication.

1 PE Resource Children:
The malware contains one embedded resource (like an embedded DLL, script, or shellcode),
which could further execute malicious tasks when triggered.

➢ Threat Level: Critical

This malware is highly dangerous as it:

o Maintains active communication with remote servers.
o Drops files to expand malicious activities.
o Has embedded resources to hide malicious payloads.
4.Behaviour analysis

➢ Network Communication

1. HTTP Requests
These are outbound requests made from an infected system to different URLs. The URLs
listed indicate potential malicious activity, primarily related to:
• Suspicious download sites like downloadfastfree.com, downloadactivation.com,
and fusioninstall.com
• Cloud-based delivery networks (cloudfront.net and amazonaws.com), which may be
used for hosting malware
• Executable file downloads (Cloud_Backup_Setup.exe, mw360_dist.exe, rt-
installer.exe), indicating possible installation of malicious software.

2. DNS Resolutions
The system attempted to resolve domain names to IP addresses, showing communication with:

• Cloudfront and AWS services (common for malware distribution)

• Fusioninstall.com, which is often associated with potentially unwanted programs
(PUPs)

3. IP Traffic
The infected system established TCP connections to various IP addresses, predominantly
over port 80 (HTTP). This behavior is consistent with:

• The presence of multiple .exe file downloads suggests that this activity may be
related to malware distribution.
• Domains like fusioninstall.com and downloadfastfree.com are known to be
associated with potentially unwanted applications (PUAs) or adware.
• AWS and CloudFront are often used to host malicious payloads.

➢ Process Actions:

1. Legitimate Windows Processes:

o svchost.exe, services.exe: Normal Windows processes, but often targeted or
abused by malware for persistence.
2. Suspicious Executables:
o 075a794ae38872d36059a46b84a117d5.exe: Acts as a malware dropper,
launching malicious processes.
o rt-installer.exe, aff_setup.exe: Possibly adware or unwanted software
installers.
o Malware360Installer.exe: Likely a Trojan disguised as antivirus software,
installing more malware.
o Temporary Files (.tmp): Used to unpack malicious code and deploy
secondary payloads.
o iexplore.exe, ie4uinit.exe: Internet Explorer is launched to connect with a
Command and Control (C2) server or download additional malware.
3. Possible Infection Chain:
o Dropper.exe → Temporary Files → Malware Installers → C2
Communication.
o Malware gains persistence, downloads more payloads, and may steal data.
4. Threat Indicators:
o Malware Dropper, Fake Antivirus, C2 Communication, Browser
Hijacking.
o Risk of data theft, system control, or further malware infection.
5. Recommended Actions:
o Disconnect the system from the network immediately.
o Perform a deep malware scan and remove malicious files.
o Check and delete startup or registry persistence.
o Monitor network traffic to block suspicious IPs.
o Consider a system rebuild if the infection persists.

➢ Threat Level: CRITICAL – High risk of data exfiltration, system control, and
further malware deployment.

➢ Key Behavior of the Hash

1. Disable Close Message of Window

• Behavior: The malware disables the close message of the installation window,
preventing the user from closing it manually.
• Detail Info:
o hWnd = 0x00030318: This is the window handle reference.
o Text = Software Setup: Installing: The malware presents a fake installation
window to mislead the user.
o ClassName = #32770: This class is a standard Windows dialog box often
used for installation or pop-up messages.
• Purpose:
o The malware is using this behavior to ensure the user does not interrupt the
installation process, allowing the payload to execute completely.
o Preventing the user from closing the window increases the chance of
successful malware deployment.
• Impact:
o The user cannot terminate the installation manually.
o Ensures full malware deployment without user interference.
o Could be used as a social engineering tactic.

2. Set Special Directory Property

• Behavior: The malware attempts to access various directories, mainly associated with
user browsing history, cache, and cookies.
• Detail Info:
o Accessed Paths:
▪ C:\Documents and Settings\Administrator\Local
Settings\Temporary Internet Files
▪ C:\Documents and Settings\Administrator\Local Settings\History
▪ C:\Documents and Settings\Administrator\Cookies
▪ C:\Documents and Settings\Administrator\Local
Settings\History\History.IE5
▪ C:\Documents and Settings\Administrator\Local
Settings\Temporary Internet Files\Content.IE5
• Purpose:
o The malware is trying to steal stored session cookies, browsing history, and
cache data.
o Cookies may contain authentication tokens, allowing the attacker to hijack
active sessions.
o History provides insights into websites visited, aiding in future phishing
attacks or further exploitation.
• Possible Actions:
o Exfiltration of user browsing history, login credentials, and cookies.
o Hijack of browser sessions to gain unauthorized access to user accounts.
o Data theft for monetization on dark web forums.
• Impact:
o Compromised user privacy.
o Theft of online banking credentials, social media accounts, and stored login
sessions.
o Unauthorized access to sensitive user data.

3. Get TickCount Value

• Behavior: The malware retrieves the system uptime using the TickCount function
and performs a sleep function every 10 milliseconds.
• Detail Info:
o Example values of TickCount:
▪ TickCount = 401135, SleepMilliseconds = 10
▪ TickCount = 404244, SleepMilliseconds = 10
▪ TickCount = 404369, SleepMilliseconds = 10
• Purpose:
o Anti-Analysis Technique: The malware uses TickCount to measure system
uptime. If the uptime is too low, it assumes it's running in a virtual sandbox
(used for malware analysis) and terminates execution.
o Delayed Execution: Adding sleep delays allows the malware to bypass real-
time analysis tools by slowing down its execution.
o Sandbox Evasion: If the system uptime is very low, the malware assumes it's
being analyzed and may not execute its payload.
• Malicious Intent:
o Ensure the malware can avoid detection in dynamic analysis (sandbox
environment).
o Guarantee successful execution on real user systems.
o Trick antivirus software by slowing down its execution.
• Impact:
o Successful malware evasion.
o Bypass of sandbox environments and antivirus solutions.
o Full execution of malicious payload without interruption.

4. Persistence Mechanism (Hidden Behavior)

• Behavior: The malware uses temporary files, and setting special directories also hints
that it may drop additional payloads.
• Potential Files Created:
o Temporary files in %TEMP% folder or C:\Windows\Temp\
o Possible unpacking of hidden payloads.
o Creation of registry keys to ensure the malware runs every time the system
boots.
• Purpose:
o Establish persistence by modifying registry keys or system startup.
o Drop secondary malware payloads (such as keyloggers, trojans, or
ransomware).
• Indicators of Persistence:
o Accessing Temporary Internet Files may indicate downloading additional
payloads.
o Creating .tmp files suggest unpacking of malicious code.
• Impact:
o Continuous malware operation even after a system reboot.
o Installation of secondary malware like keyloggers, ransomware, or trojans.
o Persistent network communication to a C2 server.

➢ Action Needed Immediately

o Isolate the System.

o Scan and Remove Malware.
o Check Startup Entries (Using Autoruns).
o Analyze Network Traffic.
o Block Malicious Domains/IPs.
5. Conclusion
The analysis of the file
988ffe0676b80b8bb6275199a281e0a4d0581919663b4dcdbc8cf18d8e11d5a6 confirms that
it poses a high-security risk and is categorized as a Trojan Downloader with Adware
capabilities. It has been flagged as malicious by 51 out of 72 security vendors, confirming
its dangerous nature. Immediate actions should be taken to avoid damage or data loss.

Recommended Actions (Immediate Steps):

1. 🗑 Delete the File: Immediately delete the file from your system and empty the
Recycle Bin.

2. 🛡 Full System Scan: Run a full antivirus scan using Windows Defender,
Malwarebytes, or Kaspersky to detect and remove threats.

3. Monitor Network Traffic: Check for suspicious network activity using Wireshark
or Netstat and block any unknown IPs/domains.

4. Isolate Infected System: If in a network, disconnect the infected device to prevent

lateral movement or data theft.

5. 🗂 Remove Malware Traces: Check Startup Items, Task Manager, and Registry for
unknown processes or files and delete them.

6. User Awareness: Educate users to avoid downloading software from untrusted

sources or clicking unknown links.

7. Reanalyze (Optional): If necessary, submit the file for fresh sandbox analysis to
uncover any hidden threats.

Final Verdict:

DO NOT TRUST THIS FILE.

• It is confirmed to be a Trojan-Downloader with Adware capabilities, capable of

downloading further malware payloads.
• It can potentially steal data, compromise the system, install ransomware, or create
backdoors.
• Immediate removal and system isolation are strongly recommended.

Stay vigilant & practice cybersecurity hygiene!