File name: FileZilla_3.67.0_win64_sponsored2-setup.exe

Full analysis: https://app.any.run/tasks/b66f24b5-ee69-4db9-bbd4-97fcbaa8c6e5
Verdict: Malicious activity
Analysis date: April 26, 2024, 04:55:47
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5: E4ACF0E303E9F1371F029E013F902262
SHA1: 180F686F2AFE1AD0AC6F3498E70AF910FCBCE620
SHA256: 9BE2103D3418D266DE57143C2164B31C27DFA73C22E42137F3FE63A21F793202
SSDEEP: 98304:mrCHbIa9rYHGaqIGfqdr0qTxR7taD08ELRBX8YPi83BTqk4Sm7hPN50m7OXLV4Ji:iE5f2PcScEDFhoXt+1DNb

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • FileZilla_3.67.0_win64_sponsored2-setup.exe (PID: 1072)
      • FileZilla_3.67.0_win64_sponsored2-setup.exe (PID: 2268)
      • uninstall.exe (PID: 3084)
  • SUSPICIOUS

    • Malware-specific behavior (creating "System.dll" in Temp)

      • FileZilla_3.67.0_win64_sponsored2-setup.exe (PID: 1072)
      • uninstall.exe (PID: 3084)
      • FileZilla_3.67.0_win64_sponsored2-setup.exe (PID: 2268)
    • Application launched itself

      • FileZilla_3.67.0_win64_sponsored2-setup.exe (PID: 1072)
    • Searches for installed software

      • FileZilla_3.67.0_win64_sponsored2-setup.exe (PID: 2268)
    • The process creates files with name similar to system file names

      • FileZilla_3.67.0_win64_sponsored2-setup.exe (PID: 1072)
      • FileZilla_3.67.0_win64_sponsored2-setup.exe (PID: 2268)
      • uninstall.exe (PID: 3084)
    • Executable content was dropped or overwritten

      • FileZilla_3.67.0_win64_sponsored2-setup.exe (PID: 2268)
      • uninstall.exe (PID: 3084)
      • FileZilla_3.67.0_win64_sponsored2-setup.exe (PID: 1072)
    • Creates a software uninstall entry

      • FileZilla_3.67.0_win64_sponsored2-setup.exe (PID: 2268)
    • Creates/Modifies COM task schedule object

      • FileZilla_3.67.0_win64_sponsored2-setup.exe (PID: 2268)
  • INFO

    • Reads the computer name

      • FileZilla_3.67.0_win64_sponsored2-setup.exe (PID: 1072)
      • FileZilla_3.67.0_win64_sponsored2-setup.exe (PID: 2268)
      • uninstall.exe (PID: 3084)
    • Create files in a temporary directory

      • FileZilla_3.67.0_win64_sponsored2-setup.exe (PID: 1072)
      • uninstall.exe (PID: 3084)
      • FileZilla_3.67.0_win64_sponsored2-setup.exe (PID: 2268)
    • Checks supported languages

      • uninstall.exe (PID: 3084)
      • FileZilla_3.67.0_win64_sponsored2-setup.exe (PID: 1072)
      • FileZilla_3.67.0_win64_sponsored2-setup.exe (PID: 2268)
    • Creates files in the program directory

      • FileZilla_3.67.0_win64_sponsored2-setup.exe (PID: 2268)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (67.4)
.dll | Win32 Dynamic Link Library (generic) (14.2)
.exe | Win32 Executable (generic) (9.7)
.exe | Generic Win/DOS Executable (4.3)
.exe | DOS Executable Generic (4.3)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2023:07:02 02:09:43+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 26624
InitializedDataSize: 139776
UninitializedDataSize: 2048
EntryPoint: 0x3645
OSVersion: 4
ImageVersion: 6
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 3.67.0.0
ProductVersionNumber: 3.67.0.0
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: Tim Kosse
FileDescription: FileZilla FTP Client
FileVersion: 3.67.0
LegalCopyright: Tim Kosse
OriginalFileName: FileZilla_3.67.0_win32-setup.exe
ProductName: FileZilla
ProductVersion: 3.67.0
No data.
All screenshots are available in the full report
Total processes: 42
Monitored processes: 3
Malicious processes: 3
Suspicious processes: 0

Behavior graph

start -> filezilla_3.67.0_win64_sponsored2-setup.exe -> filezilla_3.67.0_win64_sponsored2-setup.exe -> uninstall.exe

Process information

PID: 1072
CMD: "C:\Users\admin\AppData\Local\Temp\FileZilla_3.67.0_win64_sponsored2-setup.exe"
Path: C:\Users\admin\AppData\Local\Temp\FileZilla_3.67.0_win64_sponsored2-setup.exe
Parent process: explorer.exe
User: admin
Company: Tim Kosse
Integrity Level: MEDIUM
Description: FileZilla FTP Client
Version: 3.67.0
Modules (images):
  c:\users\admin\appdata\local\temp\filezilla_3.67.0_win64_sponsored2-setup.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\advapi32.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\sechost.dll
  c:\windows\system32\rpcrt4.dll
  c:\windows\system32\shell32.dll
  c:\windows\system32\shlwapi.dll

PID: 2268
CMD: "C:\Users\admin\AppData\Local\Temp\FileZilla_3.67.0_win64_sponsored2-setup.exe" /UAC:1C018A /NCRC
Path: C:\Users\admin\AppData\Local\Temp\FileZilla_3.67.0_win64_sponsored2-setup.exe
Parent process: FileZilla_3.67.0_win64_sponsored2-setup.exe
User: admin
Company: Tim Kosse
Integrity Level: HIGH
Description: FileZilla FTP Client
Version: 3.67.0
Modules (images):
  c:\users\admin\appdata\local\temp\filezilla_3.67.0_win64_sponsored2-setup.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\advapi32.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\sechost.dll
  c:\windows\system32\rpcrt4.dll
  c:\windows\system32\shell32.dll
  c:\windows\system32\shlwapi.dll

PID: 3084
CMD: "C:\Program Files\FileZilla FTP Client\uninstall.exe" /frominstall /keepstartmenudir _?=C:\Program Files\FileZilla FTP Client
Path: C:\Program Files\FileZilla FTP Client\uninstall.exe
Parent process: FileZilla_3.67.0_win64_sponsored2-setup.exe
User: admin
Company: Tim Kosse
Integrity Level: HIGH
Description: FileZilla FTP Client
Exit code: 0
Version: 3.65.0
Modules (images):
  c:\program files\filezilla ftp client\uninstall.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\advapi32.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\sechost.dll
  c:\windows\system32\rpcrt4.dll
  c:\windows\system32\shell32.dll
  c:\windows\system32\shlwapi.dll
Total events: 7 262
Read events: 7 213
Write events: 33
Delete events: 16

Modification events

(PID) Process: (3084) uninstall.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\CopyHookHandlers\FileZilla3CopyHook
Operation: delete key
Name: (default)
Value: (empty)

(PID) Process: (3084) uninstall.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{DB70412E-EEC9-479C-BBA9-BE36BFDDA41B}\InProcServer32
Operation: delete key
Name: (default)
Value: (empty)

(PID) Process: (3084) uninstall.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{DB70412E-EEC9-479C-BBA9-BE36BFDDA41B}
Operation: delete key
Name: (default)
Value: (empty)

(PID) Process: (3084) uninstall.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\FileZilla 3\fzshellext
Operation: delete value
Name: Enable
Value: (empty)

(PID) Process: (3084) uninstall.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\FileZilla 3\fzshellext
Operation: delete key
Name: (default)
Value: (empty)

(PID) Process: (3084) uninstall.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\FileZilla 3
Operation: delete key
Name: (default)
Value: (empty)

(PID) Process: (3084) uninstall.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
Operation: write
Name: GlobalAssocChangedCounter
Value: 116

(PID) Process: (3084) uninstall.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
Operation: write
Name: GlobalAssocChangedCounter
Value: 117

(PID) Process: (3084) uninstall.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
Operation: write
Name: GlobalAssocChangedCounter
Value: 118

(PID) Process: (3084) uninstall.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager
Operation: write
Name: PendingFileRenameOperations
Value: \??\C:\Users\admin\AppData\Local\Temp\nsm56C5.tmp
Executable files: 36
Suspicious files: 38
Text files: 687
Unknown types: 85

Dropped files

PID | Process | Filename | Type
1072 | FileZilla_3.67.0_win64_sponsored2-setup.exe | C:\Users\admin\AppData\Local\Temp\nsgE0BA.tmp\System.dll | executable
  MD5: 4ADD245D4BA34B04F213409BFE504C07
  SHA256: 9111099EFE9D5C9B391DC132B2FAF0A3851A760D4106D5368E30AC744EB42706
1072 | FileZilla_3.67.0_win64_sponsored2-setup.exe | C:\Users\admin\AppData\Local\Temp\nsgE0BA.tmp\UserInfo.dll | executable
  MD5: D458B8251443536E4A334147E0170E95
  SHA256: 4913D4CCCF84CD0534069107CFF3E8E2F427160CAD841547DB9019310AC86CC7
2268 | FileZilla_3.67.0_win64_sponsored2-setup.exe | C:\Program Files\FileZilla FTP Client\fzsftp.exe | executable
  MD5: 1035E5D9386199763A1F683EC4644BF4
  SHA256: BD4270C0FB61378B8C8F6720E5BB55921783D9255144D34CD13DD575B5C2B41B
2268 | FileZilla_3.67.0_win64_sponsored2-setup.exe | C:\Program Files\FileZilla FTP Client\GPL.html | html
  MD5: 11E176C5E0120EE94E365F999084BCE8
  SHA256: F7E89C1EDBBEF8BC837B47C48113A2416F1AF0CFC2B2218DA39085465EA1045C
3084 | uninstall.exe | C:\Users\admin\AppData\Local\Temp\nsm56C5.tmp | executable
  MD5: C0059824F380C47A4F12FE7E97805150
  SHA256: E2DBC8AC85700DE7DD15F4844C356394C8C1A0AE717D6652902857D515C3F606
3084 | uninstall.exe | C:\Users\admin\AppData\Local\Temp\nsx5667.tmp\UserInfo.dll | executable
  MD5: 98FF85B635D9114A9F6A0CD7B9B649D0
  SHA256: 933F93A30CE44DF96CBC4AC0B56A8B02EE01DA27E4EA665D1D846357A8FCA8DE
3084 | uninstall.exe | C:\Users\admin\AppData\Local\Temp\nsh5656.tmp | binary
  MD5: 83C7A3C549E69D9C0611883B4FEE89AD
  SHA256: A1977B353A536536E087556A12A6E103EF90699DBF625AF636E7969A4292EFDA
2268 | FileZilla_3.67.0_win64_sponsored2-setup.exe | C:\Program Files\FileZilla FTP Client\NEWS | text
  MD5: 19C328041291022688D81CE7AF5EC055
  SHA256: AA62A9F3E4937DD885E6DA2E7E787DFBA72333520E4C50D6C93AB4517BB59317
2268 | FileZilla_3.67.0_win64_sponsored2-setup.exe | C:\Program Files\FileZilla FTP Client\fzputtygen.exe | executable
  MD5: 7E208D8C27326712EEEED291BA350C3C
  SHA256: 06F3610B7582AB8C906A81C0A9AC8199CA738E89A37E05021625C4AD9F7DD95A
3084 | uninstall.exe | C:\Users\admin\AppData\Local\Temp\nsx5667.tmp\System.dll | executable
  MD5: 564BB0373067E1785CBA7E4C24AAB4BF
  SHA256: 7A9DDEE34562CD3703F1502B5C70E99CD5BBA15DE2B6845A3555033D7F6CB2A5
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 4
DNS requests: 0
Threats: 0

HTTP requests

No HTTP requests

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
- | - | 224.0.0.252:5355 | - | - | - | unknown
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
1080 | svchost.exe | 224.0.0.252:5355 | - | - | - | unknown

DNS requests

No data

Threats

No threats detected
No debug info