fassurun_as.exe

fassurun

This is the installer/setup program for a Yontoo adware component, a web browser plugin that injects unwanted ads in the browser. The application fassurun_as.exe by fassurun has been detected as adware by 5 anti-malware scanners. The program is a setup application that uses the NSIS (Nullsoft Scriptable Install System) installer. It will plug into the web browser and display context-based advertisements by overwriting existing ads or by inserting new ones on various web pages. It is also typically executed from an Internet Explorer cache folder. The file has been seen being downloaded from vzbucket.appscion.com.
Publisher:
fassurun  (signed and verified)

MD5:
5d01e761656e813b65808783271b548c

SHA-1:
b9ae946dd4832636bdc190dccae8e05cde11b9a8

SHA-256:
72b3f9cbeecc26a95bb532713440db061488c0ea30bb05da9f1d20163007474b

Scanner detections:
5 / 68

Status:
Adware

Explanation:
Injects advertising in the web browser in various formats.

Analysis date:
12/24/2024 3:00:47 PM UTC  (today)

Scan engine
Detection
Engine version

ESET NOD32
Win32/BrowseFox
7.9188

Reason Heuristics
PUP.fassurun.L
14.8.7.21

Rising Antivirus
NS:PUF.SilenceInstaller!1.9DDF
23.00.65.131220

VIPRE Antivirus
Trojan.Win32.Generic
24494

XVirus List
Win32.Detected
2.8.7

File size:
198 KB (202,736 bytes)

File type:
Executable application (Win32 EXE)

Installer:
NSIS (Nullsoft Scriptable Install System)

Common path:
C:\users\{user}\appdata\local\microsoft\windows\temporary internet files\content.ie5\{random}\fassurun_as.exe

Digital Signature
Signed by:

Authority:
VeriSign, Inc.

Valid from:
8/21/2013 3:00:00 AM

Valid to:
8/21/2015 2:59:59 AM

Subject:
CN=fassurun, OU=Digital ID Class 3 - Microsoft Software Validation v2, O=fassurun, L=San Diego, S=California, C=US

Issuer:
CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

Serial number:
6EA3A2D62F7379560AF4974E60282338

File PE Metadata
Compilation timestamp:
12/6/2009 12:50:41 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
3072:TLk395hYXJsCV+7eniqhnIJkf25tquQ91jGW4k9anH7l1m/GqMHJGULvi:TQqDV+8iq615tB01jGxkYnH7nm/G/Hcp

Entry address:
0x30CB

Entry point:
81, EC, 80, 01, 00, 00, 53, 55, 56, 33, DB, 57, 89, 5C, 24, 18, C7, 44, 24, 10, 60, 91, 40, 00, 33, F6, C6, 44, 24, 14, 20, FF, 15, 30, 70, 40, 00, 68, 01, 80, 00, 00, FF, 15, B0, 70, 40, 00, 53, FF, 15, 7C, 72, 40, 00, 6A, 08, A3, 38, 3F, 42, 00, E8, F1, 2B, 00, 00, A3, 84, 3E, 42, 00, 53, 8D, 44, 24, 34, 68, 60, 01, 00, 00, 50, 53, 68, 30, F4, 41, 00, FF, 15, 58, 71, 40, 00, 68, 54, 91, 40, 00, 68, 80, 36, 42, 00, E8, A4, 28, 00, 00, FF, 15, AC, 70, 40, 00, BF, 00, 90, 42, 00, 50, 57, E8, 92, 28, 00, 00...
 
[+]

Packer / compiler:
Nullsoft install system v2.x

Code size:
22.5 KB (23,040 bytes)

The file fassurun_as.exe has been seen being distributed by the following URL.

Remove fassurun_as.exe - Powered by Reason Core Security