vlc.exe marked as W32.975C0D48C4.RET.SBX.TG

brentb2529
Level 1

False positive?  Just got a bunch of these off multiple MXs.


MD5 : 346cac4d1166ef87ab7617fc977f7dd4
SHA-1 d4bf1fc804bef6293d867c5f250191860044639c
SHA-256 975c0d48c41d2ad76a242d5f7270f4bf8063bb9c753b375ab2c47c9e2060f562
Vhash 3872fcc78e34962257f24cc7728ffae1
SSDEEP 12288:ytHbQKCiPwXtnn9X25lauYsoRy5T9LlHbAlZ2A1w/ccW9ZbGwHbK+L65E7heqTxm:GhPwXtn9X25lvoUna2/clhK+L3EqRzi
TLSH T1F41512D014A648EBC530523EDC105E32B8A214885FB157F473F2B56EDADADB8E056FCA
File type ZIP
Magic data
TrID MSIX Windows app package (84.1%)   ZIP compressed archive (12.6%)   PrintFox/Pagefox bitmap (640x800) (3.1%)
File size 885.40 KB (906653 bytes)

Processes Tree: 4008 - VLC


Endpoint: 

1d.tlu.dl.delivery.mp.microsoft.com

SHA256 : 975c0d48c41d2ad76a242d5f7270f4bf8063bb9c753b375ab2c47c9e2060f562
Disposition : Malicious
Type : ZIP
Size : 906653 bytes
Thanks.

yep, FP, they just cleared that one.  

 

So what is it? I got 5000 emails from a customer across their entire network. We had to shut down FMC altogether. What's going on?

IIRC that's VLC

Root cause for "what is going on" isn't done yet... I'll post it in the community if it gets sent to me. 

 

pmedinac
Cisco Employee

I'm wondering which SHA-256 you are getting alerted on?

Also, if this matches the initial one, I would suggest you open a TAC case with FMC, since this SHA-256 is already marked as clean and probably is not being populated to your device correctly.

SHA-256: 975c0d48c41d2ad76a242d5f7270f4bf8063bb9c753b375ab2c47c9e2060f562

--

Pedro M.
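An added example (not code from this thread, from Cisco, or from FMC) for the check Pedro asks about: it hashes a suspect file with the three algorithms quoted in the original post, reports which of the thread's published values match, and parses an alert block in the "Key : value" layout the post shows so an event that still reads Malicious for the since-cleared SHA-256 can be spotted. The `SAMPLE_EVENT` text is constructed from the post's own fields; the function names are my own.

```python
import hashlib
from typing import Dict, Iterable, List

# Hash values quoted in the thread's original post for the flagged vlc.exe
# package (the SHA-256 is the one FMC alerted on and that was later cleared).
THREAD_INDICATORS: Dict[str, str] = {
    "md5": "346cac4d1166ef87ab7617fc977f7dd4",
    "sha1": "d4bf1fc804bef6293d867c5f250191860044639c",
    "sha256": "975c0d48c41d2ad76a242d5f7270f4bf8063bb9c753b375ab2c47c9e2060f562",
}

# Constructed sample alert text, laid out like the block in the original post.
SAMPLE_EVENT = """SHA256 : 975c0d48c41d2ad76a242d5f7270f4bf8063bb9c753b375ab2c47c9e2060f562
Disposition : Malicious
Type : ZIP
Size : 906653 bytes
"""


def digests_from_chunks(chunks: Iterable[bytes]) -> Dict[str, str]:
    """Compute MD5, SHA-1 and SHA-256 over a stream of byte chunks in one pass."""
    hashers = {name: hashlib.new(name) for name in THREAD_INDICATORS}
    for chunk in chunks:
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def digests_of_bytes(data: bytes) -> Dict[str, str]:
    """Convenience wrapper for in-memory data (used by the tests)."""
    return digests_from_chunks([data])


def file_digests(path: str, chunk_size: int = 1 << 20) -> Dict[str, str]:
    """Hash a file from disk without loading it fully into memory."""
    with open(path, "rb") as fh:
        return digests_from_chunks(iter(lambda: fh.read(chunk_size), b""))


def matching_indicators(digests: Dict[str, str],
                        indicators: Dict[str, str] = THREAD_INDICATORS) -> List[str]:
    """Names of the algorithms whose digest equals the thread's published value."""
    return sorted(name for name, value in digests.items()
                  if indicators.get(name, "").lower() == value.lower())


def parse_event(text: str) -> Dict[str, str]:
    """Turn 'Key : value' lines from an alert into a dict with lower-cased keys."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:  # skip lines that carry no "Key : value" pair
            fields[key.strip().lower()] = value.strip()
    return fields


def triage_event(text: str,
                 cleared_sha256: str = THREAD_INDICATORS["sha256"]) -> Dict[str, object]:
    """Report whether an alert is for the hash this thread discusses and, if so,
    whether the device still shows it as Malicious after it was cleared."""
    event = parse_event(text)
    sha256 = event.get("sha256", "").lower()
    disposition = event.get("disposition", "")
    matches = sha256 == cleared_sha256.lower()
    return {
        "sha256": sha256,
        "disposition": disposition,
        "matches_cleared_hash": matches,
        "stale_disposition": matches and disposition.lower() == "malicious",
    }


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(matching_indicators(file_digests(sys.argv[1])))
    print(triage_event(SAMPLE_EVENT))
```

Run it with a path argument to learn whether a file on disk is the package the thread discusses; without one it triages the constructed sample, which reports `stale_disposition: True` because the event still carries the cleared hash with a Malicious verdict.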

Damon Kalajzich
Level 1

This appears to have killed my FMC; I have awoken to the /Volume being 100% full and FMC not functioning.