SoftwareBundler:Win32/FakeDiX

The SoftwareBundler:Win32/FakeDiX detection is used by security applications to notify users of a program installer that contains more than one program and may download other software without your consent. The SoftwareBundler:Win32/FakeDiX detection usually refers to an online installer that is not more than 5MB and may claim to install the latest version of the DirectX software. However, SoftwareBundler:Win32/FakeDiX will not download safe software and may install on your PC programs like SupTab and Orbitum. Additionally, the SoftwareBundler:Win32/FakeDiX program will place two DLL files named '_shfoldr' and 'idp' in your Temp folder to inject code into your browser. Keep in mind that SoftwareBundler:Win32/FakeDiX may connect to the Internet via insecure channels and change your default search engine to Delta-search.com and Css.infospace.com that are associated with browser hijackers. Programs detected as SoftwareBundler:Win32/FakeDiX should not be trusted and may remain on your PC in the form of a browser extension that uses tracking cookies to help advertisers develop better marketing strategies. As stated above, SoftwareBundler:Win32/FakeDiX may introduce programs on your PC that might slow down your computer, load ads and redirect you to harmful domains. The SoftwareBundler:Win32/FakeDiX may refer to a program updater listed in your startup programs module, and you should disable it. Users affected by SoftwareBundler:Win32/FakeDiX may want to consider using a reliable anti-malware application to scan their system of threats and remove all components of SoftwareBundler:Win32/FakeDiX.

Table of Contents

Toggle

Analysis Report

General information

Family Name:	Trojan.Proxy.Agent.C
Signature status:	No Signature

Known Samples

i

Known Samples

This section lists other file samples believed to be associated with this family.

MD5: 41e75c80873b0ca18d56ddaba4c5aadd SHA1: 1d0423d6e66a4739db22939e1c16bcdc7eaa9746 SHA256: B7D4EEF3FA0244A3618B3D60EAB9A3EBAF1F8EC5CCE9598D37E99B9D7A988CEC File Size: 4.48 MB, 4477814 bytes

MD5: 6cbc8b8bbf8312d4e6ca33445a4cc075 SHA1: 7a97eb5e0c1546db4b79322563191c355e607b81 SHA256: 2E593FAA2EFF11124D6047CC32F59B786ECBB80149497744AD27B5E24D77F56C File Size: 4.49 MB, 4486913 bytes

MD5: 40307814eb03aac77508f6345db540a9 SHA1: 8959f45a94965aa10231e14edbad12eff48f3638 SHA256: 8E9E2CBF5F320FD22800A53F6E2B5A3702DC1B401A9D4DB7F58F1171DEEAE26E File Size: 2.00 MB, 2004007 bytes

Windows Portable Executable Attributes

i

Windows Portable Executable Attributes

This section lists file attributes found within family samples. These attributes are extracted from the files’ Windows PE (Portable Executable) specification and various system flags. Portable Executable Attributes give malware researchers insight into a file’s functionality, executable details, platform and runtime environment.

• File doesn't have "Rich" header
• File doesn't have debug information
• File doesn't have exports table
• File doesn't have relocations information
• File doesn't have security information
• File has been packed
• File has exports table
• File has TLS information
• File is 32-bit executable
• File is either console or GUI application

Show More

• File is GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)
• File is Native application (NOT .NET application)
• File is not packed
• IMAGE_FILE_DLL is not set inside PE header (Executable)
• IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)

File Icons

i

File Icons

This section displays icon resources found within family samples. Malware often replicates icons commonly associated with legitimate software to mislead users into believing the malware is safe.

Windows PE Version Information

i

Windows PE Version Information

This section displays values and attributes that have been set in the Windows file version information data structure for samples within this family. To mislead users, malware actors often add fake version information mimicking legitimate software.

Name	Value
Comments	This installation was built with Inno Setup.
Company Name	Jofund S.A.
File Description	Fremax Catalogue Password-Studio Pro Setup
File Version	6.0.0.78
Internal Name	catalogo.exe
Legal Copyright	2005 - Jofund S.A.
Legal Trademarks	Desenvolvido por Netzenos - www.netzenos.com.br
Product Name	Password-Studio Pro
Product Version	1.0.0.0

File Traits

• 2+ executable sections
• big overlay
• imgui
• MZ (In Overlay)
• No Version Info
• packed
• WinZip SFX
• x86
• ZIP (In Overlay)

Files Modified

i

Files Modified

This section lists files that were created, modified, moved and/or deleted by samples in this family. File system activity can provide valuable insight into how malware functions on the operating system.

File	Attributes
\device\namedpipe\dav rpc service	Generic Read,Write Data,Write Attributes,Write extended,Append data
\device\namedpipe\wkssvc	Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\pse20\41e75c80873b0ca18d56ddaba4c5aadd\php.ini	Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\downloads\fremax.test	Generic Read,Write Data,Write Attributes,Write extended,Append data

Windows API Usage

i

Windows API Usage

This section lists Windows API calls that are used by the samples in this family. Windows API usage analysis is a valuable tool that can help identify malicious activity, such as keylogging, security privilege escalation, data encryption, data exfiltration, interference with antivirus software, and network request manipulation.

Category	API
User Data Access	GetUserObjectInformation OpenClipboard
Anti Debug	IsDebuggerPresent
Network Winsock2	WSAStartup