Trojan.Agent.XFM
Analysis Report
General information
| Family Name: | Trojan.Agent.XFM |
|---|---|
| Signature status: | Hash Mismatch |
Known Samples
This section lists other file samples believed to be associated with this family.
Windows Portable Executable Attributes
- File doesn't have "Rich" header
- File doesn't have exports table
- File doesn't have resources
- File doesn't have security information
- File has exports table
- File has TLS information
- File is 32-bit executable
- File is 64-bit executable
- File is either console or GUI application
- File is GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)
- File is Native application (NOT .NET application)
- File is not packed
- IMAGE_FILE_DLL is not set inside PE header (Executable)
- IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)
Windows PE Version Information
This section displays values and attributes that have been set in the Windows file version information data structure for samples within this family. To mislead users, malware actors often add fake version information mimicking legitimate software.

| Name | Value |
|---|---|
| Build ID | 20180626210124 |
| Company Name | Mozilla Foundation |
| File Description | |
| File Version | |
| Internal Name | |
| Legal Copyright | License: MPL 2 |
| Legal Trademarks | Mozilla |
| Original Filename | |
| Product Name | Cyberfox |
| Product Version | |
Digital Signatures
This section lists digital signatures that are attached to samples within this family. When analyzing and verifying digital signatures, it is important to confirm that the signature’s root authority is a well-known and trustworthy entity and that the status of the signature is good. Malware is often signed with non-trustworthy “Self Signed” digital signatures (which can be easily created by a malware author with no verification). Malware may also be signed by legitimate signatures that have an invalid status, and by signatures from questionable root authorities with fake or misleading “Signer” names.

| Signer | Root | Status |
|---|---|---|
| Troy Smith | COMODO RSA Code Signing CA | Hash Mismatch |
| Whereas Attorney | Dazzle Cushion | Self Signed |
File Traits
- dll
- GetConsoleWindow
- HighEntropy
- x64
- x86
Block Information
During analysis, EnigmaSoft breaks file samples into logical blocks for classification and comparison with other samples. Blocks can be used to generate malware detection rules and to group file samples into families based on shared source code, functionality and other distinguishing attributes and characteristics. This section lists a summary of this block data, as well as its classification by EnigmaSoft. A visual representation of the block data is also displayed, where available.

| Total Blocks: | 720 |
|---|---|
| Potentially Malicious Blocks: | 260 |
| Whitelisted Blocks: | 441 |
| Unknown Blocks: | 19 |
Visual Map

[Block map image: one cell per analysed block, rendered with the following legend]
- 0 - Probable Safe Block
- ? - Unknown Block
- x - Potentially Malicious Block
Similar Families
This section lists other families that share similarities with this family, based on EnigmaSoft’s analysis. Many malware families are created from the same malware toolkits and use the same packing and encryption techniques but uniquely extend functionality. Similar families may also share source code, attributes, icons, subcomponents, compromised and/or invalid digital signatures, and network characteristics. Researchers leverage these similarities to rapidly and effectively triage file samples and extend malware detection rules.

- Agent.XFM
- Agent.Y
Windows API Usage
This section lists Windows API calls that are used by the samples in this family. Windows API usage analysis is a valuable tool that can help identify malicious activity, such as keylogging, security privilege escalation, data encryption, data exfiltration, interference with antivirus software, and network request manipulation.

| Category | API |
|---|---|
| Syscall Use | |
| Process Shell Execute | |
| Anti Debug | |
Shell Command Execution
This section lists Windows shell commands that are run by the samples in this family. Windows Shell commands are often leveraged by malware for nefarious purposes and can be used to elevate security privileges, download and launch other malware, exploit vulnerabilities, collect and exfiltrate data, and hide malicious activity.
C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\89e38055e79c045895f16e98a61606806e7b20ff_0000402944.,LiQMAxHB