Trojan.Farfli.FP
Analysis Report
General information
| Family Name: | Trojan.Farfli.FP |
|---|---|
| Signature status: | No Signature |
Known Samples
This section lists other file samples believed to be associated with this family.
| MD5 | SHA1 | SHA256 | File Size |
|---|---|---|---|
| c997486974eeb266a3ab66f1d1d53f29 | 13815a78218c2403e3063eabca94ef56046b9cf5 | FA419E4C3E1E13FACCA4F5ABE1499400C962A9CB667A218D8DAA4FA0614CEE61 | 2.00 MB, 2002944 bytes |
| 2672ae0a91f2a2365269094d835d0ea8 | 3ca4bf1e4831d9656ca6c051c8be8864699d4625 | 627EB85BEA403E967AD280CFC68916B80B450C2B004B7C9E0EA13232B5360498 | 2.76 MB, 2764860 bytes |
| ca651ab5316fdb9d158fcff96b8388d9 | 8c04d05e303184b10f4c26ea61b9a20046abc885 | 77F8EF2E80553962AC8066B35C8CE895791BE8BABFD5119A3A7EFDE002BF0357 | 45.06 KB, 45056 bytes |
| 3f860d177522945848b03e06c9a4a701 | 5ca099b1aeac2082346ad7ebcc3bd8f72ccf84a5 | 5567C3BED9EDF2927EAFFF84F4A88FC9C663E6C18C5121F9B8B988CB344DDB08 | 2.04 MB, 2039808 bytes |
| 30058b79cd933ae85f81c051573d8206 | 99f34709fac2f949f97626656c80a00690c9de69 | E944817D438EC152C82AB9D17B43BB2EC8B02EE1DBBE713D79ACC9A9E729EC4B | 1.19 MB, 1191936 bytes |
| 829474dbd67a7160ae392b171f9252a3 | 56d0414ccd37d3f133f2720a99c759047aee8035 | 7ECD511EB33B1B7FA8512B0C676F454562F17B2FFB2072E78D9C6607AAE81811 | 2.06 MB, 2060288 bytes |
| cbba5df81a8c8b50b000a1aec58222b6 | 59a5247fec86b1fea799228a29bae60aec4f4e7d | 2A81749E3FA96BBB6434A1EDB6509DFFC9C95A7DC7B80CB6B511686A9F5D82C3 | 438.27 KB, 438272 bytes |
| 8d84d9a404e3f4e6438a6fa56f07f6b4 | 18de5c0c3d52cd643f13b2927e5615bed31b25e8 | 302243BF9BF8BC9DAC3556B2932979BA2431D12741A34FBF68CA96CAD9966E58 | 2.11 MB, 2113536 bytes |
| 5df8f122bafa344ab681d40a7c901206 | ee97f34e4f61747e8941d6fe056adf1821160bc1 | 96485133E150D9617A2632D8C6DFBE54E179011394124100936A1769E86EF4A9 | 450.56 KB, 450560 bytes |
| 79388626525f487cec5c4a128f7fd183 | 156e8283abe1519e5ec2fc687b5500a702a9cd6c | 26560A32C80CC0043BC306D56A0FE7299202F24646AA59A776289B923ABAF1D6 | 331.78 KB, 331776 bytes |
| 9bf903c93108822f4192d677d3e92f1c | 81fe7107d480ed4ba3ad4429b9a68499457569be | 3669551B0A5B32C73956B447EE3B6A5102F13CBBBC3B8C7DAEAFCFC90C6CE817 | 172.03 KB, 172032 bytes |
Windows Portable Executable Attributes
- File doesn't have "Rich" header
- File doesn't have debug information
- File doesn't have resources
- File doesn't have security information
- File has exports table
- File is 32-bit executable
- File is either console or GUI application
- File is GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)
- File is Native application (NOT .NET application)
- File is not packed
- IMAGE_FILE_DLL is not set inside PE header (Executable)
- IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)
Windows PE Version Information
This section displays values and attributes that have been set in the Windows file version information data structure for samples within this family. To mislead users, malware actors often add fake version information mimicking legitimate software.
| Name | Value |
|---|---|
| Company Name | Actions Semiconductor Co., LTD |
| File Description | |
| File Version | |
| Internal Name | |
| Legal Copyright | |
| Original Filename | |
| Private Build | 5.43.03 |
| Product Name | |
| Product Version | |
| Special Build | 5.43.03 |
File Traits
- dll
- HighEntropy
- x86
Block Information
During analysis, EnigmaSoft breaks file samples into logical blocks for classification and comparison with other samples. Blocks can be used to generate malware detection rules and to group file samples into families based on shared source code, functionality and other distinguishing attributes and characteristics. This section lists a summary of this block data, as well as its classification by EnigmaSoft. A visual representation of the block data is also displayed, where available.
| Total Blocks: | 230 |
|---|---|
| Potentially Malicious Blocks: | 9 |
| Whitelisted Blocks: | 60 |
| Unknown Blocks: | 161 |
Visual Map
[Block map image not reproduced: one cell per block, 230 cells in total, coloured according to the legend below.]
- 0 - Probable Safe Block
- ? - Unknown Block
- x - Potentially Malicious Block
Windows API Usage
This section lists Windows API calls that are used by the samples in this family. Windows API usage analysis is a valuable tool that can help identify malicious activity, such as keylogging, security privilege escalation, data encryption, data exfiltration, interference with antivirus software, and network request manipulation.
| Category | API |
|---|---|
| Syscall Use | |
| Process Shell Execute | |
| Anti Debug | |
| Process Manipulation Evasion | |
Shell Command Execution
This section lists Windows shell commands that are run by the samples in this family. Windows Shell commands are often leveraged by malware for nefarious purposes and can be used to elevate security privileges, download and launch other malware, exploit vulnerabilities, collect and exfiltrate data, and hide malicious activity.
- `C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\13815a78218c2403e3063eabca94ef56046b9cf5_0002002944.,LiQMAxHB`
- `C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\3ca4bf1e4831d9656ca6c051c8be8864699d4625_0002764860.,LiQMAxHB`
- `C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\8c04d05e303184b10f4c26ea61b9a20046abc885_0000045056.,LiQMAxHB`
- `C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\5ca099b1aeac2082346ad7ebcc3bd8f72ccf84a5_0002039808.,LiQMAxHB`
- `C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\99f34709fac2f949f97626656c80a00690c9de69_0001191936.,LiQMAxHB`
- `C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\56d0414ccd37d3f133f2720a99c759047aee8035_0002060288.,LiQMAxHB`
- `C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\59a5247fec86b1fea799228a29bae60aec4f4e7d_0000438272.,LiQMAxHB`
- `C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\18de5c0c3d52cd643f13b2927e5615bed31b25e8_0002113536.,LiQMAxHB`
- `C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\ee97f34e4f61747e8941d6fe056adf1821160bc1_0000450560.,LiQMAxHB`
- `C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\156e8283abe1519e5ec2fc687b5500a702a9cd6c_0000331776.,LiQMAxHB`
- `C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\81fe7107d480ed4ba3ad4429b9a68499457569be_0000172032.,LiQMAxHB`