2024-09-11_8ae82f44add6d3e1668a90004e653086_floxif_hijackloader_mafia

Sharing

Copy URL Twitter E-mail

General

Target

2024-09-11_8ae82f44add6d3e1668a90004e653086_floxif_hijackloader_mafia
Size

3.2MB
MD5

8ae82f44add6d3e1668a90004e653086
SHA1

ff0b9d1b0e2bd3e02844700cad3d9786861dc588
SHA256

ba1bdf7c981d9d478b7b6f469c1f48164c67a83c98971072695a9629e0656169
SHA512

286f0cefaee6c737f9080de6afceddd16ee0a3c9d20218e883975d8bc12712b56e4e9bd0493641d6fafa4c24c966787d4395e94170958e84ab6422eeb808c43f
SSDEEP

49152:Nhx6IX6O7W0z9nYhT/apNEKA1S+WeQ3Yth60+RGv/bIDEDCeOFTh2katPy:NhxHX6O7hZnYhTcNEKP+U6v/bIECYkaw

Score

1^/10

Malware Config

Signatures

Files

2024-09-11_8ae82f44add6d3e1668a90004e653086_floxif_hijackloader_mafia
.exe windows:5 windows x86 arch:x86

848d793476ec7fc0c47db5a684e456c2

Code Sign

d1:9d:b1:a5:42:ff:d3:d9:9b:83:20:8f:e9:e8:0f:e3
Certificate

Issuer

CN=Sectigo RSA Code Signing CA,O=Sectigo Limited,L=Salford,ST=Greater Manchester,C=GB

Not Before

10/12/2020, 00:00

Not After

10/12/2023, 23:59

Subject

CN=ZOHO Corporation Private Limited,O=ZOHO Corporation Private Limited,POSTALCODE=603202,STREET=Estancia IT Park\, GST Road,L=Chengalpattu,ST=Tamil Nadu,C=IN

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

1d:a2:48:30:6f:9b:26:18:d0:82:e0:96:7d:33:d3:6a
Certificate

Issuer

CN=USERTrust RSA Certification Authority,O=The USERTRUST Network,L=Jersey City,ST=New Jersey,C=US

Not Before

02/11/2018, 00:00

Not After

31/12/2030, 23:59

Subject

CN=Sectigo RSA Code Signing CA,O=Sectigo Limited,L=Salford,ST=Greater Manchester,C=GB

Extended Key Usages

ExtKeyUsageCodeSigning
ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

0c:4d:69:72:4b:94:fa:3c:2a:4a:3d:29:07:80:3d:5a
Certificate

Issuer

CN=DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA,O=DigiCert\, Inc.,C=US

Not Before

21/09/2022, 00:00

Not After

21/11/2033, 23:59

Subject

CN=DigiCert Timestamp 2022 - 2,O=DigiCert,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature

07:36:37:b7:24:54:7c:d8:47:ac:fd:28:66:2a:5e:5b
Certificate

Issuer

CN=DigiCert Trusted Root G4,OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

23/03/2022, 00:00

Not After

22/03/2037, 23:59

Subject

CN=DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA,O=DigiCert\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

0e:9b:18:8e:f9:d0:2d:e7:ef:db:50:e2:08:40:18:5a
Certificate

Issuer

CN=DigiCert Assured ID Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

01/08/2022, 00:00

Not After

09/11/2031, 23:59

Subject

CN=DigiCert Trusted Root G4,OU=www.digicert.com,O=DigiCert Inc,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

56:5d:dc:dc:8b:22:9e:b7:f7:38:84:f3:53:6c:30:fa:33:bb:b6:4c:41:07:ec:fe:c2:87:5b:48:a6:39:85:32
Signer

Actual PE Digest

56:5d:dc:dc:8b:22:9e:b7:f7:38:84:f3:53:6c:30:fa:33:bb:b6:4c:41:07:ec:fe:c2:87:5b:48:a6:39:85:32

Digest Algorithm

sha256

PE Digest Matches

false

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

PDB Paths

d:\Webhost\23-12-2022\WindowsBuilds\DC_NATIVE\5793306\desktopcentral\ONPREMISE\SA_SRC\native\agent\Release\dcpatchscan.pdb

Imports

advapi32

QueryServiceStatus
DeleteService
ControlService
RevertToSelf
ImpersonateLoggedOnUser
RegCloseKey
RegQueryValueExA
RegOpenKeyExA
LsaOpenPolicy
LsaNtStatusToWinError
RegCreateKeyExA
RegSetValueExA
RegDeleteKeyA
RegDeleteValueA
RegEnumValueA
RegEnumKeyExA
RegQueryInfoKeyA
LsaClose
LsaFreeMemory
LsaQueryInformationPolicy
IsValidSid
FreeSid
LookupAccountNameW
EqualSid
LsaEnumerateAccountsWithUserRight
LookupAccountNameA
GetUserNameA
CreateWellKnownSid
CreateProcessAsUserA
GetTokenInformation
QueryServiceStatusEx
LookupAccountSidA
LsaRemoveAccountRights
LsaAddAccountRights
ConvertSidToStringSidA
ConvertStringSidToSidA
RegSetValueExW
RegOpenKeyExW
CryptDestroyKey
CreateServiceA
CryptGenKey
CryptGetUserKey
CryptAcquireContextA
CryptDestroyHash
CryptEncrypt
CryptDeriveKey
CryptHashData
CryptCreateHash
CryptDecrypt
StartServiceA
RegEnumKeyW
RegDeleteValueW
RegQueryValueExW
RegEnumKeyA
RegOpenKeyA
OpenProcessToken
LogonUserA
CreateProcessAsUserW
AbortSystemShutdownA
AdjustTokenPrivileges
LookupPrivilegeValueA
LookupPrivilegeNameA
CryptGetHashParam
InitiateSystemShutdownW
StartServiceW
OpenServiceW
OpenSCManagerW
QueryServiceConfigW
ChangeServiceConfigW
GetSidSubAuthority
GetSidSubAuthorityCount
GetSidIdentifierAuthority
ConvertSidToStringSidW
GetLengthSid
LookupAccountSidW
DeregisterEventSource
ReportEventA
RegisterEventSourceA
ReportEventW
RegisterEventSourceW
ChangeServiceConfig2A
OpenSCManagerA
OpenServiceA
CryptReleaseContext
CloseServiceHandle
RegOpenCurrentUser

ole32

OleRun
CoInitializeSecurity
CoSetProxyBlanket
StringFromGUID2
CoInitialize
CoInitializeEx
CoCreateInstance
CoUninitialize

oleaut32

VariantClear
SysAllocStringLen
CreateErrorInfo
SetErrorInfo
GetErrorInfo
VariantChangeType
SysAllocString
SafeArrayAccessData
SafeArrayGetLBound
SafeArrayGetUBound
SysAllocStringByteLen
SysStringLen
VariantInit
VarBstrCmp
SysFreeString

wsock32

ntohs

iphlpapi

GetExtendedTcpTable
GetExtendedUdpTable
SendARP
GetAdaptersInfo

crypt32

CertVerifyTimeValidity
CertDeleteCertificateFromStore
CertNameToStrA
CertFindCertificateInStore
CertFreeCertificateContext
CertNameToStrW
CertGetNameStringA
CryptMsgGetParam
CryptQueryObject
CertCloseStore
CertAddCertificateContextToStore
CertEnumCertificatesInStore
CertOpenStore
PFXVerifyPassword
PFXImportCertStore
CertCreateCertificateContext
CryptStringToBinaryA

psapi

GetModuleFileNameExA

userenv

DestroyEnvironmentBlock
LoadUserProfileA
CreateEnvironmentBlock
UnloadUserProfile

dcagenthttp

AgentSendRequestEx

version

GetFileVersionInfoA
VerQueryValueA
GetFileVersionInfoSizeA

mpr

WNetAddConnection2W
WNetCancelConnection2W
WNetCancelConnection2A

activeds

ord13
ord3
ord14
ord9

msi

ord247
ord243
ord237
ord178
ord245

wtsapi32

WTSFreeMemory
WTSEnumerateSessionsA
WTSEnumerateSessionsW
WTSQuerySessionInformationW
WTSQuerySessionInformationA

winhttp

WinHttpCloseHandle
WinHttpQueryOption
WinHttpSetOption
WinHttpReceiveResponse
WinHttpWriteData
WinHttpSendRequest
WinHttpAddRequestHeaders
WinHttpSetStatusCallback
WinHttpOpenRequest
WinHttpConnect
WinHttpSetTimeouts
WinHttpOpen
WinHttpQueryHeaders
WinHttpReadData
WinHttpQueryDataAvailable
WinHttpSetCredentials

imagehlp

MapFileAndCheckSumA

dclibxml2

xmlTextReaderName
xmlFreeDoc
xmlDocGetRootElement
xmlParseFile
xmlTextReaderDepth
xmlTextReaderRead
xmlFree
xmlStrcmp
xmlNewTextReaderFilename
xmlParseMemory
xmlTextReaderGetAttribute
xmlTextReaderAttributeCount
xmlTextReaderValue
xmlFreeTextReader
xmlNodeListGetString
xmlCleanupParser

cryptnet

CryptGetObjectUrl

kernel32

ExitProcess
GetModuleHandleW
DuplicateHandle
GetCPInfo
RtlUnwind
HeapSize
HeapReAlloc
HeapDestroy
InitializeCriticalSectionAndSpinCount
GetLocaleInfoW
DecodePointer
EncodePointer
DeleteCriticalSection
GetStringTypeW
InterlockedCompareExchange
InterlockedIncrement
RaiseException
InterlockedExchange
MoveFileExA
GetModuleFileNameA
LocalLock
LocalUnlock
ExitThread
LCMapStringW
CompareStringW
GetTimeFormatA
GetDateFormatA
IsProcessorFeaturePresent
HeapCreate
GetDriveTypeA
TlsAlloc
FindFirstFileExA
TlsGetValue
TlsSetValue
TlsFree
GetCurrentThread
UnhandledExceptionFilter
GetACP
GetOEMCP
IsValidCodePage
GetCommandLineA
HeapSetInformation
GetFileInformationByHandle
PeekNamedPipe
SizeofResource
LockResource
LoadResource
FindResourceW
FindResourceExW
GetLastError
FreeLibrary
GetProcAddress
GetModuleHandleA
LoadLibraryA
WideCharToMultiByte
RemoveDirectoryA
DeleteFileA
FileTimeToLocalFileTime
GetSystemTimeAsFileTime
CopyFileA
TerminateProcess
SetEvent
CloseHandle
OpenEventA
OpenProcess
Sleep
WaitForSingleObject
GetTickCount
MultiByteToWideChar
LocalFree
LocalAlloc
WriteFile
GetStdHandle
FormatMessageA
GetUserDefaultLangID
lstrlenA
lstrlenW
GetEnvironmentVariableA
FindClose
FindNextFileA
FindFirstFileA
CreateFileA
ReadFile
GetFileSize
GetSystemTime
GetFileSizeEx
GetFileType
GetSystemInfo
LoadLibraryW
Process32Next
ProcessIdToSessionId
Process32First
CreateToolhelp32Snapshot
GetCurrentProcess
SystemTimeToFileTime
InterlockedDecrement
HeapFree
SetStdHandle
OutputDebugStringA
CreatePipe
HeapAlloc
GetProcessHeap
GetSystemWindowsDirectoryA
GetSystemDirectoryA
SetCurrentDirectoryA
GetCurrentDirectoryA
GetExitCodeProcess
CreateProcessA
SetHandleInformation
Thread32Next
GetCurrentProcessId
OpenThread
GetCurrentThreadId
Thread32First
GetThreadTimes
GetSystemTimes
ResumeThread
SuspendThread
lstrcmpA
CreateThread
GetWindowsDirectoryA
GetProcessHeaps
MoveFileA
GetDiskFreeSpaceExA
HeapValidate
FileTimeToSystemTime
GetLocaleInfoA
GetVersionExA
FindFirstFileW
GetTimeZoneInformation
GetPriorityClass
SetPriorityClass
SystemTimeToTzSpecificLocalTime
GetLocalTime
QueryDosDeviceA
SetDllDirectoryA
FindNextFileW
GetEnvironmentVariableW
ReleaseMutex
CreateMutexA
SetFilePointer
SetCurrentDirectoryW
CreateProcessW
GetCurrentDirectoryW
ExpandEnvironmentStringsA
DeleteFileW
FlushFileBuffers
CreateDirectoryW
CopyFileW
QueryPerformanceCounter
QueryPerformanceFrequency
FormatMessageW
GlobalFree
GlobalAlloc
GetComputerNameExW
DisconnectNamedPipe
ConnectNamedPipe
CreateNamedPipeA
lstrcmpW
SetLastError
UnmapViewOfFile
MapViewOfFile
OpenFileMappingW
GetVersion
lstrcmpiA
GetNativeSystemInfo
DeleteTimerQueue
CreateTimerQueue
CreateTimerQueueTimer
CreateDirectoryA
InitializeCriticalSection
LeaveCriticalSection
EnterCriticalSection
GetFileAttributesExA
GetFullPathNameA
SetUnhandledExceptionFilter
IsDebuggerPresent
SetHandleCount
GetStartupInfoW
FatalAppExitA
GetModuleFileNameW
GetConsoleCP
GetConsoleMode
GetFileAttributesA
GetFileAttributesW
SetConsoleCtrlHandler
FreeEnvironmentStringsW
GetEnvironmentStringsW
GetUserDefaultLCID
EnumSystemLocalesA
IsValidLocale
WriteConsoleW
SetEnvironmentVariableA
GetDriveTypeW
SetEndOfFile
SetEnvironmentVariableW
VirtualQuery
CreateFileW

user32

wsprintfA
GetLastInputInfo
wsprintfW
MessageBoxA

shell32

SHFileOperationA
SHCreateDirectoryExA
SHCreateDirectoryExW
SHGetSpecialFolderPathA

odbc32

ord18
ord11
ord9
ord41
ord31
ord1
ord2
ord8
ord16
ord12
ord19
ord3
ord49
ord48
ord72
ord26
ord4
ord20
ord39
ord43
ord13
ord29
ord36

shlwapi

PathFileExistsW
StrTrimW
StrTrimA
PathFindExtensionA
StrStrA
SHDeleteKeyA
PathFileExistsA
PathRemoveExtensionA
StrStrIW
PathIsDirectoryA
StrStrIA

gdiplus

GdipFree
GdipAlloc
GdipLoadImageFromFile
GdipLoadImageFromFileICM
GdipDisposeImage
GdipSaveImageToFile
GdipGetImageEncodersSize
GdipGetImageEncoders
GdiplusStartup
GdiplusShutdown
GdipCloneImage

ws2_32

socket
WSAStartup
inet_ntoa
gethostbyname
closesocket
getnameinfo
htons
inet_addr
WSACleanup
WSAGetLastError
bind

ntdsapi

DsFreeNameResultW
DsCrackNamesW

netapi32

NetWkstaGetInfo
NetGetJoinInformation
NetApiBufferFree
NetServerGetInfo
DsGetDcNameA
NetWkstaUserGetInfo

Sections

.text
Size: 2.3MB - Virtual size: 2.3MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 679KB - Virtual size: 679KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 60KB - Virtual size: 72KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1024B - Virtual size: 1000B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 122KB - Virtual size: 122KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

848d793476ec7fc0c47db5a684e456c2

Code Sign

d1:9d:b1:a5:42:ff:d3:d9:9b:83:20:8f:e9:e8:0f:e3Certificate

Extended Key Usages

Key Usages

1d:a2:48:30:6f:9b:26:18:d0:82:e0:96:7d:33:d3:6aCertificate

Extended Key Usages

Key Usages

0c:4d:69:72:4b:94:fa:3c:2a:4a:3d:29:07:80:3d:5aCertificate

Extended Key Usages

Key Usages

07:36:37:b7:24:54:7c:d8:47:ac:fd:28:66:2a:5e:5bCertificate

Extended Key Usages

Key Usages

0e:9b:18:8e:f9:d0:2d:e7:ef:db:50:e2:08:40:18:5aCertificate

Key Usages

56:5d:dc:dc:8b:22:9e:b7:f7:38:84:f3:53:6c:30:fa:33:bb:b6:4c:41:07:ec:fe:c2:87:5b:48:a6:39:85:32Signer

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

advapi32

ole32

oleaut32

wsock32

iphlpapi

crypt32

psapi

userenv

dcagenthttp

version

mpr

activeds

msi

wtsapi32

winhttp

imagehlp

dclibxml2

cryptnet

kernel32

user32

shell32

odbc32

shlwapi

gdiplus

ws2_32

ntdsapi

netapi32

Sections

.text Size: 2.3MB - Virtual size: 2.3MB

.rdata Size: 679KB - Virtual size: 679KB

.data Size: 60KB - Virtual size: 72KB

.rsrc Size: 1024B - Virtual size: 1000B

.reloc Size: 122KB - Virtual size: 122KB

d1:9d:b1:a5:42:ff:d3:d9:9b:83:20:8f:e9:e8:0f:e3
Certificate

1d:a2:48:30:6f:9b:26:18:d0:82:e0:96:7d:33:d3:6a
Certificate

0c:4d:69:72:4b:94:fa:3c:2a:4a:3d:29:07:80:3d:5a
Certificate

07:36:37:b7:24:54:7c:d8:47:ac:fd:28:66:2a:5e:5b
Certificate

0e:9b:18:8e:f9:d0:2d:e7:ef:db:50:e2:08:40:18:5a
Certificate

56:5d:dc:dc:8b:22:9e:b7:f7:38:84:f3:53:6c:30:fa:33:bb:b6:4c:41:07:ec:fe:c2:87:5b:48:a6:39:85:32
Signer

.text
Size: 2.3MB - Virtual size: 2.3MB

.rdata
Size: 679KB - Virtual size: 679KB

.data
Size: 60KB - Virtual size: 72KB

.rsrc
Size: 1024B - Virtual size: 1000B

.reloc
Size: 122KB - Virtual size: 122KB