File name: | fusioninventory-agent_windows-x86_2.4.3.exe |
Full analysis: | https://app.any.run/tasks/8647b1e8-1baf-4618-876a-663fd7ab4fb0 |
Verdict: | Malicious activity |
Analysis date: | May 14, 2019, 21:04:03 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators: | |
MIME: | application/x-dosexec |
File info: | PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive |
MD5: | 7A3197375FB29177D4C002959002D2DD |
SHA1: | A0E3418C973EAE3EDA2A8246D8F5D1B060E7AA57 |
SHA256: | 731C0185164BDB8863C433398F498BA575AFDA318DB448310D4D7E79E187852B |
SSDEEP: | 196608:79OIN4fnOQ756YuZrY3lHMTAxDxqhNl7htG8S1Wz6sLP4:795cOQYYuZ81HMAD8h3lUI6QA |
.exe | | | Win32 Executable MS Visual C++ (generic) (67.4) |
---|---|---|
.dll | | | Win32 Dynamic Link Library (generic) (14.2) |
.exe | | | Win32 Executable (generic) (9.7) |
.exe | | | Generic Win/DOS Executable (4.3) |
.exe | | | DOS Executable Generic (4.3) |
ProductVersion: | 2.4.3 |
---|---|
ProductName: | FusionInventory Agent |
LegalTrademarks: | FusionInventory Agent is distributed under GNU GPL License |
LegalCopyright: | FusionInventory Team |
InternalName: | FusionInventory-Agent |
FileVersion: | 2.4.3.23 |
FileDescription: | FusionInventory Agent for Microsoft Windows |
CompanyName: | FusionInventory Team (http://www.fusioninventory.org) |
Comments: | Setup FusionInventory Agent for Microsoft Windows |
CharacterSet: | Windows, Latin1 |
LanguageCode: | English (U.S.) |
FileSubtype: | - |
ObjectFileType: | Executable application |
FileOS: | Win32 |
FileFlags: | (none) |
FileFlagsMask: | 0x0000 |
ProductVersionNumber: | 2.4.3.23 |
FileVersionNumber: | 2.4.3.23 |
Subsystem: | Windows GUI |
SubsystemVersion: | 4 |
ImageVersion: | 6 |
OSVersion: | 4 |
EntryPoint: | 0x3328 |
UninitializedDataSize: | 1024 |
InitializedDataSize: | 118784 |
CodeSize: | 25088 |
LinkerVersion: | 6 |
PEType: | PE32 |
TimeStamp: | 2018:01:30 04:57:38+01:00 |
MachineType: | Intel 386 or later, and compatibles |
Architecture: | IMAGE_FILE_MACHINE_I386 |
---|---|
Subsystem: | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Compilation Date: | 30-Jan-2018 03:57:38 |
Detected languages: |
|
Comments: | fSetup FusionInventory Agent for Microsoft Windows |
CompanyName: | FusionInventory Team (http://www.fusioninventory.org) |
FileDescription: | fFusionInventory Agent for Microsoft Windows |
FileVersion: | 2.4.3.23 |
InternalName: | FusionInventory-Agent |
LegalCopyright: | FusionInventory Team |
LegalTrademarks: | fFusionInventory Agent is distributed under GNU GPL License |
ProductName: | FusionInventory Agent |
ProductVersion: | 2.4.3 |
Magic number: | MZ |
---|---|
Bytes on last page of file: | 0x0090 |
Pages in file: | 0x0003 |
Relocations: | 0x0000 |
Size of header: | 0x0004 |
Min extra paragraphs: | 0x0000 |
Max extra paragraphs: | 0xFFFF |
Initial SS value: | 0x0000 |
Initial SP value: | 0x00B8 |
Checksum: | 0x0000 |
Initial IP value: | 0x0000 |
Initial CS value: | 0x0000 |
Overlay number: | 0x0000 |
OEM identifier: | 0x0000 |
OEM information: | 0x0000 |
Address of NE header: | 0x000000D8 |
Signature: | PE |
---|---|
Machine: | IMAGE_FILE_MACHINE_I386 |
Number of sections: | 5 |
Time date stamp: | 30-Jan-2018 03:57:38 |
Pointer to Symbol Table: | 0x00000000 |
Number of symbols: | 0 |
Size of Optional Header: | 0x00E0 |
Characteristics: |
|
Name | Virtual Address | Virtual Size | Raw Size | Charateristics | Entropy |
---|---|---|---|---|---|
.text | 0x00001000 | 0x00006077 | 0x00006200 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.40397 |
.rdata | 0x00008000 | 0x00001248 | 0x00001400 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 5.04426 |
.data | 0x0000A000 | 0x0001A838 | 0x00000400 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 5.22445 |
.ndata | 0x00025000 | 0x00031000 | 0x00000000 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 0 |
.rsrc | 0x00056000 | 0x00006E60 | 0x00007000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 4.03692 |
Title | Entropy | Size | Codepage | Language | Type |
---|---|---|---|---|---|
1 | 5.28813 | 1070 | UNKNOWN | English - United States | RT_MANIFEST |
2 | 3.90178 | 9640 | UNKNOWN | English - United States | RT_ICON |
103 | 2.17397 | 34 | UNKNOWN | English - United States | RT_GROUP_ICON |
104 | 2.67285 | 344 | UNKNOWN | English - United States | RT_DIALOG |
105 | 2.68372 | 512 | UNKNOWN | English - United States | RT_DIALOG |
106 | 2.91148 | 248 | UNKNOWN | English - United States | RT_DIALOG |
107 | 2.52183 | 160 | UNKNOWN | English - United States | RT_DIALOG |
109 | 2.70146 | 212 | UNKNOWN | English - United States | RT_DIALOG |
110 | 2.82633 | 1638 | UNKNOWN | English - United States | RT_BITMAP |
111 | 2.89887 | 238 | UNKNOWN | English - United States | RT_DIALOG |
ADVAPI32.dll |
COMCTL32.dll |
GDI32.dll |
KERNEL32.dll |
SHELL32.dll |
USER32.dll |
ole32.dll |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2784 | "C:\Users\admin\AppData\Local\Temp\fusioninventory-agent_windows-x86_2.4.3.exe" | C:\Users\admin\AppData\Local\Temp\fusioninventory-agent_windows-x86_2.4.3.exe | — | explorer.exe |
User: admin Company: FusionInventory Team (http://www.fusioninventory.org) Integrity Level: MEDIUM Description: FusionInventory Agent for Microsoft Windows Exit code: 3221226540 Version: 2.4.3.23 | ||||
3240 | "C:\Users\admin\AppData\Local\Temp\fusioninventory-agent_windows-x86_2.4.3.exe" | C:\Users\admin\AppData\Local\Temp\fusioninventory-agent_windows-x86_2.4.3.exe | explorer.exe | |
User: admin Company: FusionInventory Team (http://www.fusioninventory.org) Integrity Level: HIGH Description: FusionInventory Agent for Microsoft Windows Version: 2.4.3.23 | ||||
4064 | "C:\Users\admin\AppData\Local\Temp\nsd51CF.tmp\ns2443.tmp" netsh advfirewall firewall delete rule name="FusionInventory-Agent" | C:\Users\admin\AppData\Local\Temp\nsd51CF.tmp\ns2443.tmp | — | fusioninventory-agent_windows-x86_2.4.3.exe |
User: admin Integrity Level: HIGH Exit code: 1 | ||||
3304 | netsh advfirewall firewall delete rule name="FusionInventory-Agent" | C:\Windows\system32\netsh.exe | — | ns2443.tmp |
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Network Command Shell Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2436 | "C:\Users\admin\AppData\Local\Temp\nsd51CF.tmp\ns26F3.tmp" "C:\Windows\system32\cmd.exe" /c schtasks /query /fo csv | find /c "FusionInventory-Agent" | C:\Users\admin\AppData\Local\Temp\nsd51CF.tmp\ns26F3.tmp | — | fusioninventory-agent_windows-x86_2.4.3.exe |
User: admin Integrity Level: HIGH Exit code: 1 | ||||
1332 | "C:\Windows\system32\cmd.exe" /c schtasks /query /fo csv | find /c "FusionInventory-Agent" | C:\Windows\system32\cmd.exe | — | ns26F3.tmp |
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows Command Processor Exit code: 1 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
1740 | schtasks /query /fo csv | C:\Windows\system32\schtasks.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Manages scheduled tasks Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3612 | find /c "FusionInventory-Agent" | C:\Windows\system32\find.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Find String (grep) Utility Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
PID | Process | Filename | Type | |
---|---|---|---|---|
3240 | fusioninventory-agent_windows-x86_2.4.3.exe | C:\Users\admin\AppData\Local\Temp\nsd51CF.tmp\Options.ini | text | |
MD5:A592267F04307AABAE56CA0DB246F7C3 | SHA256:397D90B62E38B52FFA4CCEB4D9B4FB476A447E0A4EB8DFFE303BC3986E950A26 | |||
3240 | fusioninventory-agent_windows-x86_2.4.3.exe | C:\Users\admin\AppData\Local\Temp\nsd51CF.tmp\sed.exe | executable | |
MD5:289C007F63E4216757E3C03C38555133 | SHA256:5C2E7C4E79B2AF04F09DDEC2B01BC68DE99761A149E90A37319F515682843116 | |||
3240 | fusioninventory-agent_windows-x86_2.4.3.exe | C:\Users\admin\AppData\Local\Temp\nsd51CF.tmp\LangDLL.dll | executable | |
MD5:77FF758C10C66937DE6D86C388AA431C | SHA256:6A033E367714EC0D13FCA0589C165BDBF4D1DAC459FA7EC7415815223FA3C008 | |||
3240 | fusioninventory-agent_windows-x86_2.4.3.exe | C:\Users\admin\AppData\Local\Temp\nsd51CF.tmp\EnumINI.dll | executable | |
MD5:80403CA224C7AA80E92799B4D1EB242D | SHA256:E1852457FE4BBB8FFE90B711FD4EDA3F37B5E1BB284673AEF0F8AA57A9B0559D | |||
3240 | fusioninventory-agent_windows-x86_2.4.3.exe | C:\Users\admin\AppData\Local\Temp\nsd51CF.tmp\CommandLineParser.log | text | |
MD5:B8CC266CBC2C097BFFB4F033E09DF060 | SHA256:D02A13D11CE5B9781022DBDFC7275BF6F38C1EFC500799848CC356F9B498AB99 | |||
3240 | fusioninventory-agent_windows-x86_2.4.3.exe | C:\Users\admin\AppData\Local\Temp\nsd51CF.tmp\System.dll | executable | |
MD5:B0C77267F13B2F87C084FD86EF51CCFC | SHA256:A0CAC4CF4852895619BC7743EBEB89F9E4927CCDB9E66B1BCD92A4136D0F9C77 | |||
3240 | fusioninventory-agent_windows-x86_2.4.3.exe | C:\Users\admin\AppData\Local\Temp\nsd51CF.tmp\regex2.dll | executable | |
MD5:547C43567AB8C08EB30F6C6BACB479A3 | SHA256:3A71BF90E8BDDFB813B44F9CBCECF431311A7979C1DEBC976767B3E5E59031AF | |||
3240 | fusioninventory-agent_windows-x86_2.4.3.exe | C:\Users\admin\AppData\Local\Temp\nsd51CF.tmp\libintl3.dll | executable | |
MD5:D202BAA425176287017FFE1FB5D1B77C | SHA256:F48CE1866602B114E653C876334B771107559ACF1C685373D2305034613958F0 | |||
3240 | fusioninventory-agent_windows-x86_2.4.3.exe | C:\Users\admin\AppData\Local\Temp\nsd51CF.tmp\libiconv2.dll | executable | |
MD5:E0DC8C6BBC787B972A9A468648DBFD85 | SHA256:6DEEDAD652BFAB7B09EBD0E06045810390B6AC6CB5AA9EF41C9DAA5616181F22 | |||
3240 | fusioninventory-agent_windows-x86_2.4.3.exe | C:\Users\admin\AppData\Local\Temp\nsd51CF.tmp\registry.dll | executable | |
MD5:2B7007ED0262CA02EF69D8990815CBEB | SHA256:0B25B20F26DE5D5BD795F934C70447112B4981343FCB2DFAB3374A4018D28C2D |