Sample: TOOL ALL IN ONE v1.0.9.4.zip

Full analysis: https://app.any.run/tasks/6fe322be-296a-4e89-a1b4-af29a64998c7
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: July 13, 2020, 07:09:58
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: trojan, floxif, loader
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5: 3FBC2A72BD89929C27E3BFA8BB070FAB
SHA1: CBB6E766E1AAB11C7DA12A03678724A096A6FF47
SHA256: F2F4FA18368443C4EC441C1C4F27A0C2CCCD0443BAEA3031DCC247B04D7479C5
SSDEEP: 393216:OBBQmTrVZnr07j7Wek0SNMHimYPCYnbPQOqjrATSdGjamKOXESrmvL4dy+66:uBoH7ONMXYP4IOdDOXE9ky+j

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Loads dropped or rewritten executable

      • SearchProtocolHost.exe (PID: 1632)
      • adb.exe (PID: 4052)
      • fastboot.exe (PID: 2664)
      • adb.exe (PID: 2780)
      • adb.exe (PID: 2828)
      • adb.exe (PID: 2408)
      • adb.exe (PID: 2208)
      • fastboot.exe (PID: 3532)
      • fastboot.exe (PID: 2616)
      • adb.exe (PID: 3280)
      • adb.exe (PID: 4016)
      • adb.exe (PID: 3800)
      • adb.exe (PID: 1876)
      • adb.exe (PID: 2472)
    • Application was dropped or rewritten from another process

      • adb.exe (PID: 2780)
      • TOOL_ALL_IN_ONE.exe (PID: 1600)
      • fastboot.exe (PID: 2664)
      • adb.exe (PID: 4052)
      • adb.exe (PID: 2828)
      • adb.exe (PID: 2408)
      • Updater_TOOL_ALL_IN_ONE.exe (PID: 2284)
      • TOOL_ALL_IN_ONE.exe (PID: 3352)
      • fastboot.exe (PID: 3532)
      • adb.exe (PID: 2208)
      • fastboot.exe (PID: 2616)
      • adb.exe (PID: 3280)
      • adb.exe (PID: 4016)
      • adb.exe (PID: 3800)
      • adb.exe (PID: 1876)
      • adb.exe (PID: 2472)
    • FLOXIF was detected

      • adb.exe (PID: 4052)
      • adb.exe (PID: 2780)
    • Connects to CnC server

      • adb.exe (PID: 4052)
      • adb.exe (PID: 2780)
    • Changes AppInit_DLLs value (autorun option)

      • adb.exe (PID: 2780)
    • Changes the autorun value in the registry

      • adb.exe (PID: 2780)
    • Downloads executable files from the Internet

      • Updater_TOOL_ALL_IN_ONE.exe (PID: 2284)
      • TOOL_ALL_IN_ONE.exe (PID: 1600)
  • SUSPICIOUS

    • Starts CMD.EXE for commands execution

      • TOOL_ALL_IN_ONE.exe (PID: 1600)
      • TOOL_ALL_IN_ONE.exe (PID: 3352)
    • Reads Internet Cache Settings

      • adb.exe (PID: 2780)
      • adb.exe (PID: 4052)
    • Application launched itself

      • adb.exe (PID: 4052)
      • adb.exe (PID: 1876)
    • Executable content was dropped or overwritten

      • fastboot.exe (PID: 2664)
      • WinRAR.exe (PID: 3656)
      • Updater_TOOL_ALL_IN_ONE.exe (PID: 2284)
      • TOOL_ALL_IN_ONE.exe (PID: 1600)
      • TOOL_ALL_IN_ONE.exe (PID: 3352)
  • INFO

    • Manual execution by user

      • TOOL_ALL_IN_ONE.exe (PID: 1600)
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipFileName: TWRP_recovery/
ZipUncompressedSize: -
ZipCompressedSize: 2
ZipCRC: 0x00000000
ZipModifyDate: 2020:07:13 14:58:01
ZipCompression: Deflated
ZipBitFlag: 0x0808
ZipRequiredVersion: 20
No data.
Total processes: 71
Monitored processes: 26
Malicious processes: 16
Suspicious processes: 6

Behavior graph

(Interactive process graph not reproduced here; the process chain is listed under Process information below.)

Process information

PID: 3656
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\e2c0d8de-d072-4846-a34f-0f5c1a836dad.zip"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Exit code: 0
Version: 5.60.0

PID: 1632
CMD: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
Path: C:\Windows\System32\SearchProtocolHost.exe
Parent process: SearchIndexer.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Microsoft Windows Search Protocol Host
Exit code: 0
Version: 7.00.7600.16385 (win7_rtm.090713-1255)

PID: 1600
CMD: "C:\Users\admin\Desktop\TOOL_ALL_IN_ONE.exe"
Path: C:\Users\admin\Desktop\TOOL_ALL_IN_ONE.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Description: TOOL_ALL_IN_ONE
Exit code: 0
Version: 1.1.0.3

PID: 2052
CMD: cmd.exe /cfastboot devices > fastdet & echo 1 >> fastdet
Path: C:\Windows\system32\cmd.exe
Parent process: TOOL_ALL_IN_ONE.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID: 2664
CMD: fastboot devices
Path: C:\Users\admin\Desktop\fastboot.exe
Parent process: cmd.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0

PID: 3308
CMD: cmd.exe /cadb start-server & adb devices > adbdet
Path: C:\Windows\system32\cmd.exe
Parent process: TOOL_ALL_IN_ONE.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID: 4052
CMD: adb start-server
Path: C:\Users\admin\Desktop\adb.exe
Parent process: cmd.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0

PID: 2780
CMD: adb -L tcp:5037 fork-server server --reply-fd 384
Path: C:\Users\admin\Desktop\adb.exe
Parent process: adb.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0

PID: 2828
CMD: adb devices
Path: C:\Users\admin\Desktop\adb.exe
Parent process: cmd.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0

PID: 2284
CMD: "C:\Users\admin\Desktop\Updater_TOOL_ALL_IN_ONE.exe"
Path: C:\Users\admin\Desktop\Updater_TOOL_ALL_IN_ONE.exe
Parent process: TOOL_ALL_IN_ONE.exe
User: admin
Integrity Level: MEDIUM
Description: Updater_TOOL_ALL_IN_ONE
Exit code: 0
Version: 1.0.0.0
Total events: 1 191
Read events: 1 104
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 35
Suspicious files: 3
Text files: 15
Unknown types: 2

Dropped files

PID | Process | Filename | Type

3656 | WinRAR.exe | C:\Users\admin\Desktop\screenfoldercheck | -
MD5: -
SHA256: -

3656 | WinRAR.exe | C:\Users\admin\Desktop\Updater_TOOL_ALL_IN_ONE.exe | executable
MD5: 05319135D8C88F1B66A1793CD9E1E00A
SHA256: 10FF4F560FACF87207DB11586D3EABC17A4C89B74AF827FB81CF48E41F97A394

3656 | WinRAR.exe | C:\Users\admin\Desktop\sqlite3.exe | executable
MD5: 55B2C31EDAD7E263AF3CA33761AE8F2D
SHA256: 654C46B2772880745FA026E10B3462629C36533D2515657A4B002A0F0DED74B1

3656 | WinRAR.exe | C:\Users\admin\Desktop\source.properties | text
MD5: 4D1336DAF90D66582AE7528116AA1765
SHA256: CBE89FF81373DBCE9466B50C2E73B960BC7DC2E882A7EE8E3A4BD9A11D512B83

3656 | WinRAR.exe | C:\Users\admin\Desktop\TOOL_ALL_IN_ONE.exe | executable
MD5: FE50CCCB71DBFE49A7A0824565DAC129
SHA256: EA874171591C7D7160815F1C8F49C82F922B08E8D9ADA8A1F63AD27660ADED85

3656 | WinRAR.exe | C:\Users\admin\Desktop\Drivers\Drivers.zip | compressed
MD5: 907B9F2F63F5C597772BF6C9A7DA0DA2
SHA256: 24538BEA3CD2DF7619F9B3F5B7257C67E42EDB073D097F25507A7A01BAA23A01

3656 | WinRAR.exe | C:\Users\admin\Desktop\mke2fs.exe | executable
MD5: DF5C847BA64AD6E1C2EC99283D249451
SHA256: 3098DA0D455955F4E34D58FE60E53EB46080FA7FA5C7790669B5ECC0D823CD7F

3656 | WinRAR.exe | C:\Users\admin\Desktop\Drivers\amd64\WdfCoInstaller01009.dll | executable
MD5: 4DA5DA193E0E4F86F6F8FD43EF25329A
SHA256: 18487B4FF94EDCCC98ED59D9FCA662D4A1331C5F1E14DF8DB3093256DD9F1C3E

3656 | WinRAR.exe | C:\Users\admin\Desktop\Drivers\DPInst_x86.exe | executable
MD5: 9568538CEF3A955A88811250C7B9F053
SHA256: CB7F00F91AE5F7D88277AC2EE5CFB5D3A9F8E9E629C3DE317ABF226A8B6B76B6

3656 | WinRAR.exe | C:\Users\admin\Desktop\Drivers\androidwinusb86.cat | cat
MD5: 76CFE751E17119F352C29F9FCE83D24F
SHA256: 15A39B14E5FA4EC4BBE16632DBB19C7E0159649702BF98F9F77B2ABD7EBCC4DE
HTTP(S) requests: 13
TCP/UDP connections: 13
DNS requests: 6
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
1600 | TOOL_ALL_IN_ONE.exe | GET | 200 | 138.201.61.244:80 | http://toolone.altervista.org/TOOLALLINONE2/Updater_TOOL_ALL_IN_ONE.exe | DE | executable | 1.08 Mb | suspicious
2284 | Updater_TOOL_ALL_IN_ONE.exe | GET | 200 | 138.201.61.244:80 | http://toolone.altervista.org/TOOLALLINONE/TOOL_ALL_IN_ONE.exe | DE | executable | 3.45 Mb | suspicious
3352 | TOOL_ALL_IN_ONE.exe | GET | 200 | 138.201.61.244:80 | http://toolone.altervista.org/AFFiles/AFVersion.txt | DE | text | 6 b | suspicious
3352 | TOOL_ALL_IN_ONE.exe | GET | 200 | 138.201.61.244:80 | http://toolone.altervista.org/AFFiles/AFFiles.zip | DE | compressed | 3.00 Mb | suspicious
1600 | TOOL_ALL_IN_ONE.exe | GET | 200 | 138.201.61.244:80 | http://toolone.altervista.org/AFFiles/AFVersion.txt | DE | text | 6 b | suspicious
4052 | adb.exe | GET | 403 | 104.200.22.130:80 | http://www.aieov.com/logo.gif | US | html | 175 b | malicious
2780 | adb.exe | GET | 403 | 104.200.22.130:80 | http://www.aieov.com/logo.gif | US | html | 175 b | malicious
2780 | adb.exe | GET | 403 | 104.200.22.130:80 | http://www.aieov.com/logo.gif | US | html | 175 b | malicious
2780 | adb.exe | GET | 403 | 104.200.22.130:80 | http://www.aieov.com/logo.gif | US | html | 175 b | malicious
2780 | adb.exe | GET | 403 | 104.200.22.130:80 | http://www.aieov.com/logo.gif | US | html | 175 b | malicious

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
3352 | TOOL_ALL_IN_ONE.exe | 138.201.61.244:80 | toolone.altervista.org | Hetzner Online GmbH | DE | suspicious
2780 | adb.exe | 104.200.22.130:80 | www.aieov.com | Linode, LLC | US | malicious
- | - | 104.200.22.130:80 | www.aieov.com | Linode, LLC | US | malicious
1600 | TOOL_ALL_IN_ONE.exe | 138.201.61.244:80 | toolone.altervista.org | Hetzner Online GmbH | DE | suspicious
2284 | Updater_TOOL_ALL_IN_ONE.exe | 138.201.61.244:80 | toolone.altervista.org | Hetzner Online GmbH | DE | suspicious

DNS requests

Domain | IP | Reputation
www.google.it | 216.58.205.227 | whitelisted
toolone.altervista.org | 138.201.61.244 | suspicious
5isohu.com | - | whitelisted
www.aieov.com | 104.200.22.130, 104.200.23.95 | malicious
dns.msftncsi.com | 131.107.255.255 | shared

Threats

PID | Process | Class | Message
4052 | adb.exe | A Network Trojan was detected | MALWARE [PTsecurity] Win32.Floxif.A
2780 | adb.exe | A Network Trojan was detected | MALWARE [PTsecurity] Win32.Floxif.A
2780 | adb.exe | A Network Trojan was detected | MALWARE [PTsecurity] Win32.Floxif.A
2780 | adb.exe | A Network Trojan was detected | MALWARE [PTsecurity] Win32.Floxif.A
2780 | adb.exe | A Network Trojan was detected | MALWARE [PTsecurity] Win32.Floxif.A
1600 | TOOL_ALL_IN_ONE.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP
1600 | TOOL_ALL_IN_ONE.exe | Potentially Bad Traffic | ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
2284 | Updater_TOOL_ALL_IN_ONE.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP
2284 | Updater_TOOL_ALL_IN_ONE.exe | Potentially Bad Traffic | ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
2780 | adb.exe | A Network Trojan was detected | MALWARE [PTsecurity] Win32.Floxif.A
No debug info