Report #12834

  • Creation Date: Aug. 12, 2021, 1:18 a.m.
  • Last Update: Aug. 12, 2021, 1:33 a.m.
  • File: FacebookGameroom.exe
  • Results:
Binary
DLL: False
Size: 243.60KB
trid:
  61.7% Win64 Executable
  14.7% Win32 Dynamic Link Library
  10.0% Win32 Executable
  4.5% OS/2 Executable
  4.4% Generic Win/DOS Executable
type: PE
wordsize: 32
Subsystem: Windows GUI

Hashes
md5: 969e828efc48d4614eee9c5542719207
sha1: 3ade28be2c90300f9288940398bf61bc378ce5ef
crc32: 0x25cf2022
sha224: 4eb2d5cec8dfe71bffd9d7569a2b0d5f9a2c9210cfe9b645ad3a85c3
sha256: 8b870882454b215081fcb317f0af164100ada05bcba4ec097aa6646a51e35ed6
sha384: f384feb83bcc1ed6eb8554b98f706cf4d3c8b4a826aa3e02d6b9da0626fb161d0a3c463c3bea41a208270f2960cedcb3
sha512: 71f064510c2d44b7f0df120710debbd14905534b9573564f22dacf5c77f654c2e53fee8c0647cd1f9aa94e05ea5e9d43b21594eee7cfc10810e1f0a95822a00d
ssdeep: 3072:U5EjPhP6am95j95j95x95SiynKwgyDB/3auFeI5kRh2MwaB1YOcQjOrHQM2y:j4aMynyyN/3lN5kRh/w0COn6k6

Community
Google: False
HashLib: False

YARA
Matches: domain, HasDigitalSignature, url, IP, contentis_base64, android_meterpreter, IsNET_EXE, HasDebugData, HasOverlay, IsPE32, IsWindowsGUI

Suspicious: True

Imports
mscoree.dll: _CorExeMain

Strings
List:
7http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
https://www.facebook.com/arcade/download/fenix
https://www.facebook.com/arcade/download/fenix
4http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
4http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
https://www.facebook.com/games/desktopapp/download_latest_installer
https://www.facebook.com/games/desktopapp/download_latest_installer
Bhttp://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
/http://crl4.digicert.com/sha2-assured-cs-g1.crl0L
/http://crl3.digicert.com/sha2-assured-cs-g1.crl05
https://www.facebook.com/gamesdesktoplogging.php
https://www.facebook.com/gamesdesktoplogging.php
https://www.digicert.com/CPS0
https://www.digicert.com/CPS0
C:\cygwin\home\kevinthai\GamesDesktop\windows\fb_games\app\FacebookGamesSetup\obj\Release\FacebookGamesSetup.pdb
<payload><fbt><text0><text>Connecting...</text><translated>Connecting...</translated></text0><text1><text>Downloading...</text><translated>Downloading...</translated></text1><text2><text>Installing...</text><translated>Installing...</translated></text2><text3><text>We're almost there. Are you sure you want to exit the setup?</text><translated>We're almost there. Are you sure you want to exit the setup?</translated></text3><text4><text>Sorry, we failed to connect to the server, please check your internet connection and try again later.</text><translated>Sorry, we failed to connect to the server. Please check your Internet connection and try again later.</translated></text4><text5><text>Connection failed</text><translated>Connection failed</translated></text5><text6><text>Installation failed</text><translated>Installation failed</translated></text6><text7><text>We couldn't download and install Facebook Games at this time. Please try again later.</text><translated>We couldn't download and install Facebook Games at this time. Please try again later.</translated></text7><text8><text>We are unable to verify the validity of the downloaded file.</text><translated>We are unable to verify the validity of the downloaded file.</translated></text8><text9><text>Focus on gameplay</text><translated>Focus on gameplay</translated></text9><text10><text>Better performance</text><translated>Better performance</translated></text10><text11><text>Share game progress with Facebook.com</text><translated>Share game progress with Facebook.com</translated></text11><text12><text>Access new games</text><translated>Access new games</translated></text12></fbt></payload>
System.IO
System.Net
FacebookGamesSetup.Properties
<assemblyIdentity version="1.0.0.0" name="MyApplication.app"/>
+http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
.http://crl.thawte.com/ThawteTimestampingCA.crl0
+http://ts-aia.ws.symantec.com/tss-ca-g2.cer0<
Share game progress with Facebook.com
System.Security.Permissions.SecurityPermissionAttribute, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089
System.Security.Cryptography.X509Certificates
1.0.0.1
1.0.0.1
1.0.0.1
1.0.0.1
FacebookGamesSetup.Properties.Resources
FacebookGamesSetup.Properties.Resources.resources
System.Security.Permissions
http://ocsp.digicert.com0C
http://ocsp.digicert.com0N
FacebookGamesSetup.exe
FacebookGamesSetup.exe
FacebookGamesSetup.exe
wintrust.dll
BG_AUTH_TARGET_PROXY
fenix.dll
fenix.dll
msi.dll
download_failed
download_failed
14.0.0.0
BG_AUTH_TARGET_SERVER
http://ts-ocsp.ws.symantec.com07
Installation failed
4.0.0.0
set_ProxyBypassList
get_Completed
add_DownloadFileCompleted
add_DownloadStringCompleted
TrySetApartmentState
BG_BASIC_CREDENTIALS
BG_JOB_PROXY_USAGE_NO_PROXY
pReserved3
remove_DownloadFileCompleted
add_OnInterfaceError
JobErrorOccured
remove_DownloadStringCompleted
3System.Resources.Tools.StronglyTypedResourceBuilder
get_IsHandleCreated
We're almost there. Are you sure you want to exit the setup?
BG_JOB_PROXY_USAGE
OnWCDownloadCompleted
SuccessRebootInitiated
Delete
Reduced
TakeOwnership
SetDelegate
GetDelegate
FileNotSigned
TOKEN_COMMA
terminated
dwReserved
MulticastDelegate
builder
terminated
translated
BG_JOB_TYPE_UPLOAD
System.Windows.Forms
InstallRemoteProhibited
BG_JOB_TYPE_UPLOAD_REPLY
Acknowledged
0123456789+-.eE
TOKEN_FALSE
BG_JOB_TYPE_DOWNLOAD
IMAGE_FILE_MACHINE_MIPSFPU
IMAGE_FILE_MACHINE_THUMB
BG_ERROR_CONTEXT_GENERAL_QUEUE_MANAGER
TOKEN_SQUARED_OPEN
DigiCert Assured ID Root CA0
IMAGE_FILE_MACHINE_ARM
IMAGE_FILE_MACHINE_EBC
remove_OnInterfaceError
TOKEN_CURLY_OPEN
TOKEN_CURLY_CLOSE
TOKEN_NULL

Foremost
Matches: 196.jpg, 63 KB, 0.exe, 236 KB, 186.png, 1 KB, 190.png, 2 KB, 386.png, 1 KB, 389.png, 629 B, 390.png, 1 KB, 394.png, 2 KB, 399.png, 1 KB, 402.png, 330 B
Suspicious: True

Heuristics
IPs
hasIPs: True
Allowed: 1.0.0.1, 1, one.one.one.one.
Suspicious: None
hasAllowed: True
hasSuspicious: False

URLs
hasURLs: True
Allowed: None
Suspicious: http://crl4.digicert.com/sha2-assured-cs-g1.crl0l, http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(, https://www.digicert.com/cps0, https://www.facebook.com/gamesdesktoplogging.php, http://crl.thawte.com/thawtetimestampingca.crl0, http://ts-aia.ws.symantec.com/tss-ca-g2.cer0<, http://ocsp.digicert.com0n, http://crl3.digicert.com/sha2-assured-cs-g1.crl05, http://crl3.digicert.com/digicertassuredidrootca.crl0o, http://crl4.digicert.com/digicertassuredidrootca.crl0:, http://ocsp.thawte.com0, https://www.facebook.com/arcade/download/fenix, http://cacerts.digicert.com/digicertassuredidrootca.crt0, https://www.facebook.com/games/desktopapp/download_latest_installer, http://cacerts.digicert.com/digicertsha2assuredidcodesigningca.crt0, http://ocsp.digicert.com0c, http://ts-ocsp.ws.symantec.com07
hasAllowed: False
hasSuspicious: True

Files
hasFiles: True
Allowed: https://www.facebook.com/gamesdesktoplogging.php, qmgr.dll, fenix.dll, pepflashplayer*.dll, user32.dll, wintrust.dll, mscoree.dll, ole32.dll, msi.dll, advapi32.dll
Suspicious: System.Xml, FacebookGamesArcade.msi, local{0}.log
hasAllowed: True
hasSuspicious: True

Binary
Sizes
RVA: 16 (Suspicious: False)
Code Size: 34816 (Suspicious: False)
Image Address: 4194304 (Suspicious: False)
Stack: 4096 (Suspicious: False)
Headers: 512 (Suspicious: False)
Suspicious: False

Symbols
Number: 0 (Suspicious: True)
Pointer: 0 (Suspicious: True)
Directories Number: 16 (Suspicious: False)

Checksum
Value: 292271
Suspicious: False

Sections
hasSections: True
Allowed: .text, .rsrc, .reloc
Suspicious: None
hasAllowed: True
hasSuspicious: False

Versions
OS Version: 4 (Suspicious: False)
Image Version: 4 (Suspicious: True)
Linker Version: 48.0 (Suspicious: False)
Subsystem Version: 4.0 (Suspicious: False)
Suspicious: False

EntryPoint
Address: 214290
Suspicious: False

Anomalies
Anomalies: The header checksum and the calculated checksum do not match.
hasAnomalies: True

Libraries
hasLibs: True
Allowed: qmgr.dll, user32.dll, wintrust.dll, mscoree.dll, ole32.dll, msi.dll, advapi32.dll
Suspicious: fenix.dll, pepflashplayer*.dll
hasAllowed: True
hasSuspicious: True

Timestamp
Value: 2016-10-13 02:48:48
Valid: True
Past: False
Future: False

Compilation
Packed: False
Packers: None
Compiled: False
Compilers: None
Missing: True

Obfuscation
XOR: False
Fuzzing: False

PEDetector
Matches: None
Suspicious: False

Disassembly
hasTricks: True
Tricks:
pushret: .rsrc 34, .text 86
pushpopmath: .text 29
ss register: .text 1
garbagebytes: .rsrc 1, .text 24
hookdetection: .text 3
programcontrolflowchange: .rsrc 1, .text 24
cpuinstructionsresultscomparison: .text 9

AVclass
None
1

VirusTotal
md5: 969e828efc48d4614eee9c5542719207
sha1: 3ade28be2c90300f9288940398bf61bc378ce5ef
SCANS (DETECTION RATE = 0.00%)
CMC: update 20210506, version 2.10.2019.1, detected False
MAX: update 20210517, version 2019.9.16.1, detected False
APEX: update 20210517, version 6.165, detected False
Bkav: update 20210517, version 1.3.0.9899, detected False
K7GW: update 20210517, version 11.183.37202, detected False
ALYac: update 20210517, version 1.1.3.1, detected False
Avast: update 20210517, version 21.1.5827.0, detected False
Avira: update 20210517, version 8.3.3.12, detected False
Baidu: update 20190318, version 1.0.0.2, detected False
Cynet: update 20210517, version 4.0.0.27, detected False
Cyren: update 20210517, version 6.3.0.2, detected False
DrWeb: update 20210517, version 7.0.49.9080, detected False
GData: update 20210517, version A:25.29682B:27.23041, detected False
Panda: update 20210517, version 4.6.4.2, detected False
VBA32: update 20210517, version 5.0.0, detected False
VIPRE: update 20210517, version 92624, detected False
Zoner: update 20210516, version 0.0.0.0, detected False
ClamAV: update 20210517, version 0.103.2.0, detected False
Comodo: update 20210517, version 33537, detected False
Ikarus: update 20210517, version 0.1.5.2, detected False
Lionic: update 20210517, version 4.2, detected False
McAfee: update 20210504, version 6.0.6.653, detected False
Rising: update 20210517, version 25.0.0.26, detected False
Sophos: update 20210518, version 1.0.2.0, detected False
Yandex: update 20210514, version 5.5.2.24, detected False
Zillya: update 20210517, version 2.0.0.4365, detected False
Acronis: update 20210512, version 1.1.1.82, detected False
Alibaba: update 20190527, version 0.3.0.5, detected False
Arcabit: update 20210517, version 1.0.0.886, detected False
Cylance: update 20210517, version 2.3.1.101, detected False
Elastic: update 20210420, version 4.0.21, detected False
FireEye: update 20210517, version 32.44.1.0, detected False
Sangfor: update 20210416, version 2.9.0.0, detected False
TACHYON: update 20210517, version 2021-05-17.02, detected False
Tencent: update 20210517, version 1.0.0.1, detected False
ViRobot: update 20210517, version 2014.3.20.0, detected False
Webroot: update 20210517, version 1.0.0.403, detected False
eGambit: update 20210517, version not reported, detected False
Ad-Aware: update 20210517, version 3.0.21.179, detected False
Emsisoft: update 20210517, version 2018.12.0.1641, detected False
F-Secure: update 20210331, version 12.0.86.52, detected False
Fortinet: update 20210517, version 6.2.142.0, detected False
Jiangmin: update 20210516, version 16.0.100, detected False
Kingsoft: update 20210517, version 2017.9.26.565, detected False
Paloalto: update 20210517, version 1.0, detected False
Symantec: update 20210517, version 1.14.0.0, detected False
AhnLab-V3: update 20210517, version 3.20.1.10133, detected False
Kaspersky: update 20210517, version 21.0.1.45, detected False
MaxSecure: update 20210514, version 1.0.0.1, detected False
Microsoft: update 20210517, version 1.1.18100.6, detected False
Qihoo-360: update 20210517, version 1.0.0.1120, detected False
ZoneAlarm: update 20210517, version 1.0, detected False
Cybereason: update 20210330, version 1.2.449, detected False
ESET-NOD32: update 20210517, version 23310, detected False
Gridinsoft: update 20210517, version 1.0.40.132, detected False
TrendMicro: update 20210517, version 11.0.0.1006, detected False
BitDefender: update 20210517, version 7.2, detected False
CrowdStrike: update 20210203, version 1.0, detected False
K7AntiVirus: update 20210517, version 11.183.37204, detected False
SentinelOne: update 20210215, version 5.0.0.20, detected False
Malwarebytes: update 20210517, version 4.2.2.27, detected False
CAT-QuickHeal: update 20210517, version 14.00, detected False
NANO-Antivirus: update 20210517, version 1.0.146.25311, detected False
BitDefenderTheta: update 20210513, version 7.2.37796.0, detected False
MicroWorld-eScan: update 20210517, version 14.0.409.0, detected False
SUPERAntiSpyware: update 20210515, version 5.6.0.1032, detected False
McAfee-GW-Edition: update 20210517, version v2019.1.2+3728, detected False
TrendMicro-HouseCall: update 20210517, version 10.0.0.1040, detected False

total: 68
sha256: 8b870882454b215081fcb317f0af164100ada05bcba4ec097aa6646a51e35ed6
scan_id: 8b870882454b215081fcb317f0af164100ada05bcba4ec097aa6646a51e35ed6-1621280887
resource: 969e828efc48d4614eee9c5542719207
positives: 0
scan_date: 2021-05-17 19:48:07
verbose_msg: Scan finished, information embedded
response_code: 1
File Trace: None

Process Trace: None

Analysis
Reason: Blue Screen
Status: Execution Failed
Results: 0

Registry Trace: None

File Summary
Created Identified: False
Deleted Identified: False

Process Summary
Created Identified: False
Deleted Identified: False

Registry Summary
Proxy Identified: False
AutoRun Identified: False
Created Identified: False
Deleted Identified: False
Browsers Identified: False
Internet Identified: False

DNS Query: None
DNS Response: None
TCP Info: None
UDP Info: None
HTTP Info: None

Summary
DNS: False
TCP: False
UDP: False
HTTP: False

Results
BINARY
NFS 2.0 (Threshold = 0.8): confidence 75.00%, suspicious False
NFS 3.0 (Threshold = 0.75): confidence 55.33%, suspicious True
Decision Tree (NFS-BRMalware): confidence 100.00%, suspicious False
MalConv (Ember: Raw Bytes, Threshold=0.5): confidence 86.37%, suspicious False
Random Forest (100 estimators, NFS-BRMalware): confidence 72.00%, suspicious False
Non-Negative MalConv (Ember: Raw Bytes, Threshold=0.35): confidence 52.36%, suspicious True
LightGBM (Ember: File Characteristics, Threshold=0.8336): confidence 100.00%, suspicious False
