home

framefox.exe

FrameFox Extensions

Duuqu Group OU

The application framefox.exe by Duuqu Group OU has been detected as adware by 1 anti-malware scanner with very strong indications that the file is a potential threat. It is set to automatically execute when any user logs into Windows (through the local user run registry setting) with the name ‘FrameFox Extensions’. This file is typically installed with the program FrameFox Extensions 1.0.5.0 by QwertyBox Team which is a potentially unwanted software program.
Publisher:
Duuqu Group  (signed by Duuqu Group OU)

Product:
FrameFox Extensions

Version:
1.0.0.7

MD5:
b9c3e1fc5ae8131b2bc248dda370b6d6

SHA-1:
485f3699a5c9d0c6f79a379a23b9b950ad46cbc5

SHA-256:
f1aae6269f4751eb5a868abb2786e0e9b3b21e64f3aab6654b519ab8dbe48946

Scanner detections:
1 / 68

Status:
Adware

Note:
Our current pool of anti-malware engines have not currently detected this file, however based on our own detection heuristics we feel that this file is unwanted.

Analysis date:
4/25/2024 10:49:29 PM UTC  (today)

Scan engine
Detection
Engine version

Reason Heuristics
PUP (M)
16.9.10.10

File size:
241.5 KB (247,280 bytes)

Product version:
1.0.0.7

Copyright:
Copyright (C) 2011 - 2013 Duuqu Group

Trademarks:
Duuqu (C), FrameFox (C)

Original file name:
framefox.exe

File type:
Executable application (Win32 EXE)

Language:
English

Common path:
C:\Program Files\framefox\extensions\internetexplorer\framefox.exe

Digital Signature
Signed by:
Duuqu Group OU

Authority:
Thawte, Inc.

Valid from:
8/9/2012 2:00:00 AM

Valid to:
8/10/2014 1:59:59 AM

Subject:
CN=Duuqu Group OU, O=Duuqu Group OU, L=Tallinn, S=Harju, C=EE

Issuer:
CN=Thawte Code Signing CA - G2, O="Thawte, Inc.", C=US

Serial number:
162E253D4CB8942D57DC084A3456BA93

File PE Metadata
Compilation timestamp:
7/31/2013 12:17:39 AM

OS version:
5.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
9.0

CTPH (ssdeep):
3072:aLBNLP2Y9iKe2QJF7VRQatAsKXf+2p0WPCbDrg7fE8qsqALnqsqALXXE:q2Y9iNFpXpKP6WwDoc+E

Entry address:
0x3FEC

Entry point:
E8, 89, 5C, 00, 00, E9, 78, FE, FF, FF, 3B, 0D, 70, 60, 41, 00, 75, 02, F3, C3, E9, 0B, 5D, 00, 00, 8B, FF, 55, 8B, EC, 6A, 0A, 6A, 00, FF, 75, 08, E8, 2F, 60, 00, 00, 83, C4, 0C, 5D, C3, 8B, FF, 55, 8B, EC, 5D, E9, DF, FF, FF, FF, 8B, FF, 55, 8B, EC, 83, EC, 10, 53, 56, FF, 75, 10, 8D, 4D, F0, E8, F0, F7, FF, FF, 8B, 75, F4, 33, DB, 39, 5E, 08, 75, 12, FF, 75, 0C, FF, 75, 08, E8, 20, 60, 00, 00, 59, 59, E9, 86, 00, 00, 00, 8B, 45, 08, 3B, C3, 75, 28, E8, D1, 19, 00, 00, 53, 53, 53, 53, 53, C7, 00, 16, 00...
 
[+]

Code size:
67.5 KB (69,120 bytes)

Startup File (All Users Run)
Registry location:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
FrameFox Extensions

Command:
C:\Program Files\framefox\extensions\internetexplorer\framefox.exe


The file framefox.exe has been discovered within the following program.

FrameFox Extensions 1.0.5.0  by QwertyBox Team
FrameFox is a potentially unwanted application that runs in the web browser as a toolbar and web extension.
65% remove it
 
Powered by Should I Remove It?

Remove framefox.exe - Powered by Reason Core Security
herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.