File name:	2025-05-17_e7f6fb543474044f923d845d4fd3115e_amadey_elex_floxif_gcleaner_rhadamanthys_smoke-loader
Full analysis:	https://app.any.run/tasks/6618933e-567a-4b2d-b7e3-20874ebcd5c7
Verdict:	Malicious activity
Threats:	A backdoor is a type of cybersecurity threat that allows attackers to secretly compromise a system and conduct malicious activities, such as stealing data and modifying files. Backdoors can be difficult to detect, as they often use legitimate system applications to evade defense mechanisms. Threat actors often utilize special malware, such as PlugX, to establish backdoors on target devices. A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. Spyware is a stealth form of malware whose primary objective is to gather sensitive information, such as personal data, login credentials, and financial details, by monitoring user activities and exploiting system vulnerabilities. Spyware operates secretly in the background, evading detection while transmitting collected data to cybercriminals, who can then use it for malicious purposes like identity theft, financial fraud, or espionage. Malware Trends Tracker >>>
Analysis date:	May 17, 2025, 10:36:56
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	auto-reg floxif backdoor spyware loader
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386, for MS Windows, 4 sections
MD5:	E7F6FB543474044F923D845D4FD3115E
SHA1:	55F6AB9F9AF96198CC3BBADBACC7448E8D1E77F9
SHA256:	D25B8FB2FA7F933402D24B6EE9EE2A3CFDD01FBDCA2A2CBE84B6A76D36EF9685
SSDEEP:	12288:B8SYRaxc7uz+YA8mPRGCA5bM1gChTUPyEGLBGg5nT9LhpL/9:2OcDh2M1hTlZLUg5NhpL/9

.exe	\|	Win32 EXE PECompact compressed (generic) (35.3)
.exe	\|	Win32 Executable MS Visual C++ (generic) (26.5)
.exe	\|	Win64 Executable (generic) (23.5)
.dll	\|	Win32 Dynamic Link Library (generic) (5.5)
.exe	\|	Win32 Executable (generic) (3.8)

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2018:05:18 20:42:14+00:00
ImageFileCharacteristics:	No relocs, Executable, 32-bit
PEType:	PE32
LinkerVersion:	9
CodeSize:	29696
InitializedDataSize:	294912
UninitializedDataSize:	-
EntryPoint:	0x25d0
OSVersion:	5
ImageVersion:	-
SubsystemVersion:	5
Subsystem:	Windows GUI


(PID) Process:	(7640) svchost.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:	write	Name:	{8153BD7F-1F85-C854-C4C3-E45FFFCF4D7D}
Value: c:\programdata\{1D43954F-37B5-5444-C4C3-E45FFFCF4D7D}\b0fc45d0.exe
(PID) Process:	(7360) 2025-05-17_e7f6fb543474044f923d845d4fd3115e_amadey_elex_floxif_gcleaner_rhadamanthys_smoke-loader.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:	write	Name:	CachePrefix
Value:
(PID) Process:	(7360) 2025-05-17_e7f6fb543474044f923d845d4fd3115e_amadey_elex_floxif_gcleaner_rhadamanthys_smoke-loader.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:	write	Name:	CachePrefix
Value: Cookie:
(PID) Process:	(7360) 2025-05-17_e7f6fb543474044f923d845d4fd3115e_amadey_elex_floxif_gcleaner_rhadamanthys_smoke-loader.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:	write	Name:	CachePrefix
Value: Visited:
(PID) Process:	(7608) 2025-05-17_e7f6fb543474044f923d845d4fd3115e_amadey_elex_floxif_gcleaner_rhadamanthys_smoke-loader.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:	delete value	Name:	MicrosoftEdgeAutoLaunch_29EBC4579851B72EE312C449CF839B1A
Value: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start
(PID) Process:	(2284) cmd.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:	write	Name:	kexvc
Value: C:\Users\admin\AppData\Roaming\axusquxd\uyfushuu.exe

PID	Process	Filename		Type
6816	801274.exe	C:\Users\admin\AppData\Roaming\axusquxd\uyfushuu.exe		executable
		MD5:871E489E879885DB39C583B5CD90BC30	SHA256:60E8E6EA05F34EA7BBEB1B05DD93A6A36EBE3968B841B948426E6EB637DEDD0B
2284	cmd.exe	C:\Users\admin\AppData\Local\Temp\dd.te		binary
		MD5:68531D42ADB0E194AF3429D154C8AB5F	SHA256:02633C2D1D72B3B380B6932C1D5B3665DBDF40DE8C51DEF0BE60098BB812D79B
7640	svchost.exe	C:\ProgramData\{106EDD9E-7F64-5969-C4C3-E45FFFCF4D7D}\801274.exe		executable
		MD5:871E489E879885DB39C583B5CD90BC30	SHA256:60E8E6EA05F34EA7BBEB1B05DD93A6A36EBE3968B841B948426E6EB637DEDD0B
7360	2025-05-17_e7f6fb543474044f923d845d4fd3115e_amadey_elex_floxif_gcleaner_rhadamanthys_smoke-loader.exe	C:\Users\admin\AppData\Local\Temp\conres.dll		executable
		MD5:7574CF2C64F35161AB1292E2F532AABF	SHA256:DE055A89DE246E629A8694BDE18AF2B1605E4B9B493C7E4AEF669DD67ACF5085
7360	2025-05-17_e7f6fb543474044f923d845d4fd3115e_amadey_elex_floxif_gcleaner_rhadamanthys_smoke-loader.exe	C:\Users\admin\AppData\Local\Temp\conres.dll.000		text
		MD5:1130C911BF5DB4B8F7CF9B6F4B457623	SHA256:EBA08CC8182F379392A97F542B350EA0DBBE5E4009472F35AF20E3D857EAFDF1
7640	svchost.exe	C:\ProgramData\{1D43954F-37B5-5444-C4C3-E45FFFCF4D7D}\b0fc45d0.exe		executable
		MD5:E7F6FB543474044F923D845D4FD3115E	SHA256:D25B8FB2FA7F933402D24B6EE9EE2A3CFDD01FBDCA2A2CBE84B6A76D36EF9685

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
2104	svchost.exe	GET	200	23.216.77.18:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
2104	svchost.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
7360	2025-05-17_e7f6fb543474044f923d845d4fd3115e_amadey_elex_floxif_gcleaner_rhadamanthys_smoke-loader.exe	GET	403	72.14.178.174:80	http://www.aieov.com/logo.gif	unknown	—	—	malicious
8032	SIHClient.exe	GET	200	2.23.246.101:80	http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl	unknown	—	—	whitelisted
8032	SIHClient.exe	GET	200	2.19.11.105:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl	unknown	—	—	whitelisted
8032	SIHClient.exe	GET	200	2.19.11.105:80	http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl	unknown	—	—	whitelisted
8032	SIHClient.exe	GET	200	2.23.246.101:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl	unknown	—	—	whitelisted
8032	SIHClient.exe	GET	200	2.23.246.101:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.1.crl	unknown	—	—	whitelisted
6404	RUXIMICS.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
8032	SIHClient.exe	GET	200	2.23.246.101:80	http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.2.crl	unknown	—	—	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
2104	svchost.exe	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
—	—	192.168.100.255:137	—	—	—	whitelisted
6404	RUXIMICS.exe	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
—	—	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
2104	svchost.exe	23.216.77.18:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
2104	svchost.exe	184.30.21.171:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
6404	RUXIMICS.exe	184.30.21.171:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
3216	svchost.exe	172.211.123.248:443	client.wns.windows.com	MICROSOFT-CORP-MSN-AS-BLOCK	FR	whitelisted
7360	2025-05-17_e7f6fb543474044f923d845d4fd3115e_amadey_elex_floxif_gcleaner_rhadamanthys_smoke-loader.exe	72.14.178.174:80	www.aieov.com	Linode, LLC	US	malicious

Domain	IP	Reputation
settings-win.data.microsoft.com	20.73.194.208 51.124.78.146 4.231.128.59	whitelisted
google.com	142.250.185.174	whitelisted
crl.microsoft.com	23.216.77.18 23.216.77.20 23.216.77.6 23.216.77.13 23.216.77.28 23.216.77.8 23.216.77.22 23.216.77.15 23.216.77.21 2.19.11.105 2.19.11.120	whitelisted
www.microsoft.com	184.30.21.171 2.23.246.101	whitelisted
client.wns.windows.com	172.211.123.248	whitelisted
5isohu.com	—	whitelisted
www.aieov.com	72.14.178.174 45.33.20.235 72.14.185.43 45.33.23.183 45.79.19.196 198.58.118.167 45.56.79.23 45.33.30.197 45.33.2.79 96.126.123.244 173.255.194.134 45.33.18.44	malicious
login.live.com	20.190.159.131 40.126.31.130 40.126.31.131 20.190.159.129 20.190.159.68 20.190.159.0 40.126.31.128 40.126.31.129	whitelisted
slscr.update.microsoft.com	4.175.87.197	whitelisted
fe3cr.delivery.mp.microsoft.com	20.3.187.198	whitelisted

PID	Process	Class	Message
7360	2025-05-17_e7f6fb543474044f923d845d4fd3115e_amadey_elex_floxif_gcleaner_rhadamanthys_smoke-loader.exe	Malware Command and Control Activity Detected	MALWARE [ANY.RUN] Possible Floxif CnC Communication
7640	svchost.exe	Malware Command and Control Activity Detected	ET MALWARE [PTsecurity] DorkBot.Downloader CnC Response
7640	svchost.exe	Malware Command and Control Activity Detected	ET MALWARE Win32/Kryptik.GSKY CnC Checkin
7640	svchost.exe	Potential Corporate Privacy Violation	ET INFO PE EXE or DLL Windows file download HTTP
7640	svchost.exe	Potentially Bad Traffic	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
7640	svchost.exe	Misc activity	ET INFO Packed Executable Download

General Info

2025-05-17_e7f6fb543474044f923d845d4fd3115e_amadey_elex_floxif_gcleaner_rhadamanthys_smoke-loader

E7F6FB543474044F923D845D4FD3115E

55F6AB9F9AF96198CC3BBADBACC7448E8D1E77F9

D25B8FB2FA7F933402D24B6EE9EE2A3CFDD01FBDCA2A2CBE84B6A76D36EF9685

12288:B8SYRaxc7uz+YA8mPRGCA5bM1gChTUPyEGLBGg5nT9LhpL/9:2OcDh2M1hTlZLUg5NhpL/9

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Changes the autorun value in the registry

Connects to the CnC server

FLOXIF has been detected (YARA)

SUSPICIOUS

Process drops legitimate windows executable

Executable content was dropped or overwritten

Application launched itself

Reads security settings of Internet Explorer

Reads the date of Windows installation

Contacting a server suspected of hosting an CnC

Connects to unusual port

Connects to the server without a host name

Potential Corporate Privacy Violation

The process checks if it is being run in the virtual environment

Starts itself from another location

Starts CMD.EXE for commands execution

INFO

Create files in a temporary directory

Reads the computer name

Failed to create an executable file in Windows directory

Checks supported languages

Checks proxy server information

The sample compiled with english language support

Reads the machine GUID from the registry

Creates files in the program directory

Auto-launch of the file from Registry key

Reads security settings of Internet Explorer

Creates files or folders in the user directory

Reads the software policy settings

Manual execution by a user

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests