File name:	4d81be09c23e02fab7364e508c21c111.fpx
Full analysis:	https://app.any.run/tasks/5c4b4b70-4d08-4267-b6c1-e0fe8baadca9
Verdict:	Malicious activity
Threats:	A backdoor is a type of cybersecurity threat that allows attackers to secretly compromise a system and conduct malicious activities, such as stealing data and modifying files. Backdoors can be difficult to detect, as they often use legitimate system applications to evade defense mechanisms. Threat actors often utilize special malware, such as PlugX, to establish backdoors on target devices. A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. SSLoad is a malicious loader or downloader that is used to infiltrate target systems through phishing emails, perform reconnaissance and transmit it back to its operators delivering malicious payloads. To avoid detection, SSLoad employs various encryption methods and delivery techniques highlighting its versatile nature and complexity. It is believed to be a part of Malware-as-a-Service (MaaS) operation given its diverse delivery methods and implemented techniques. Malware Trends Tracker >>>
Analysis date:	August 02, 2025, 12:31:29
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	advancedinstaller evasion ssload loader backdoor rust delphi
Indicators:
MIME:	application/x-msi
File info:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Last Printed: Fri Dec 11 11:47:44 2009, Create Time/Date: Fri Dec 11 11:47:44 2009, Last Saved Time/Date: Fri Sep 18 14:06:51 2020, Security: 0, Code page: 1252, Revision Number: {117CFEB2-6376-4FA5-ACE4-CD1494F2E3DD}, Number of Words: 10, Subject: GeoTdata, Author: Since Flawer, Name of Creating Application: GeoTdata, Template: ;1033, Comments: This installer database contains the logic and data required to install GeoTdata., Title: Installation Database, Keywords: Installer, MSI, Database, Number of Pages: 200
MD5:	4D81BE09C23E02FAB7364E508C21C111
SHA1:	52CAE521D7A808C8206F4B5AFD6B037BC573B50E
SHA256:	DCAE57EC4B69236146F744C143C42CC8BDAC9DA6E991904E6DBF67EC1179286A
SSDEEP:	49152:Hte9IjHnotTeor8trZeIlogiyDTP6q9jp8d38C4WaaIWbpc2VHrzujXFbO9yINbJ:o9IDotTeor2yZyvP/jpOpaaIWbpbVL6O

.msi	\|	Microsoft Windows Installer (81.9)
.mst	\|	Windows SDK Setup Transform Script (9.2)
.msp	\|	Windows Installer Patch (7.6)
.msi	\|	Microsoft Installer (100)

LastPrinted:	2009:12:11 11:47:44
CreateDate:	2009:12:11 11:47:44
ModifyDate:	2020:09:18 14:06:51
Security:	None
CodePage:	Windows Latin 1 (Western European)
RevisionNumber:	{117CFEB2-6376-4FA5-ACE4-CD1494F2E3DD}
Words:	10
Subject:	GeoTdata
Author:	Since Flawer
LastModifiedBy:	-
Software:	GeoTdata
Template:	;1033
Comments:	This installer database contains the logic and data required to install GeoTdata.
Title:	Installation Database
Keywords:	Installer, MSI, Database
Pages:	200


(PID) Process:	(2324) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SystemRestore
Operation:	write	Name:	SrCreateRp (Enter)
Value: 48000000000000005242A465A903DC011409000060180000D50700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:	(2324) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation:	write	Name:	SppGetSnapshots (Enter)
Value: 48000000000000005242A465A903DC011409000060180000D20700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:	(2324) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation:	write	Name:	SppGetSnapshots (Leave)
Value: 48000000000000004C6CCA65A903DC011409000060180000D20700000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:	(2324) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation:	write	Name:	SppEnumGroups (Enter)
Value: 48000000000000004C6CCA65A903DC011409000060180000D10700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:	(2324) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation:	write	Name:	SppEnumGroups (Leave)
Value: 48000000000000004C6CCA65A903DC011409000060180000D10700000100000000000000010000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:	(2324) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation:	write	Name:	SppCreate (Enter)
Value: 480000000000000014CFCC65A903DC011409000060180000D00700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:	(1936) VSSVC.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer
Operation:	write	Name:	IDENTIFY (Enter)
Value: 4800000000000000B1C50A66A903DC0190070000640F0000E80300000100000001000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:	(1936) VSSVC.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer
Operation:	write	Name:	IDENTIFY (Enter)
Value: 4800000000000000B1C50A66A903DC01900700008C190000E80300000100000001000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:	(1936) VSSVC.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer
Operation:	write	Name:	IDENTIFY (Enter)
Value: 4800000000000000B1C50A66A903DC0190070000AC1B0000E80300000100000001000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:	(1936) VSSVC.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer
Operation:	write	Name:	IDENTIFY (Enter)
Value: 4800000000000000B1C50A66A903DC0190070000CC060000E80300000100000001000000000000000000000000000000000000000000000000000000000000000000000000000000

PID	Process	Filename		Type
2324	msiexec.exe	C:\System Volume Information\SPP\metadata-2		—
		MD5:—	SHA256:—
2324	msiexec.exe	C:\Windows\Installer\19093d.msi		executable
		MD5:4D81BE09C23E02FAB7364E508C21C111	SHA256:DCAE57EC4B69236146F744C143C42CC8BDAC9DA6E991904E6DBF67EC1179286A
4724	msiexec.exe	C:\Users\admin\AppData\Local\Temp\MSIDEC7.tmp		executable
		MD5:475D20C0EA477A35660E3F67ECF0A1DF	SHA256:426E6CF199A8268E8A7763EC3A4DD7ADD982B28C51D89EBEA90CA792CBAE14DD
2324	msiexec.exe	C:\System Volume Information\SPP\snapshot-2		binary
		MD5:7EC438E1F0FA42DD1F28DD1CB109C52D	SHA256:47791B7D46C7DF7B0A6E2227BAC0C70DD624352E660AB4D7CED64BEB129E5B44
4724	msiexec.exe	C:\Users\admin\AppData\Local\Temp\MSIDEA7.tmp		executable
		MD5:475D20C0EA477A35660E3F67ECF0A1DF	SHA256:426E6CF199A8268E8A7763EC3A4DD7ADD982B28C51D89EBEA90CA792CBAE14DD
4724	msiexec.exe	C:\Users\admin\AppData\Local\Temp\MSIDE65.tmp		executable
		MD5:475D20C0EA477A35660E3F67ECF0A1DF	SHA256:426E6CF199A8268E8A7763EC3A4DD7ADD982B28C51D89EBEA90CA792CBAE14DD
2324	msiexec.exe	C:\Windows\Installer\MSI9D9.tmp		executable
		MD5:475D20C0EA477A35660E3F67ECF0A1DF	SHA256:426E6CF199A8268E8A7763EC3A4DD7ADD982B28C51D89EBEA90CA792CBAE14DD
2324	msiexec.exe	C:\System Volume Information\SPP\OnlineMetadataCache\{3fdf3fde-7d54-4ebd-8c57-12fdda06c44b}_OnDiskSnapshotProp		binary
		MD5:7EC438E1F0FA42DD1F28DD1CB109C52D	SHA256:47791B7D46C7DF7B0A6E2227BAC0C70DD624352E660AB4D7CED64BEB129E5B44
4724	msiexec.exe	C:\Users\admin\AppData\Local\Temp\MSIDE76.tmp		executable
		MD5:475D20C0EA477A35660E3F67ECF0A1DF	SHA256:426E6CF199A8268E8A7763EC3A4DD7ADD982B28C51D89EBEA90CA792CBAE14DD
4724	msiexec.exe	C:\Users\admin\AppData\Local\Temp\MSIDE07.tmp		executable
		MD5:475D20C0EA477A35660E3F67ECF0A1DF	SHA256:426E6CF199A8268E8A7763EC3A4DD7ADD982B28C51D89EBEA90CA792CBAE14DD

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
7124	RUXIMICS.exe	GET	200	23.216.77.39:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
5944	MoUsoCoreWorker.exe	GET	200	23.216.77.39:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
1268	svchost.exe	GET	200	23.216.77.39:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
5944	MoUsoCoreWorker.exe	GET	200	23.3.109.244:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
1268	svchost.exe	GET	200	23.3.109.244:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
—	—	GET	200	172.67.74.152:443	https://api.ipify.org/	unknown	text	13 b	malicious
7124	RUXIMICS.exe	GET	200	23.3.109.244:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
1800	msiexec.exe	POST	—	85.239.53.219:80	http://85.239.53.219/api/gateway	unknown	—	—	malicious
—	—	POST	500	20.83.72.98:443	https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail	unknown	xml	512 b	whitelisted
—	—	POST	500	20.83.72.98:443	https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail	unknown	xml	512 b	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	whitelisted
5944	MoUsoCoreWorker.exe	20.44.239.154:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	SG	whitelisted
1268	svchost.exe	20.44.239.154:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	SG	whitelisted
7124	RUXIMICS.exe	20.44.239.154:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	SG	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
5944	MoUsoCoreWorker.exe	23.216.77.39:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
7124	RUXIMICS.exe	23.216.77.39:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
1268	svchost.exe	23.216.77.39:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
5944	MoUsoCoreWorker.exe	23.3.109.244:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
7124	RUXIMICS.exe	23.3.109.244:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	20.44.239.154 51.124.78.146	whitelisted
google.com	172.217.16.206	whitelisted
crl.microsoft.com	23.216.77.39 23.216.77.42 23.216.77.35 23.216.77.38 23.216.77.41 23.216.77.15 23.216.77.7 23.216.77.5 23.216.77.6	whitelisted
www.microsoft.com	23.3.109.244	whitelisted
api.ipify.org	104.26.13.205 104.26.12.205 172.67.74.152	shared
self.events.data.microsoft.com	13.69.239.78	whitelisted
activation-v2.sls.microsoft.com	20.83.72.98	whitelisted

PID	Process	Class	Message
1800	msiexec.exe	Potential Corporate Privacy Violation	ET INFO Possible IP Check api.ipify.org
2200	svchost.exe	Misc activity	ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
1800	msiexec.exe	Misc activity	ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI
—	—	Device Retrieving External IP Address Detected	ET INFO External IP Lookup api.ipify.org
—	—	Device Retrieving External IP Address Detected	POLICY [ANY.RUN] External IP Lookup by HTTP (api .ipify .org)
1800	msiexec.exe	Misc activity	SUSPICIOUS [ANY.RUN] Sent Host Name in HTTP POST Body
1800	msiexec.exe	A Network Trojan was detected	ET MALWARE Win32/SSLoad Registration Activity (POST)
1800	msiexec.exe	A Network Trojan was detected	ET MALWARE Win32/SSLoad Registration Activity (POST)

General Info

4d81be09c23e02fab7364e508c21c111.fpx

4D81BE09C23E02FAB7364E508C21C111

52CAE521D7A808C8206F4B5AFD6B037BC573B50E

DCAE57EC4B69236146F744C143C42CC8BDAC9DA6E991904E6DBF67EC1179286A

49152:Hte9IjHnotTeor8trZeIlogiyDTP6q9jp8d38C4WaaIWbpc2VHrzujXFbO9yINbJ:o9IDotTeor2yZyvP/jpOpaaIWbpbVL6O

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

SSLOAD has been detected (YARA)

SSLOAD has been detected (SURICATA)

SUSPICIOUS

Executes as Windows Service

Detects AdvancedInstaller (YARA)

Reads the Windows owner or organization settings

Potential Corporate Privacy Violation

Checks for external IP

Connects to the server without a host name

INFO

The sample compiled with english language support

Reads the computer name

Checks supported languages

Reads Environment values

Executable content was dropped or overwritten

Manages system restore points

Creates files or folders in the user directory

Reads the machine GUID from the registry

Reads the software policy settings

Compiled with Borland Delphi (YARA)

Application based on Rust

Checks proxy server information

Malware configuration

Static information

TRiD

EXIF

FlashPix

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings