File name: 2025-01-10_eccd750b599a15690119fbd270198a90_floxif_magniber

Full analysis: https://app.any.run/tasks/b9fa2048-3d9e-4ab2-94c4-9227b4d750c9
Verdict: Malicious activity
Analysis date: January 10, 2025, 18:11:56
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
floxif
upx
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed, 3 sections
MD5: ECCD750B599A15690119FBD270198A90
SHA1: E193703A3596CBC5F8FD9A2C634C4A2BFB98854B
SHA256: F638DC1B721004C8F1926C014A978856F80205D04EDB02392E99B52D204BA993
SSDEEP: 98304:NKTzRqLJSACSn9GMPML8g3tdctxT9EjfFr4de6ExYqaNzyHesBQc04lDUAfJ0+vP:TGRGefB

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Executing a file with an untrusted certificate

      • Ditto.exe (PID: 2428)
    • FLOXIF has been detected (SURICATA)

      • 2025-01-10_eccd750b599a15690119fbd270198a90_floxif_magniber.exe (PID: 3696)
    • Connects to the CnC server

      • 2025-01-10_eccd750b599a15690119fbd270198a90_floxif_magniber.exe (PID: 3696)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • 2025-01-10_eccd750b599a15690119fbd270198a90_floxif_magniber.exe (PID: 3696)
    • Process drops legitimate windows executable

      • 2025-01-10_eccd750b599a15690119fbd270198a90_floxif_magniber.exe (PID: 3696)
    • Reads security settings of Internet Explorer

      • 2025-01-10_eccd750b599a15690119fbd270198a90_floxif_magniber.exe (PID: 3696)
    • The process drops C-runtime libraries

      • 2025-01-10_eccd750b599a15690119fbd270198a90_floxif_magniber.exe (PID: 3696)
    • Contacting a server suspected of hosting a CnC

      • 2025-01-10_eccd750b599a15690119fbd270198a90_floxif_magniber.exe (PID: 3696)
  • INFO

    • The sample was compiled with English language support

      • 2025-01-10_eccd750b599a15690119fbd270198a90_floxif_magniber.exe (PID: 3696)
    • Checks supported languages

      • 2025-01-10_eccd750b599a15690119fbd270198a90_floxif_magniber.exe (PID: 3696)
      • Ditto.exe (PID: 2428)
    • Failed to create an executable file in Windows directory

      • 2025-01-10_eccd750b599a15690119fbd270198a90_floxif_magniber.exe (PID: 3696)
    • Reads the computer name

      • 2025-01-10_eccd750b599a15690119fbd270198a90_floxif_magniber.exe (PID: 3696)
      • Ditto.exe (PID: 2428)
    • Create files in a temporary directory

      • 2025-01-10_eccd750b599a15690119fbd270198a90_floxif_magniber.exe (PID: 3696)
    • Checks proxy server information

      • 2025-01-10_eccd750b599a15690119fbd270198a90_floxif_magniber.exe (PID: 3696)
    • The process uses the downloaded file

      • 2025-01-10_eccd750b599a15690119fbd270198a90_floxif_magniber.exe (PID: 3696)
    • UPX packer has been detected

      • 2025-01-10_eccd750b599a15690119fbd270198a90_floxif_magniber.exe (PID: 3696)
No Malware configuration.

TRiD

.exe | InstallShield setup (28)
.exe | Win32 EXE PECompact compressed (generic) (27.1)
.exe | UPX compressed Win32 Executable (17.6)
.exe | Win32 EXE Yoda's Crypter (17.3)
.dll | Win32 Dynamic Link Library (generic) (4.2)

EXIF

EXE

Subsystem: Windows GUI
SubsystemVersion: 4
ImageVersion: -
OSVersion: 4
EntryPoint: 0x22240
UninitializedDataSize: 94208
InitializedDataSize: 4096
CodeSize: 45056
LinkerVersion: 2.5
PEType: PE32
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
TimeStamp: 2007:08:19 08:31:03+00:00
MachineType: Intel 386 or later, and compatibles
Total processes: 116
Monitored processes: 2
Malicious processes: 1
Suspicious processes: 1

Behavior graph

start -> #FLOXIF 2025-01-10_eccd750b599a15690119fbd270198a90_floxif_magniber.exe -> ditto.exe (no specs)

Process information

PID: 3696
CMD: "C:\Users\admin\Desktop\2025-01-10_eccd750b599a15690119fbd270198a90_floxif_magniber.exe"
Path: C:\Users\admin\Desktop\2025-01-10_eccd750b599a15690119fbd270198a90_floxif_magniber.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Modules (images):
  c:\users\admin\desktop\2025-01-10_eccd750b599a15690119fbd270198a90_floxif_magniber.exe
  c:\windows\system32\ntdll.dll
  c:\windows\syswow64\ntdll.dll
  c:\windows\system32\wow64.dll
  c:\windows\system32\wow64win.dll
  c:\windows\system32\wow64cpu.dll
  c:\windows\syswow64\kernel32.dll
  c:\windows\syswow64\kernelbase.dll
  c:\windows\syswow64\apphelp.dll
  c:\windows\syswow64\advapi32.dll

PID: 2428
CMD: "C:\Users\admin\Desktop\SubDirectory\Ditto.exe"
Path: C:\Users\admin\Desktop\SubDirectory\Ditto.exe
Parent process: 2025-01-10_eccd750b599a15690119fbd270198a90_floxif_magniber.exe
User: admin
Integrity Level: MEDIUM
Description: Ditto
Version: 3.18.46.0
Modules (images):
  c:\users\admin\desktop\subdirectory\ditto.exe
  c:\windows\system32\ntdll.dll
  c:\windows\syswow64\ntdll.dll
  c:\windows\system32\wow64.dll
  c:\windows\system32\wow64win.dll
  c:\windows\system32\wow64cpu.dll
  c:\windows\syswow64\kernel32.dll
  c:\windows\syswow64\kernelbase.dll
  c:\windows\syswow64\apphelp.dll
  c:\windows\syswow64\ws2_32.dll
Total events: 620
Read events: 617
Write events: 3
Delete events: 0

Modification events

(PID) Process: (3696) 2025-01-10_eccd750b599a15690119fbd270198a90_floxif_magniber.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation: write
Name: CachePrefix
Value:

(PID) Process: (3696) 2025-01-10_eccd750b599a15690119fbd270198a90_floxif_magniber.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write
Name: CachePrefix
Value: Cookie:

(PID) Process: (3696) 2025-01-10_eccd750b599a15690119fbd270198a90_floxif_magniber.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write
Name: CachePrefix
Value: Visited:
Executable files: 8
Suspicious files: 4
Text files: 24
Unknown types: 0

Dropped files

PID | Process | Filename | Type
3696 | 2025-01-10_eccd750b599a15690119fbd270198a90_floxif_magniber.exe | C:\Users\admin\Desktop\SubDirectory\Help\DittoFAQ.htm | html
  MD5: CAC002AB8E9539B820ABBB1040C05628
  SHA256: 57D60A25370CB62DC44BD04AABC3864BC6613FEF04D6BB14BAEA4E6D51B009FB
3696 | 2025-01-10_eccd750b599a15690119fbd270198a90_floxif_magniber.exe | C:\Users\admin\AppData\Local\Temp\FP7EB9.tmp | text
  MD5: 516B8867D053E6C1A890A6B173B1D1D8
  SHA256: 43B015FA314DD8EC8A70FF8623CB54208B7E68C3898F165F169EF1A25F44DAAA
3696 | 2025-01-10_eccd750b599a15690119fbd270198a90_floxif_magniber.exe | C:\Users\admin\Desktop\SubDirectory\Help\DittoConfig.htm | html
  MD5: E1A7002947A93276D4740610B3ACCBC8
  SHA256: 8C9BB86F19622E9258F1BC19B813118CDEEBC0F0E4DF01FCC7514F1C48A3F8F1
3696 | 2025-01-10_eccd750b599a15690119fbd270198a90_floxif_magniber.exe | C:\Users\admin\Desktop\SubDirectory\Help\Dutch_DittoGettingStarted.htm | html
  MD5: 872F1743D9196F08C1F7C6C3079722B1
  SHA256: 888323D5345BA148075918DC79F6ED631462C48BA4EFE5D9E04DDF8C61351BF9
3696 | 2025-01-10_eccd750b599a15690119fbd270198a90_floxif_magniber.exe | C:\Users\admin\Desktop\SubDirectory\Ditto.exe | executable
  MD5: A7569CDF60DB586EC255EF9FFE311498
  SHA256: 8A3C268F908EE5994BF9BB43BBF04A31D82506D15A11E69C9D98501C8F11C91A
3696 | 2025-01-10_eccd750b599a15690119fbd270198a90_floxif_magniber.exe | C:\Users\admin\Desktop\SubDirectory\Changes.txt | text
  MD5: 71C14E67118CE3865DBDC8B6E6F7F108
  SHA256: 814E65878F4A845864BA8C7DB16C4C3857F16A40B9BC231CC1C06EED6BDED186
3696 | 2025-01-10_eccd750b599a15690119fbd270198a90_floxif_magniber.exe | C:\Users\admin\Desktop\SubDirectory\Help\U3_Install.htm | html
  MD5: 19E070C7AA48CC298DA8A771F9680D81
  SHA256: 15AA2608493C3638FC031E18C384B1983C2B88610C32964349ED8C6E20398BA6
3696 | 2025-01-10_eccd750b599a15690119fbd270198a90_floxif_magniber.exe | C:\Users\admin\Desktop\SubDirectory\Ditto.Settings | ini
  MD5: E0CBD68347493DF5D4F6F232D508F0A8
  SHA256: DFE375BA181ACC0A808C87D9B61E1FE16E259D074345FA0640713725AB9A780F
3696 | 2025-01-10_eccd750b599a15690119fbd270198a90_floxif_magniber.exe | C:\Users\admin\AppData\Local\Temp\conres.dll | executable
  MD5: 7574CF2C64F35161AB1292E2F532AABF
  SHA256: DE055A89DE246E629A8694BDE18AF2B1605E4B9B493C7E4AEF669DD67ACF5085
3696 | 2025-01-10_eccd750b599a15690119fbd270198a90_floxif_magniber.exe | C:\Users\admin\Desktop\SubDirectory\Help\Dutch_DittoConfig.htm | html
  MD5: 4104560D07D254553F1A7F9697E4E663
  SHA256: 03A4B19ED7E1A6EA37E2FFB679DD91BF00488BB8098DB31A048E06E3C923D1A2
HTTP(S) requests: 9
TCP/UDP connections: 20
DNS requests: 14
Threats: 6

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Reputation
3696 | 2025-01-10_eccd750b599a15690119fbd270198a90_floxif_magniber.exe | GET | 403 | 72.14.185.43:80 | http://www.aieov.com/logo.gif | unknown | malicious
3696 | 2025-01-10_eccd750b599a15690119fbd270198a90_floxif_magniber.exe | GET | 403 | 72.14.185.43:80 | http://www.aieov.com/logo.gif | unknown | malicious
- | - | GET | 200 | 23.48.23.141:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
3696 | 2025-01-10_eccd750b599a15690119fbd270198a90_floxif_magniber.exe | GET | 403 | 72.14.185.43:80 | http://www.aieov.com/logo.gif | unknown | malicious
3696 | 2025-01-10_eccd750b599a15690119fbd270198a90_floxif_magniber.exe | GET | 403 | 72.14.185.43:80 | http://www.aieov.com/logo.gif | unknown | malicious
3696 | 2025-01-10_eccd750b599a15690119fbd270198a90_floxif_magniber.exe | GET | 403 | 72.14.185.43:80 | http://www.aieov.com/logo.gif | unknown | malicious
- | - | GET | 200 | 23.37.237.227:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
3696 | 2025-01-10_eccd750b599a15690119fbd270198a90_floxif_magniber.exe | GET | 403 | 72.14.185.43:80 | http://www.aieov.com/logo.gif | unknown | malicious
- | - | POST | 204 | 2.16.204.146:443 | https://www.bing.com/threshold/xls.aspx | unknown | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
- | - | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
- | - | 23.48.23.141:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
- | - | 23.37.237.227:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
- | - | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
3696 | 2025-01-10_eccd750b599a15690119fbd270198a90_floxif_magniber.exe | 72.14.185.43:80 | www.aieov.com | Linode, LLC | US | malicious
188 | svchost.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
5064 | SearchApp.exe | 2.16.204.152:443 | www.bing.com | Akamai International B.V. | DE | whitelisted

DNS requests

Domain / IP / Reputation
settings-win.data.microsoft.com
  • 51.124.78.146
  • 40.127.240.158
  • 20.73.194.208
whitelisted
google.com
  • 142.250.185.110
whitelisted
crl.microsoft.com
whitelisted
www.microsoft.com
  • 23.37.237.227
whitelisted
5isohu.com
whitelisted
www.aieov.com
malicious
www.bing.com
whitelisted
self.events.data.microsoft.com
  • 20.189.173.10
whitelisted

Threats

6 ETPRO signatures available at the full report
No debug info