File name: 2025-01-10_eccd750b599a15690119fbd270198a90_floxif_magniber

Full analysis: https://app.any.run/tasks/b9fa2048-3d9e-4ab2-94c4-9227b4d750c9
Verdict: Malicious activity
Analysis date: January 10, 2025, 18:11:56
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: floxif, upx
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed, 3 sections
MD5: ECCD750B599A15690119FBD270198A90
SHA1: E193703A3596CBC5F8FD9A2C634C4A2BFB98854B
SHA256: F638DC1B721004C8F1926C014A978856F80205D04EDB02392E99B52D204BA993
SSDEEP: 98304:NKTzRqLJSACSn9GMPML8g3tdctxT9EjfFr4de6ExYqaNzyHesBQc04lDUAfJ0+vP:TGRGefB

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Executing a file with an untrusted certificate
      • Ditto.exe (PID: 2428)
    • FLOXIF has been detected (SURICATA)
      • 2025-01-10_eccd750b599a15690119fbd270198a90_floxif_magniber.exe (PID: 3696)
    • Connects to the CnC server
      • 2025-01-10_eccd750b599a15690119fbd270198a90_floxif_magniber.exe (PID: 3696)
  • SUSPICIOUS
    • Reads security settings of Internet Explorer
      • 2025-01-10_eccd750b599a15690119fbd270198a90_floxif_magniber.exe (PID: 3696)
    • Process drops legitimate windows executable
      • 2025-01-10_eccd750b599a15690119fbd270198a90_floxif_magniber.exe (PID: 3696)
    • The process drops C-runtime libraries
      • 2025-01-10_eccd750b599a15690119fbd270198a90_floxif_magniber.exe (PID: 3696)
    • Executable content was dropped or overwritten
      • 2025-01-10_eccd750b599a15690119fbd270198a90_floxif_magniber.exe (PID: 3696)
    • Contacting a server suspected of hosting an CnC
      • 2025-01-10_eccd750b599a15690119fbd270198a90_floxif_magniber.exe (PID: 3696)
  • INFO
    • Reads the computer name
      • 2025-01-10_eccd750b599a15690119fbd270198a90_floxif_magniber.exe (PID: 3696)
      • Ditto.exe (PID: 2428)
    • Failed to create an executable file in Windows directory
      • 2025-01-10_eccd750b599a15690119fbd270198a90_floxif_magniber.exe (PID: 3696)
    • Checks supported languages
      • 2025-01-10_eccd750b599a15690119fbd270198a90_floxif_magniber.exe (PID: 3696)
      • Ditto.exe (PID: 2428)
    • The process uses the downloaded file
      • 2025-01-10_eccd750b599a15690119fbd270198a90_floxif_magniber.exe (PID: 3696)
    • UPX packer has been detected
      • 2025-01-10_eccd750b599a15690119fbd270198a90_floxif_magniber.exe (PID: 3696)
    • Checks proxy server information
      • 2025-01-10_eccd750b599a15690119fbd270198a90_floxif_magniber.exe (PID: 3696)
    • The sample compiled with english language support
      • 2025-01-10_eccd750b599a15690119fbd270198a90_floxif_magniber.exe (PID: 3696)
    • Create files in a temporary directory
      • 2025-01-10_eccd750b599a15690119fbd270198a90_floxif_magniber.exe (PID: 3696)
No Malware configuration.

TRiD

.exe | InstallShield setup (28)
.exe | Win32 EXE PECompact compressed (generic) (27.1)
.exe | UPX compressed Win32 Executable (17.6)
.exe | Win32 EXE Yoda's Crypter (17.3)
.dll | Win32 Dynamic Link Library (generic) (4.2)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2007:08:19 08:31:03+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 2.5
CodeSize: 45056
InitializedDataSize: 4096
UninitializedDataSize: 94208
EntryPoint: 0x22240
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
Total processes: 116
Monitored processes: 2
Malicious processes: 1
Suspicious processes: 1

Behavior graph

start -> 2025-01-10_eccd750b599a15690119fbd270198a90_floxif_magniber.exe (#FLOXIF) -> ditto.exe (no specs)

Process information

PID: 3696
CMD: "C:\Users\admin\Desktop\2025-01-10_eccd750b599a15690119fbd270198a90_floxif_magniber.exe"
Path: C:\Users\admin\Desktop\2025-01-10_eccd750b599a15690119fbd270198a90_floxif_magniber.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Modules (images):
  c:\users\admin\desktop\2025-01-10_eccd750b599a15690119fbd270198a90_floxif_magniber.exe
  c:\windows\system32\ntdll.dll
  c:\windows\syswow64\ntdll.dll
  c:\windows\system32\wow64.dll
  c:\windows\system32\wow64win.dll
  c:\windows\system32\wow64cpu.dll
  c:\windows\syswow64\kernel32.dll
  c:\windows\syswow64\kernelbase.dll
  c:\windows\syswow64\apphelp.dll
  c:\windows\syswow64\advapi32.dll

PID: 2428
CMD: "C:\Users\admin\Desktop\SubDirectory\Ditto.exe"
Path: C:\Users\admin\Desktop\SubDirectory\Ditto.exe
Parent process: 2025-01-10_eccd750b599a15690119fbd270198a90_floxif_magniber.exe
User: admin
Integrity Level: MEDIUM
Description: Ditto
Version: 3.18.46.0
Modules (images):
  c:\users\admin\desktop\subdirectory\ditto.exe
  c:\windows\system32\ntdll.dll
  c:\windows\syswow64\ntdll.dll
  c:\windows\system32\wow64.dll
  c:\windows\system32\wow64win.dll
  c:\windows\system32\wow64cpu.dll
  c:\windows\syswow64\kernel32.dll
  c:\windows\syswow64\kernelbase.dll
  c:\windows\syswow64\apphelp.dll
  c:\windows\syswow64\ws2_32.dll
Total events: 620
Read events: 617
Write events: 3
Delete events: 0

Modification events

(PID) Process: (3696) 2025-01-10_eccd750b599a15690119fbd270198a90_floxif_magniber.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation: write
Name: CachePrefix
Value: (empty)

(PID) Process: (3696) 2025-01-10_eccd750b599a15690119fbd270198a90_floxif_magniber.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write
Name: CachePrefix
Value: Cookie:

(PID) Process: (3696) 2025-01-10_eccd750b599a15690119fbd270198a90_floxif_magniber.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write
Name: CachePrefix
Value: Visited:
Executable files: 8
Suspicious files: 4
Text files: 24
Unknown types: 0

Dropped files

PID | Process | Filename | Type

3696 | 2025-01-10_eccd750b599a15690119fbd270198a90_floxif_magniber.exe | C:\Users\admin\AppData\Local\Temp\conres.dll | executable
MD5: 7574CF2C64F35161AB1292E2F532AABF
SHA256: DE055A89DE246E629A8694BDE18AF2B1605E4B9B493C7E4AEF669DD67ACF5085

3696 | 2025-01-10_eccd750b599a15690119fbd270198a90_floxif_magniber.exe | C:\Users\admin\AppData\Local\Temp\A1D26E2\7C67B0CE70.tmp | executable
MD5: 57A7C62870D0C85FF2A120AB2C74EF98
SHA256: 7B00E1221E8067896639552771BCFC4C57F3371B4DBB4AAF14A962EBBB32391F

3696 | 2025-01-10_eccd750b599a15690119fbd270198a90_floxif_magniber.exe | C:\Users\admin\Desktop\SubDirectory\Help\RegCustomKeys.jpg | image
MD5: 6B62918055AB1D2DF75FEA5E3C342471
SHA256: 40070FEC66EF4A190E1FCE76310574ECD574350113922BC512745C16DCA71304

3696 | 2025-01-10_eccd750b599a15690119fbd270198a90_floxif_magniber.exe | C:\Users\admin\Desktop\SubDirectory\Help\DittoGettingStarted.htm | html
MD5: F7D216A98789BB2BD9CE67590E6124C5
SHA256: AF8AC5071CEB59A84252EA797711DD5BACFA0F3F2C22F2D9CD3B385628433805

3696 | 2025-01-10_eccd750b599a15690119fbd270198a90_floxif_magniber.exe | C:\Users\admin\Desktop\SubDirectory\Ditto.db | sqlite
MD5: 5EBBF9C13ABC941C48AF610B90B65DCC
SHA256: A251E99108884BD01D8B1A46EC6A7BC710EED91000652B13B9B7AC6F51F549D4

3696 | 2025-01-10_eccd750b599a15690119fbd270198a90_floxif_magniber.exe | C:\Users\admin\Desktop\SubDirectory\Help\DittoConfig.htm | html
MD5: E1A7002947A93276D4740610B3ACCBC8
SHA256: 8C9BB86F19622E9258F1BC19B813118CDEEBC0F0E4DF01FCC7514F1C48A3F8F1

3696 | 2025-01-10_eccd750b599a15690119fbd270198a90_floxif_magniber.exe | C:\Users\admin\Desktop\SubDirectory\Ditto.Settings | ini
MD5: E0CBD68347493DF5D4F6F232D508F0A8
SHA256: DFE375BA181ACC0A808C87D9B61E1FE16E259D074345FA0640713725AB9A780F

3696 | 2025-01-10_eccd750b599a15690119fbd270198a90_floxif_magniber.exe | C:\Users\admin\Desktop\SubDirectory\Help\DittoFAQ.htm | html
MD5: CAC002AB8E9539B820ABBB1040C05628
SHA256: 57D60A25370CB62DC44BD04AABC3864BC6613FEF04D6BB14BAEA4E6D51B009FB

3696 | 2025-01-10_eccd750b599a15690119fbd270198a90_floxif_magniber.exe | C:\Users\admin\AppData\Local\Temp\FP7EB9.tmp | text
MD5: 516B8867D053E6C1A890A6B173B1D1D8
SHA256: 43B015FA314DD8EC8A70FF8623CB54208B7E68C3898F165F169EF1A25F44DAAA

3696 | 2025-01-10_eccd750b599a15690119fbd270198a90_floxif_magniber.exe | C:\Users\admin\Desktop\SubDirectory\Changes.txt | text
MD5: 71C14E67118CE3865DBDC8B6E6F7F108
SHA256: 814E65878F4A845864BA8C7DB16C4C3857F16A40B9BC231CC1C06EED6BDED186
HTTP(S) requests: 9
TCP/UDP connections: 20
DNS requests: 14
Threats: 6

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Reputation
- | - | GET | 200 | 23.37.237.227:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
3696 | 2025-01-10_eccd750b599a15690119fbd270198a90_floxif_magniber.exe | GET | 403 | 72.14.185.43:80 | http://www.aieov.com/logo.gif | unknown | malicious
- | - | GET | 200 | 23.48.23.141:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
3696 | 2025-01-10_eccd750b599a15690119fbd270198a90_floxif_magniber.exe | GET | 403 | 72.14.185.43:80 | http://www.aieov.com/logo.gif | unknown | malicious
3696 | 2025-01-10_eccd750b599a15690119fbd270198a90_floxif_magniber.exe | GET | 403 | 72.14.185.43:80 | http://www.aieov.com/logo.gif | unknown | malicious
3696 | 2025-01-10_eccd750b599a15690119fbd270198a90_floxif_magniber.exe | GET | 403 | 72.14.185.43:80 | http://www.aieov.com/logo.gif | unknown | malicious
3696 | 2025-01-10_eccd750b599a15690119fbd270198a90_floxif_magniber.exe | GET | 403 | 72.14.185.43:80 | http://www.aieov.com/logo.gif | unknown | malicious
3696 | 2025-01-10_eccd750b599a15690119fbd270198a90_floxif_magniber.exe | GET | 403 | 72.14.185.43:80 | http://www.aieov.com/logo.gif | unknown | malicious
- | - | POST | 204 | 2.16.204.146:443 | https://www.bing.com/threshold/xls.aspx | unknown | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
- | - | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
- | - | 23.48.23.141:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
- | - | 23.37.237.227:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
- | - | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
3696 | 2025-01-10_eccd750b599a15690119fbd270198a90_floxif_magniber.exe | 72.14.185.43:80 | www.aieov.com | Linode, LLC | US | malicious
188 | svchost.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
5064 | SearchApp.exe | 2.16.204.152:443 | www.bing.com | Akamai International B.V. | DE | whitelisted

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 51.124.78.146, 40.127.240.158, 20.73.194.208 | whitelisted
google.com | 142.250.185.110 | whitelisted
crl.microsoft.com | 23.48.23.141, 23.48.23.149, 23.48.23.137, 23.48.23.145, 23.48.23.146, 23.48.23.134, 23.48.23.138, 23.48.23.192, 23.48.23.191 | whitelisted
www.microsoft.com | 23.37.237.227 | whitelisted
5isohu.com | - | whitelisted
www.aieov.com | 72.14.185.43, 173.255.194.134, 45.33.30.197, 45.33.18.44, 45.79.19.196, 45.33.2.79, 198.58.118.167, 45.56.79.23, 96.126.123.244, 72.14.178.174, 45.33.20.235, 45.33.23.183 | malicious
www.bing.com | 2.16.204.152, 2.16.204.156, 2.16.204.160, 2.16.204.138, 2.16.204.142, 2.16.204.135, 2.16.204.145, 2.16.204.161, 2.16.204.158 | whitelisted
self.events.data.microsoft.com | 20.189.173.10 | whitelisted

Threats

6 ETPRO signatures available at the full report
No debug info