File name: 2025-01-10_eccd750b599a15690119fbd270198a90_floxif_magniber

Full analysis: https://app.any.run/tasks/b9fa2048-3d9e-4ab2-94c4-9227b4d750c9
Verdict: Malicious activity
Analysis date: January 10, 2025, 18:11:56
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: floxif, upx
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed, 3 sections
MD5: ECCD750B599A15690119FBD270198A90
SHA1: E193703A3596CBC5F8FD9A2C634C4A2BFB98854B
SHA256: F638DC1B721004C8F1926C014A978856F80205D04EDB02392E99B52D204BA993
SSDEEP: 98304:NKTzRqLJSACSn9GMPML8g3tdctxT9EjfFr4de6ExYqaNzyHesBQc04lDUAfJ0+vP:TGRGefB

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Executing a file with an untrusted certificate

      • Ditto.exe (PID: 2428)
    • FLOXIF has been detected (SURICATA)

      • 2025-01-10_eccd750b599a15690119fbd270198a90_floxif_magniber.exe (PID: 3696)
    • Connects to the CnC server

      • 2025-01-10_eccd750b599a15690119fbd270198a90_floxif_magniber.exe (PID: 3696)
  • SUSPICIOUS

    • The process drops C-runtime libraries

      • 2025-01-10_eccd750b599a15690119fbd270198a90_floxif_magniber.exe (PID: 3696)
    • Executable content was dropped or overwritten

      • 2025-01-10_eccd750b599a15690119fbd270198a90_floxif_magniber.exe (PID: 3696)
    • Reads security settings of Internet Explorer

      • 2025-01-10_eccd750b599a15690119fbd270198a90_floxif_magniber.exe (PID: 3696)
    • Process drops legitimate windows executable

      • 2025-01-10_eccd750b599a15690119fbd270198a90_floxif_magniber.exe (PID: 3696)
    • Contacting a server suspected of hosting a CnC

      • 2025-01-10_eccd750b599a15690119fbd270198a90_floxif_magniber.exe (PID: 3696)
  • INFO

    • Checks supported languages

      • 2025-01-10_eccd750b599a15690119fbd270198a90_floxif_magniber.exe (PID: 3696)
      • Ditto.exe (PID: 2428)
    • The sample was compiled with English language support

      • 2025-01-10_eccd750b599a15690119fbd270198a90_floxif_magniber.exe (PID: 3696)
    • Reads the computer name

      • 2025-01-10_eccd750b599a15690119fbd270198a90_floxif_magniber.exe (PID: 3696)
      • Ditto.exe (PID: 2428)
    • UPX packer has been detected

      • 2025-01-10_eccd750b599a15690119fbd270198a90_floxif_magniber.exe (PID: 3696)
    • Failed to create an executable file in Windows directory

      • 2025-01-10_eccd750b599a15690119fbd270198a90_floxif_magniber.exe (PID: 3696)
    • Checks proxy server information

      • 2025-01-10_eccd750b599a15690119fbd270198a90_floxif_magniber.exe (PID: 3696)
    • The process uses the downloaded file

      • 2025-01-10_eccd750b599a15690119fbd270198a90_floxif_magniber.exe (PID: 3696)
    • Creates files in a temporary directory

      • 2025-01-10_eccd750b599a15690119fbd270198a90_floxif_magniber.exe (PID: 3696)
No Malware configuration.

TRiD

.exe | InstallShield setup (28)
.exe | Win32 EXE PECompact compressed (generic) (27.1)
.exe | UPX compressed Win32 Executable (17.6)
.exe | Win32 EXE Yoda's Crypter (17.3)
.dll | Win32 Dynamic Link Library (generic) (4.2)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2007:08:19 08:31:03+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 2.5
CodeSize: 45056
InitializedDataSize: 4096
UninitializedDataSize: 94208
EntryPoint: 0x22240
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
Total processes: 116
Monitored processes: 2
Malicious processes: 1
Suspicious processes: 1

Behavior graph

start → 2025-01-10_eccd750b599a15690119fbd270198a90_floxif_magniber.exe (#FLOXIF) → ditto.exe (no specs)

Process information

PID: 2428
CMD: "C:\Users\admin\Desktop\SubDirectory\Ditto.exe"
Path: C:\Users\admin\Desktop\SubDirectory\Ditto.exe
Indicators: none
Parent process: 2025-01-10_eccd750b599a15690119fbd270198a90_floxif_magniber.exe
User: admin
Integrity Level: MEDIUM
Description: Ditto
Version: 3.18.46.0
Modules (images):
c:\users\admin\desktop\subdirectory\ditto.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\ws2_32.dll

PID: 3696
CMD: "C:\Users\admin\Desktop\2025-01-10_eccd750b599a15690119fbd270198a90_floxif_magniber.exe"
Path: C:\Users\admin\Desktop\2025-01-10_eccd750b599a15690119fbd270198a90_floxif_magniber.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Modules (images):
c:\users\admin\desktop\2025-01-10_eccd750b599a15690119fbd270198a90_floxif_magniber.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
Total events: 620
Read events: 617
Write events: 3
Delete events: 0

Modification events

(PID) Process: (3696) 2025-01-10_eccd750b599a15690119fbd270198a90_floxif_magniber.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation: write
Name: CachePrefix
Value:

(PID) Process: (3696) 2025-01-10_eccd750b599a15690119fbd270198a90_floxif_magniber.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write
Name: CachePrefix
Value: Cookie:

(PID) Process: (3696) 2025-01-10_eccd750b599a15690119fbd270198a90_floxif_magniber.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write
Name: CachePrefix
Value: Visited:
Executable files: 8
Suspicious files: 4
Text files: 24
Unknown types: 0

Dropped files

PID | Process | Filename | Type
3696 | 2025-01-10_eccd750b599a15690119fbd270198a90_floxif_magniber.exe | C:\Users\admin\Desktop\SubDirectory\Ditto.fpp | text
MD5:C5E8754F29D3CE69280788ED0CF14B05
SHA256:BD31F2431E972539B94F44A2FC007B5A0B0E8345AFC82E193AA5C4D0249772DB
3696 | 2025-01-10_eccd750b599a15690119fbd270198a90_floxif_magniber.exe | C:\Users\admin\Desktop\SubDirectory\Addins\DittoUtil.dll | executable
MD5:E7C7DF2A4F053944080F2FE5A427AF24
SHA256:6F52B436512C930752DA8494D4C9BD2D6668DE553676EB503C009E0B22E9CED4
3696 | 2025-01-10_eccd750b599a15690119fbd270198a90_floxif_magniber.exe | C:\Users\admin\Desktop\SubDirectory\Help\DittoConfig.htm | html
MD5:E1A7002947A93276D4740610B3ACCBC8
SHA256:8C9BB86F19622E9258F1BC19B813118CDEEBC0F0E4DF01FCC7514F1C48A3F8F1
3696 | 2025-01-10_eccd750b599a15690119fbd270198a90_floxif_magniber.exe | C:\Users\admin\Desktop\SubDirectory\Help\DittoFAQ.htm | html
MD5:CAC002AB8E9539B820ABBB1040C05628
SHA256:57D60A25370CB62DC44BD04AABC3864BC6613FEF04D6BB14BAEA4E6D51B009FB
3696 | 2025-01-10_eccd750b599a15690119fbd270198a90_floxif_magniber.exe | C:\Users\admin\Desktop\SubDirectory\Ditto.db | sqlite
MD5:5EBBF9C13ABC941C48AF610B90B65DCC
SHA256:A251E99108884BD01D8B1A46EC6A7BC710EED91000652B13B9B7AC6F51F549D4
3696 | 2025-01-10_eccd750b599a15690119fbd270198a90_floxif_magniber.exe | C:\Users\admin\Desktop\SubDirectory\Ditto.exe | executable
MD5:A7569CDF60DB586EC255EF9FFE311498
SHA256:8A3C268F908EE5994BF9BB43BBF04A31D82506D15A11E69C9D98501C8F11C91A
3696 | 2025-01-10_eccd750b599a15690119fbd270198a90_floxif_magniber.exe | C:\Users\admin\Desktop\SubDirectory\Changes.txt | text
MD5:71C14E67118CE3865DBDC8B6E6F7F108
SHA256:814E65878F4A845864BA8C7DB16C4C3857F16A40B9BC231CC1C06EED6BDED186
3696 | 2025-01-10_eccd750b599a15690119fbd270198a90_floxif_magniber.exe | C:\Users\admin\Desktop\SubDirectory\Help\RegCustomKeys.jpg | image
MD5:6B62918055AB1D2DF75FEA5E3C342471
SHA256:40070FEC66EF4A190E1FCE76310574ECD574350113922BC512745C16DCA71304
3696 | 2025-01-10_eccd750b599a15690119fbd270198a90_floxif_magniber.exe | C:\Users\admin\Desktop\SubDirectory\Help\DittoCustomKeys.htm | html
MD5:F6667B548B24B917CAD058030D064458
SHA256:B11FCD7B771EAE439E83028FA76362CA8227E0BE5EA998D7CE78E83E5017807C
3696 | 2025-01-10_eccd750b599a15690119fbd270198a90_floxif_magniber.exe | C:\Users\admin\Desktop\SubDirectory\Help\Dutch_DittoConfig.htm | html
MD5:4104560D07D254553F1A7F9697E4E663
SHA256:03A4B19ED7E1A6EA37E2FFB679DD91BF00488BB8098DB31A048E06E3C923D1A2
HTTP(S) requests: 9
TCP/UDP connections: 20
DNS requests: 14
Threats: 6

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
- | - | GET | 200 | 23.48.23.141:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
- | - | GET | 200 | 23.37.237.227:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
3696 | 2025-01-10_eccd750b599a15690119fbd270198a90_floxif_magniber.exe | GET | 403 | 72.14.185.43:80 | http://www.aieov.com/logo.gif | unknown | - | - | malicious
3696 | 2025-01-10_eccd750b599a15690119fbd270198a90_floxif_magniber.exe | GET | 403 | 72.14.185.43:80 | http://www.aieov.com/logo.gif | unknown | - | - | malicious
3696 | 2025-01-10_eccd750b599a15690119fbd270198a90_floxif_magniber.exe | GET | 403 | 72.14.185.43:80 | http://www.aieov.com/logo.gif | unknown | - | - | malicious
3696 | 2025-01-10_eccd750b599a15690119fbd270198a90_floxif_magniber.exe | GET | 403 | 72.14.185.43:80 | http://www.aieov.com/logo.gif | unknown | - | - | malicious
3696 | 2025-01-10_eccd750b599a15690119fbd270198a90_floxif_magniber.exe | GET | 403 | 72.14.185.43:80 | http://www.aieov.com/logo.gif | unknown | - | - | malicious
3696 | 2025-01-10_eccd750b599a15690119fbd270198a90_floxif_magniber.exe | GET | 403 | 72.14.185.43:80 | http://www.aieov.com/logo.gif | unknown | - | - | malicious
- | - | POST | 204 | 2.16.204.146:443 | https://www.bing.com/threshold/xls.aspx | unknown | - | - | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
- | - | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
- | - | 23.48.23.141:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
- | - | 23.37.237.227:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
- | - | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
3696 | 2025-01-10_eccd750b599a15690119fbd270198a90_floxif_magniber.exe | 72.14.185.43:80 | www.aieov.com | Linode, LLC | US | malicious
188 | svchost.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
5064 | SearchApp.exe | 2.16.204.152:443 | www.bing.com | Akamai International B.V. | DE | whitelisted

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com
  • 51.124.78.146
  • 40.127.240.158
  • 20.73.194.208
whitelisted
google.com
  • 142.250.185.110
whitelisted
crl.microsoft.com
  • 23.48.23.141
  • 23.48.23.149
  • 23.48.23.137
  • 23.48.23.145
  • 23.48.23.146
  • 23.48.23.134
  • 23.48.23.138
  • 23.48.23.192
  • 23.48.23.191
whitelisted
www.microsoft.com
  • 23.37.237.227
whitelisted
5isohu.com
whitelisted
www.aieov.com
  • 72.14.185.43
  • 173.255.194.134
  • 45.33.30.197
  • 45.33.18.44
  • 45.79.19.196
  • 45.33.2.79
  • 198.58.118.167
  • 45.56.79.23
  • 96.126.123.244
  • 72.14.178.174
  • 45.33.20.235
  • 45.33.23.183
malicious
www.bing.com
  • 2.16.204.152
  • 2.16.204.156
  • 2.16.204.160
  • 2.16.204.138
  • 2.16.204.142
  • 2.16.204.135
  • 2.16.204.145
  • 2.16.204.161
  • 2.16.204.158
whitelisted
self.events.data.microsoft.com
  • 20.189.173.10
whitelisted

Threats

6 ETPRO signatures available at the full report
No debug info