File name: 2025-01-10_eccd750b599a15690119fbd270198a90_floxif_magniber

Full analysis: https://app.any.run/tasks/b9fa2048-3d9e-4ab2-94c4-9227b4d750c9
Verdict: Malicious activity
Analysis date: January 10, 2025, 18:11:56
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: floxif, upx
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed, 3 sections
MD5: ECCD750B599A15690119FBD270198A90
SHA1: E193703A3596CBC5F8FD9A2C634C4A2BFB98854B
SHA256: F638DC1B721004C8F1926C014A978856F80205D04EDB02392E99B52D204BA993
SSDEEP: 98304:NKTzRqLJSACSn9GMPML8g3tdctxT9EjfFr4de6ExYqaNzyHesBQc04lDUAfJ0+vP:TGRGefB

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Executing a file with an untrusted certificate

      • Ditto.exe (PID: 2428)
    • FLOXIF has been detected (SURICATA)

      • 2025-01-10_eccd750b599a15690119fbd270198a90_floxif_magniber.exe (PID: 3696)
    • Connects to the CnC server

      • 2025-01-10_eccd750b599a15690119fbd270198a90_floxif_magniber.exe (PID: 3696)
  • SUSPICIOUS

    • Process drops a legitimate Windows executable

      • 2025-01-10_eccd750b599a15690119fbd270198a90_floxif_magniber.exe (PID: 3696)
    • Executable content was dropped or overwritten

      • 2025-01-10_eccd750b599a15690119fbd270198a90_floxif_magniber.exe (PID: 3696)
    • The process drops C-runtime libraries

      • 2025-01-10_eccd750b599a15690119fbd270198a90_floxif_magniber.exe (PID: 3696)
    • Reads security settings of Internet Explorer

      • 2025-01-10_eccd750b599a15690119fbd270198a90_floxif_magniber.exe (PID: 3696)
    • Contacting a server suspected of hosting a CnC

      • 2025-01-10_eccd750b599a15690119fbd270198a90_floxif_magniber.exe (PID: 3696)
  • INFO

    • The sample was compiled with English language support

      • 2025-01-10_eccd750b599a15690119fbd270198a90_floxif_magniber.exe (PID: 3696)
    • Checks supported languages

      • 2025-01-10_eccd750b599a15690119fbd270198a90_floxif_magniber.exe (PID: 3696)
      • Ditto.exe (PID: 2428)
    • Failed to create an executable file in Windows directory

      • 2025-01-10_eccd750b599a15690119fbd270198a90_floxif_magniber.exe (PID: 3696)
    • Reads the computer name

      • 2025-01-10_eccd750b599a15690119fbd270198a90_floxif_magniber.exe (PID: 3696)
      • Ditto.exe (PID: 2428)
    • Checks proxy server information

      • 2025-01-10_eccd750b599a15690119fbd270198a90_floxif_magniber.exe (PID: 3696)
    • The process uses the downloaded file

      • 2025-01-10_eccd750b599a15690119fbd270198a90_floxif_magniber.exe (PID: 3696)
    • Creates files in a temporary directory

      • 2025-01-10_eccd750b599a15690119fbd270198a90_floxif_magniber.exe (PID: 3696)
    • UPX packer has been detected

      • 2025-01-10_eccd750b599a15690119fbd270198a90_floxif_magniber.exe (PID: 3696)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | InstallShield setup (28)
.exe | Win32 EXE PECompact compressed (generic) (27.1)
.exe | UPX compressed Win32 Executable (17.6)
.exe | Win32 EXE Yoda's Crypter (17.3)
.dll | Win32 Dynamic Link Library (generic) (4.2)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2007:08:19 08:31:03+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 2.5
CodeSize: 45056
InitializedDataSize: 4096
UninitializedDataSize: 94208
EntryPoint: 0x22240
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
No data.
All screenshots are available in the full report
Total processes: 116
Monitored processes: 2
Malicious processes: 1
Suspicious processes: 1

Behavior graph

start → 2025-01-10_eccd750b599a15690119fbd270198a90_floxif_magniber.exe (#FLOXIF) → ditto.exe (no specs)

Process information

PID: 2428
CMD: "C:\Users\admin\Desktop\SubDirectory\Ditto.exe"
Path: C:\Users\admin\Desktop\SubDirectory\Ditto.exe
Parent process: 2025-01-10_eccd750b599a15690119fbd270198a90_floxif_magniber.exe
User: admin
Integrity Level: MEDIUM
Description: Ditto
Version: 3.18.46.0
Modules (images):
  • c:\users\admin\desktop\subdirectory\ditto.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\syswow64\ntdll.dll
  • c:\windows\system32\wow64.dll
  • c:\windows\system32\wow64win.dll
  • c:\windows\system32\wow64cpu.dll
  • c:\windows\syswow64\kernel32.dll
  • c:\windows\syswow64\kernelbase.dll
  • c:\windows\syswow64\apphelp.dll
  • c:\windows\syswow64\ws2_32.dll

PID: 3696
CMD: "C:\Users\admin\Desktop\2025-01-10_eccd750b599a15690119fbd270198a90_floxif_magniber.exe"
Path: C:\Users\admin\Desktop\2025-01-10_eccd750b599a15690119fbd270198a90_floxif_magniber.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Modules (images):
  • c:\users\admin\desktop\2025-01-10_eccd750b599a15690119fbd270198a90_floxif_magniber.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\syswow64\ntdll.dll
  • c:\windows\system32\wow64.dll
  • c:\windows\system32\wow64win.dll
  • c:\windows\system32\wow64cpu.dll
  • c:\windows\syswow64\kernel32.dll
  • c:\windows\syswow64\kernelbase.dll
  • c:\windows\syswow64\apphelp.dll
  • c:\windows\syswow64\advapi32.dll
Total events: 620
Read events: 617
Write events: 3
Delete events: 0

Modification events

(PID) Process: (3696) 2025-01-10_eccd750b599a15690119fbd270198a90_floxif_magniber.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation: write
Name: CachePrefix
Value:

(PID) Process: (3696) 2025-01-10_eccd750b599a15690119fbd270198a90_floxif_magniber.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write
Name: CachePrefix
Value: Cookie:

(PID) Process: (3696) 2025-01-10_eccd750b599a15690119fbd270198a90_floxif_magniber.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write
Name: CachePrefix
Value: Visited:
Executable files: 8
Suspicious files: 4
Text files: 24
Unknown types: 0

Dropped files

PID | Process | Filename | Type
3696 | 2025-01-10_eccd750b599a15690119fbd270198a90_floxif_magniber.exe | C:\Users\admin\AppData\Local\Temp\A1D26E2\7C67B0CE70.tmp | executable
MD5: 57A7C62870D0C85FF2A120AB2C74EF98
SHA256: 7B00E1221E8067896639552771BCFC4C57F3371B4DBB4AAF14A962EBBB32391F
3696 | 2025-01-10_eccd750b599a15690119fbd270198a90_floxif_magniber.exe | C:\Users\admin\AppData\Local\Temp\FP7EB9.tmp | text
MD5: 516B8867D053E6C1A890A6B173B1D1D8
SHA256: 43B015FA314DD8EC8A70FF8623CB54208B7E68C3898F165F169EF1A25F44DAAA
3696 | 2025-01-10_eccd750b599a15690119fbd270198a90_floxif_magniber.exe | C:\Users\admin\Desktop\SubDirectory\Ditto.exe | executable
MD5: A7569CDF60DB586EC255EF9FFE311498
SHA256: 8A3C268F908EE5994BF9BB43BBF04A31D82506D15A11E69C9D98501C8F11C91A
3696 | 2025-01-10_eccd750b599a15690119fbd270198a90_floxif_magniber.exe | C:\Users\admin\Desktop\SubDirectory\Addins\DittoUtil.dll | executable
MD5: E7C7DF2A4F053944080F2FE5A427AF24
SHA256: 6F52B436512C930752DA8494D4C9BD2D6668DE553676EB503C009E0B22E9CED4
3696 | 2025-01-10_eccd750b599a15690119fbd270198a90_floxif_magniber.exe | C:\Users\admin\Desktop\SubDirectory\Ditto.fpp | text
MD5: C5E8754F29D3CE69280788ED0CF14B05
SHA256: BD31F2431E972539B94F44A2FC007B5A0B0E8345AFC82E193AA5C4D0249772DB
3696 | 2025-01-10_eccd750b599a15690119fbd270198a90_floxif_magniber.exe | C:\Users\admin\Desktop\SubDirectory\DittoDitto_Before_Update_To_03_18_46_00.db | sqlite
MD5: 2C8D1EDAB5E7F5A649EB7FFA4523069B
SHA256: BBC840C3FA94968DBC10A3BCD13DB42B2FE3D3A3A77918B516A566D5D7C28158
3696 | 2025-01-10_eccd750b599a15690119fbd270198a90_floxif_magniber.exe | C:\Users\admin\Desktop\SubDirectory\Ditto.Settings | ini
MD5: E0CBD68347493DF5D4F6F232D508F0A8
SHA256: DFE375BA181ACC0A808C87D9B61E1FE16E259D074345FA0640713725AB9A780F
3696 | 2025-01-10_eccd750b599a15690119fbd270198a90_floxif_magniber.exe | C:\Users\admin\Desktop\SubDirectory\Help\DittoGettingStarted.htm | html
MD5: F7D216A98789BB2BD9CE67590E6124C5
SHA256: AF8AC5071CEB59A84252EA797711DD5BACFA0F3F2C22F2D9CD3B385628433805
3696 | 2025-01-10_eccd750b599a15690119fbd270198a90_floxif_magniber.exe | C:\Users\admin\Desktop\SubDirectory\Help\DittoCustomKeys.htm | html
MD5: F6667B548B24B917CAD058030D064458
SHA256: B11FCD7B771EAE439E83028FA76362CA8227E0BE5EA998D7CE78E83E5017807C
3696 | 2025-01-10_eccd750b599a15690119fbd270198a90_floxif_magniber.exe | C:\Users\admin\Desktop\SubDirectory\Help\Dutch_DittoConfig.htm | html
MD5: 4104560D07D254553F1A7F9697E4E663
SHA256: 03A4B19ED7E1A6EA37E2FFB679DD91BF00488BB8098DB31A048E06E3C923D1A2
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 9
TCP/UDP connections: 20
DNS requests: 14
Threats: 6

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Reputation
- | - | GET | 200 | 23.48.23.141:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
- | - | GET | 200 | 23.37.237.227:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
3696 | 2025-01-10_eccd750b599a15690119fbd270198a90_floxif_magniber.exe | GET | 403 | 72.14.185.43:80 | http://www.aieov.com/logo.gif | unknown | malicious
3696 | 2025-01-10_eccd750b599a15690119fbd270198a90_floxif_magniber.exe | GET | 403 | 72.14.185.43:80 | http://www.aieov.com/logo.gif | unknown | malicious
3696 | 2025-01-10_eccd750b599a15690119fbd270198a90_floxif_magniber.exe | GET | 403 | 72.14.185.43:80 | http://www.aieov.com/logo.gif | unknown | malicious
- | - | POST | 204 | 2.16.204.146:443 | https://www.bing.com/threshold/xls.aspx | unknown | whitelisted
3696 | 2025-01-10_eccd750b599a15690119fbd270198a90_floxif_magniber.exe | GET | 403 | 72.14.185.43:80 | http://www.aieov.com/logo.gif | unknown | malicious
3696 | 2025-01-10_eccd750b599a15690119fbd270198a90_floxif_magniber.exe | GET | 403 | 72.14.185.43:80 | http://www.aieov.com/logo.gif | unknown | malicious
3696 | 2025-01-10_eccd750b599a15690119fbd270198a90_floxif_magniber.exe | GET | 403 | 72.14.185.43:80 | http://www.aieov.com/logo.gif | unknown | malicious

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
- | - | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
- | - | 23.48.23.141:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
- | - | 23.37.237.227:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
- | - | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
3696 | 2025-01-10_eccd750b599a15690119fbd270198a90_floxif_magniber.exe | 72.14.185.43:80 | www.aieov.com | Linode, LLC | US | malicious
188 | svchost.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
5064 | SearchApp.exe | 2.16.204.152:443 | www.bing.com | Akamai International B.V. | DE | whitelisted

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 51.124.78.146, 40.127.240.158, 20.73.194.208 | whitelisted
google.com | 142.250.185.110 | whitelisted
crl.microsoft.com | 23.48.23.141, 23.48.23.149, 23.48.23.137, 23.48.23.145, 23.48.23.146, 23.48.23.134, 23.48.23.138, 23.48.23.192, 23.48.23.191 | whitelisted
www.microsoft.com | 23.37.237.227 | whitelisted
5isohu.com | - | whitelisted
www.aieov.com | 72.14.185.43, 173.255.194.134, 45.33.30.197, 45.33.18.44, 45.79.19.196, 45.33.2.79, 198.58.118.167, 45.56.79.23, 96.126.123.244, 72.14.178.174, 45.33.20.235, 45.33.23.183 | malicious
www.bing.com | 2.16.204.152, 2.16.204.156, 2.16.204.160, 2.16.204.138, 2.16.204.142, 2.16.204.135, 2.16.204.145, 2.16.204.161, 2.16.204.158 | whitelisted
self.events.data.microsoft.com | 20.189.173.10 | whitelisted

Threats

Found threats are available for the paid subscriptions
6 ETPRO signatures available at the full report
No debug info