File name: 2025-01-10_eccd750b599a15690119fbd270198a90_floxif_magniber

Full analysis: https://app.any.run/tasks/b9fa2048-3d9e-4ab2-94c4-9227b4d750c9
Verdict: Malicious activity
Analysis date: January 10, 2025, 18:11:56
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: floxif, upx
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed, 3 sections
MD5: ECCD750B599A15690119FBD270198A90
SHA1: E193703A3596CBC5F8FD9A2C634C4A2BFB98854B
SHA256: F638DC1B721004C8F1926C014A978856F80205D04EDB02392E99B52D204BA993
SSDEEP: 98304:NKTzRqLJSACSn9GMPML8g3tdctxT9EjfFr4de6ExYqaNzyHesBQc04lDUAfJ0+vP:TGRGefB

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Executing a file with an untrusted certificate
      • Ditto.exe (PID: 2428)
    • FLOXIF has been detected (SURICATA)
      • 2025-01-10_eccd750b599a15690119fbd270198a90_floxif_magniber.exe (PID: 3696)
    • Connects to the CnC server
      • 2025-01-10_eccd750b599a15690119fbd270198a90_floxif_magniber.exe (PID: 3696)
  • SUSPICIOUS
    • Process drops a legitimate Windows executable
      • 2025-01-10_eccd750b599a15690119fbd270198a90_floxif_magniber.exe (PID: 3696)
    • Executable content was dropped or overwritten
      • 2025-01-10_eccd750b599a15690119fbd270198a90_floxif_magniber.exe (PID: 3696)
    • The process drops C-runtime libraries
      • 2025-01-10_eccd750b599a15690119fbd270198a90_floxif_magniber.exe (PID: 3696)
    • Reads security settings of Internet Explorer
      • 2025-01-10_eccd750b599a15690119fbd270198a90_floxif_magniber.exe (PID: 3696)
    • Contacting a server suspected of hosting a CnC
      • 2025-01-10_eccd750b599a15690119fbd270198a90_floxif_magniber.exe (PID: 3696)
  • INFO
    • Creates files in a temporary directory
      • 2025-01-10_eccd750b599a15690119fbd270198a90_floxif_magniber.exe (PID: 3696)
    • Checks supported languages
      • 2025-01-10_eccd750b599a15690119fbd270198a90_floxif_magniber.exe (PID: 3696)
      • Ditto.exe (PID: 2428)
    • Failed to create an executable file in the Windows directory
      • 2025-01-10_eccd750b599a15690119fbd270198a90_floxif_magniber.exe (PID: 3696)
    • The sample was compiled with English language support
      • 2025-01-10_eccd750b599a15690119fbd270198a90_floxif_magniber.exe (PID: 3696)
    • Reads the computer name
      • 2025-01-10_eccd750b599a15690119fbd270198a90_floxif_magniber.exe (PID: 3696)
      • Ditto.exe (PID: 2428)
    • Checks proxy server information
      • 2025-01-10_eccd750b599a15690119fbd270198a90_floxif_magniber.exe (PID: 3696)
    • The process uses the downloaded file
      • 2025-01-10_eccd750b599a15690119fbd270198a90_floxif_magniber.exe (PID: 3696)
    • UPX packer has been detected
      • 2025-01-10_eccd750b599a15690119fbd270198a90_floxif_magniber.exe (PID: 3696)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | InstallShield setup (28)
.exe | Win32 EXE PECompact compressed (generic) (27.1)
.exe | UPX compressed Win32 Executable (17.6)
.exe | Win32 EXE Yoda's Crypter (17.3)
.dll | Win32 Dynamic Link Library (generic) (4.2)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2007:08:19 08:31:03+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 2.5
CodeSize: 45056
InitializedDataSize: 4096
UninitializedDataSize: 94208
EntryPoint: 0x22240
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
All screenshots are available in the full report
Total processes: 116
Monitored processes: 2
Malicious processes: 1
Suspicious processes: 1

Behavior graph

start -> 2025-01-10_eccd750b599a15690119fbd270198a90_floxif_magniber.exe (#FLOXIF) -> ditto.exe (no specs)

Process information

PID | CMD | Path | Parent process
2428 | "C:\Users\admin\Desktop\SubDirectory\Ditto.exe" | C:\Users\admin\Desktop\SubDirectory\Ditto.exe | 2025-01-10_eccd750b599a15690119fbd270198a90_floxif_magniber.exe
User: admin
Integrity Level: MEDIUM
Description: Ditto
Version: 3.18.46.0
Modules (images):
c:\users\admin\desktop\subdirectory\ditto.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\ws2_32.dll

PID | CMD | Path | Parent process
3696 | "C:\Users\admin\Desktop\2025-01-10_eccd750b599a15690119fbd270198a90_floxif_magniber.exe" | C:\Users\admin\Desktop\2025-01-10_eccd750b599a15690119fbd270198a90_floxif_magniber.exe | explorer.exe
User: admin
Integrity Level: MEDIUM
Modules (images):
c:\users\admin\desktop\2025-01-10_eccd750b599a15690119fbd270198a90_floxif_magniber.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
Total events: 620
Read events: 617
Write events: 3
Delete events: 0

Modification events

(PID) Process: (3696) 2025-01-10_eccd750b599a15690119fbd270198a90_floxif_magniber.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation: write
Name: CachePrefix
Value:

(PID) Process: (3696) 2025-01-10_eccd750b599a15690119fbd270198a90_floxif_magniber.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write
Name: CachePrefix
Value: Cookie:

(PID) Process: (3696) 2025-01-10_eccd750b599a15690119fbd270198a90_floxif_magniber.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write
Name: CachePrefix
Value: Visited:
Executable files: 8
Suspicious files: 4
Text files: 24
Unknown types: 0

Dropped files

PID | Process | Filename | Type
3696 | 2025-01-10_eccd750b599a15690119fbd270198a90_floxif_magniber.exe | C:\Users\admin\AppData\Local\Temp\conres.dll | executable
MD5: 7574CF2C64F35161AB1292E2F532AABF
SHA256: DE055A89DE246E629A8694BDE18AF2B1605E4B9B493C7E4AEF669DD67ACF5085
3696 | 2025-01-10_eccd750b599a15690119fbd270198a90_floxif_magniber.exe | C:\Users\admin\AppData\Local\Temp\FP7EB9.tmp | text
MD5: 516B8867D053E6C1A890A6B173B1D1D8
SHA256: 43B015FA314DD8EC8A70FF8623CB54208B7E68C3898F165F169EF1A25F44DAAA
3696 | 2025-01-10_eccd750b599a15690119fbd270198a90_floxif_magniber.exe | C:\Users\admin\Desktop\SubDirectory\Help\DittoConfig.htm | html
MD5: E1A7002947A93276D4740610B3ACCBC8
SHA256: 8C9BB86F19622E9258F1BC19B813118CDEEBC0F0E4DF01FCC7514F1C48A3F8F1
3696 | 2025-01-10_eccd750b599a15690119fbd270198a90_floxif_magniber.exe | C:\Users\admin\Desktop\SubDirectory\Ditto.db | sqlite
MD5: 5EBBF9C13ABC941C48AF610B90B65DCC
SHA256: A251E99108884BD01D8B1A46EC6A7BC710EED91000652B13B9B7AC6F51F549D4
3696 | 2025-01-10_eccd750b599a15690119fbd270198a90_floxif_magniber.exe | C:\Users\admin\Desktop\SubDirectory\Ditto.Settings | ini
MD5: E0CBD68347493DF5D4F6F232D508F0A8
SHA256: DFE375BA181ACC0A808C87D9B61E1FE16E259D074345FA0640713725AB9A780F
3696 | 2025-01-10_eccd750b599a15690119fbd270198a90_floxif_magniber.exe | C:\Users\admin\Desktop\SubDirectory\Changes.txt | text
MD5: 71C14E67118CE3865DBDC8B6E6F7F108
SHA256: 814E65878F4A845864BA8C7DB16C4C3857F16A40B9BC231CC1C06EED6BDED186
3696 | 2025-01-10_eccd750b599a15690119fbd270198a90_floxif_magniber.exe | C:\Users\admin\Desktop\SubDirectory\DittoDitto_Before_Update_To_03_18_46_00.db | sqlite
MD5: 2C8D1EDAB5E7F5A649EB7FFA4523069B
SHA256: BBC840C3FA94968DBC10A3BCD13DB42B2FE3D3A3A77918B516A566D5D7C28158
3696 | 2025-01-10_eccd750b599a15690119fbd270198a90_floxif_magniber.exe | C:\Users\admin\Desktop\SubDirectory\Addins\DittoUtil.dll | executable
MD5: E7C7DF2A4F053944080F2FE5A427AF24
SHA256: 6F52B436512C930752DA8494D4C9BD2D6668DE553676EB503C009E0B22E9CED4
3696 | 2025-01-10_eccd750b599a15690119fbd270198a90_floxif_magniber.exe | C:\Users\admin\Desktop\SubDirectory\Help\DittoFAQ.htm | html
MD5: CAC002AB8E9539B820ABBB1040C05628
SHA256: 57D60A25370CB62DC44BD04AABC3864BC6613FEF04D6BB14BAEA4E6D51B009FB
3696 | 2025-01-10_eccd750b599a15690119fbd270198a90_floxif_magniber.exe | C:\Users\admin\Desktop\SubDirectory\Ditto.exe | executable
MD5: A7569CDF60DB586EC255EF9FFE311498
SHA256: 8A3C268F908EE5994BF9BB43BBF04A31D82506D15A11E69C9D98501C8F11C91A
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 9
TCP/UDP connections: 20
DNS requests: 14
Threats: 6

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Reputation
- | - | GET | 200 | 23.48.23.141:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
- | - | GET | 200 | 23.37.237.227:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
3696 | 2025-01-10_eccd750b599a15690119fbd270198a90_floxif_magniber.exe | GET | 403 | 72.14.185.43:80 | http://www.aieov.com/logo.gif | unknown | malicious
3696 | 2025-01-10_eccd750b599a15690119fbd270198a90_floxif_magniber.exe | GET | 403 | 72.14.185.43:80 | http://www.aieov.com/logo.gif | unknown | malicious
3696 | 2025-01-10_eccd750b599a15690119fbd270198a90_floxif_magniber.exe | GET | 403 | 72.14.185.43:80 | http://www.aieov.com/logo.gif | unknown | malicious
3696 | 2025-01-10_eccd750b599a15690119fbd270198a90_floxif_magniber.exe | GET | 403 | 72.14.185.43:80 | http://www.aieov.com/logo.gif | unknown | malicious
3696 | 2025-01-10_eccd750b599a15690119fbd270198a90_floxif_magniber.exe | GET | 403 | 72.14.185.43:80 | http://www.aieov.com/logo.gif | unknown | malicious
3696 | 2025-01-10_eccd750b599a15690119fbd270198a90_floxif_magniber.exe | GET | 403 | 72.14.185.43:80 | http://www.aieov.com/logo.gif | unknown | malicious
- | - | POST | 204 | 2.16.204.146:443 | https://www.bing.com/threshold/xls.aspx | unknown | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
- | - | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
- | - | 23.48.23.141:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
- | - | 23.37.237.227:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
- | - | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
3696 | 2025-01-10_eccd750b599a15690119fbd270198a90_floxif_magniber.exe | 72.14.185.43:80 | www.aieov.com | Linode, LLC | US | malicious
188 | svchost.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
5064 | SearchApp.exe | 2.16.204.152:443 | www.bing.com | Akamai International B.V. | DE | whitelisted

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 51.124.78.146, 40.127.240.158, 20.73.194.208 | whitelisted
google.com | 142.250.185.110 | whitelisted
crl.microsoft.com | 23.48.23.141, 23.48.23.149, 23.48.23.137, 23.48.23.145, 23.48.23.146, 23.48.23.134, 23.48.23.138, 23.48.23.192, 23.48.23.191 | whitelisted
www.microsoft.com | 23.37.237.227 | whitelisted
5isohu.com | - | whitelisted
www.aieov.com | 72.14.185.43, 173.255.194.134, 45.33.30.197, 45.33.18.44, 45.79.19.196, 45.33.2.79, 198.58.118.167, 45.56.79.23, 96.126.123.244, 72.14.178.174, 45.33.20.235, 45.33.23.183 | malicious
www.bing.com | 2.16.204.152, 2.16.204.156, 2.16.204.160, 2.16.204.138, 2.16.204.142, 2.16.204.135, 2.16.204.145, 2.16.204.161, 2.16.204.158 | whitelisted
self.events.data.microsoft.com | 20.189.173.10 | whitelisted

Threats

Found threats are available for the paid subscriptions
6 ETPRO signatures available at the full report
No debug info