MalwareBazaar Database
You are currently viewing the MalwareBazaar entry for SHA256 25ad4aab290da81d0ef7b56082261c5ba93ebd27c2d0ffa06a5d0ff5e91f1ad5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.
Database Entry
Floxif
Vendor detections: 17
| SHA256 hash: | 25ad4aab290da81d0ef7b56082261c5ba93ebd27c2d0ffa06a5d0ff5e91f1ad5 |
|---|---|
| SHA3-384 hash: | 582f2c68d1fad2cb5cafe6a99b14f218ac4ac1306d188fafadffefaf595fc1bd8338375e14ba91760a0f3c8604d0190e |
| SHA1 hash: | e848230862a4e3e581466be317e98d9f16bf525e |
| MD5 hash: | 173bfe026b9bfab35561a5e1e46f5bf5 |
| humanhash: | wisconsin-south-equal-white |
| File name: | 250427-qc9qxstn15.bin |
| Download: | download sample |
| Signature | Floxif |
| File size: | 2'924'495 bytes |
| First seen: | 2025-04-27 13:15:55 UTC |
| Last seen: | Never |
| File type: |  exe |
| MIME type: | application/x-dosexec |
| imphash | 0a22378d04d7508437ae8519c3c77e41 (3 x Floxif) |
| ssdeep | 49152:7JB7yQHQipzLZqlTMhu3dhqd38H8QKJbXTBQ4vFD2Tf0guMCqxqoyQ4hDM4d:7JBBpzLZETOufqd3o8QgDHvd2z0guMC7 |
| Threatray | 2 similar samples on MalwareBazaar |
| TLSH | T182D59E22B6D58037D6330372992DB36964BDBE700A3582CBB3D41E2D2D719C29A39777 |
| TrID | 40.3% (.EXE) Win64 Executable (generic) (10522/11/4) 19.3% (.EXE) Win16 NE executable (generic) (5038/12/1) 17.2% (.EXE) Win32 Executable (generic) (4504/4/1) 7.7% (.EXE) OS/2 Executable (generic) (2029/13) 7.6% (.EXE) Generic Win/DOS Executable (2002/3) |
| Magika | pebin |
| dhash icon | 71c898b4cce6d070 (3 x Floxif) |
| Reporter |  UNP4CK |
| Tags: | Floxif |
Intelligence
File Origin
# of uploads :
1
# of downloads :
70
Origin country :
GBVendor Threat Intelligence
Malware family:
floxif
ID:
1
File name:
2025-04-27_173bfe026b9bfab35561a5e1e46f5bf5_bkransomware_darkgate_elex_floxif
Verdict:
Malicious activity
Analysis date:
2025-04-27 13:12:34 UTC
Tags:
floxif backdoor
Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
FloodFix
Verdict:
Malicious
Score:
99.9%
Tags:
obfuscated pioneer floxif virus
Result
Verdict:
Malware
Maliciousness:
Behaviour
Creating a file
Creating a file in the Program Files subdirectories
Replacing executable files
DNS request
Connection attempt
Сreating synchronization primitives
Creating a window
Sending an HTTP GET request
Creating a file in the mass storage device
Infecting executable files
Verdict:
Malicious
Threat level:
10/10
Confidence:
100%
Tags:
adaptive-context crypto disk entropy explorer fingerprint keylogger lolbin masquerade microsoft_visual_cc obfuscated overlay overlay packed packed rat virtual xor-pe
Verdict:
Malicious
Labled as:
Virus.Floxif
Malware family:
Floxif
Verdict:
Malicious
Result
Threat name:
FloodFix, GhostRat
Detection:
malicious
Classification:
spre.troj
Score:
100 / 100
Signature
Allows loading of unsigned dll using appinit_dll
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Creates an undocumented autostart registry key
Infects executable files (exe, dll, sys, html)
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected FloodFix
Yara detected GhostRat
Behaviour
Behavior Graph:
Score:
5%
Verdict:
Benign
File Type:
PE
Threat name:
Win32.Virus.Floxif
Status:
Malicious
First seen:
2025-04-27 12:52:00 UTC
File Type:
PE (Exe)
Extracted files:
64
AV detection:
24 of 24 (100.00%)
Threat level:
5/5
Detection(s):
Suspicious file
Verdict:
malicious
Label(s):
floxif
Result
Malware family:
floxif
Score:
10/10
Tags:
family:floxif backdoor discovery trojan upx
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
System Location Discovery: System Language Discovery
Drops file in Program Files directory
UPX packed file
Enumerates connected drives
ACProtect 1.3x - 1.4x DLL software
Loads dropped DLL
Detects Floxif payload
Floxif family
Floxif, Floodfix
Verdict:
Malicious
Tags:
trojan floxif Win.Virus.Pioneer-9111434-0
YARA:
Windows_Virus_Floxif_493d1897
Unpacked files
SH256 hash:
25ad4aab290da81d0ef7b56082261c5ba93ebd27c2d0ffa06a5d0ff5e91f1ad5
MD5 hash:
173bfe026b9bfab35561a5e1e46f5bf5
SHA1 hash:
e848230862a4e3e581466be317e98d9f16bf525e
Malware family:
Floxif
Verdict:
Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
YARA Signatures
MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.
| Rule name: | Check_OutputDebugStringA_iat |
|---|
| Rule name: | DebuggerCheck__API |
|---|---|
| Reference: | https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara |
| Rule name: | DebuggerException__ConsoleCtrl |
|---|---|
| Reference: | https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara |
| Rule name: | golang_bin_JCorn_CSC846 |
|---|---|
| Author: | Justin Cornwell |
| Description: | CSC-846 Golang detection ruleset |
| Rule name: | ldpreload |
|---|---|
| Author: | xorseed |
| Reference: | https://stuff.rop.io/ |
| Rule name: | MALWARE_Win_FloodFix |
|---|---|
| Author: | ditekSHen |
| Description: | Detects FloodFix |
| Rule name: | MAL_Floxif_Generic |
|---|---|
| Author: | Florian Roth (Nextron Systems) |
| Description: | Detects Floxif Malware |
| Reference: | Internal Research |
| Rule name: | MAL_Floxif_Generic_RID2DCE |
|---|---|
| Author: | Florian Roth |
| Description: | Detects Floxif Malware |
| Reference: | Internal Research |
| Rule name: | MD5_Constants |
|---|---|
| Author: | phoul (@phoul) |
| Description: | Look for MD5 constants |
| Rule name: | meth_stackstrings |
|---|---|
| Author: | Willi Ballenthin |
| Rule name: | PE_Digital_Certificate |
|---|---|
| Author: | albertzsigovits |
| Rule name: | RIPEMD160_Constants |
|---|---|
| Author: | phoul (@phoul) |
| Description: | Look for RIPEMD-160 constants |
| Rule name: | SEH__vectored |
|---|---|
| Reference: | https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara |
| Rule name: | SHA1_Constants |
|---|---|
| Author: | phoul (@phoul) |
| Description: | Look for SHA1 constants |
| Rule name: | SHA512_Constants |
|---|---|
| Author: | phoul (@phoul) |
| Description: | Look for SHA384/SHA512 constants |
| Rule name: | SUSP_Microsoft_Copyright_String_Anomaly_2 |
|---|---|
| Author: | Florian Roth (Nextron Systems) |
| Description: | Detects Floxif Malware |
| Reference: | Internal Research |
| Rule name: | SUSP_Microsoft_Copyright_String_Anomaly_2_RID3720 |
|---|---|
| Author: | Florian Roth |
| Description: | Detects Floxif Malware |
| Reference: | Internal Research |
| Rule name: | SUSP_XORed_MSDOS_Stub_Message |
|---|---|
| Author: | Florian Roth |
| Description: | Detects suspicious XORed MSDOS stub message |
| Reference: | https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings |
| Rule name: | Sus_Obf_Enc_Spoof_Hide_PE |
|---|---|
| Author: | XiAnzheng |
| Description: | Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP) |
| Rule name: | UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser |
|---|---|
| Author: | malware-lu |
| Rule name: | Windows_Virus_Floxif_493d1897 |
|---|---|
| Author: | Elastic Security |
| Rule name: | win_floxif_auto |
|---|---|
| Author: | Felix Bilstein - yara-signator at cocacoding dot com |
| Description: | Detects win.floxif. |
File information
The table below shows additional information about this malware sample such as delivery method and external references.
BLint
The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.
Findings
| ID | Title | Severity |
|---|---|---|
| CHECK_AUTHENTICODE | Missing Authenticode | high |
| CHECK_DLL_CHARACTERISTICS | Missing dll Security Characteristics (HIGH_ENTROPY_VA) | high |
Reviews
| ID | Capabilities | Evidence |
|---|---|---|
| AUTH_API | Manipulates User Authorization | ADVAPI32.dll::ConvertStringSecurityDescriptorToSecurityDescriptorW ADVAPI32.dll::RevertToSelf ADVAPI32.dll::InitializeSecurityDescriptor |
| COM_BASE_API | Can Download & Execute components | ole32.dll::CLSIDFromProgID ole32.dll::CoCreateInstance ole32.dll::CoFreeUnusedLibraries ole32.dll::CoInitializeSecurity ole32.dll::CreateStreamOnHGlobal |
| DP_API | Uses DP API | CRYPT32.dll::CryptUnprotectData |
| GDI_PLUS_API | Interfaces with Graphics | gdiplus.dll::GdiplusStartup gdiplus.dll::GdiplusShutdown gdiplus.dll::GdipDeleteGraphics gdiplus.dll::GdipAlloc gdiplus.dll::GdipCreateFromHDC |
| MULTIMEDIA_API | Can Play Multimedia | WINMM.dll::PlaySoundW |
| RPC_API | Can Execute Remote Procedures | RPCRT4.dll::RpcStringFreeA |
| SECURITY_BASE_API | Uses Security Base API | ADVAPI32.dll::AdjustTokenPrivileges ADVAPI32.dll::CheckTokenMembership ADVAPI32.dll::DuplicateToken ADVAPI32.dll::ImpersonateLoggedOnUser ADVAPI32.dll::SetSecurityDescriptorDacl |
| SHELL_API | Manipulates System Shell | SHELL32.dll::ShellExecuteExW SHELL32.dll::ShellExecuteW SHELL32.dll::SHGetFileInfoW |
| WIN32_PROCESS_API | Can Create Process and Threads | KERNEL32.dll::CreateProcessW KERNEL32.dll::OpenProcess ADVAPI32.dll::OpenProcessToken KERNEL32.dll::CloseHandle IPHLPAPI.DLL::IcmpCloseHandle WININET.dll::InternetCloseHandle |
| WIN_BASE_API | Uses Win Base API | KERNEL32.dll::TerminateProcess KERNEL32.dll::LoadLibraryW KERNEL32.dll::LoadLibraryA KERNEL32.dll::LoadLibraryExW KERNEL32.dll::GetVolumeInformationW KERNEL32.dll::GetSystemInfo |
| WIN_BASE_EXEC_API | Can Execute other programs | KERNEL32.dll::WriteConsoleW KERNEL32.dll::ReadConsoleW KERNEL32.dll::SetStdHandle KERNEL32.dll::GetConsoleCP KERNEL32.dll::GetConsoleMode |
| WIN_BASE_IO_API | Can Create Files | KERNEL32.dll::CopyFileW KERNEL32.dll::CreateDirectoryW KERNEL32.dll::CreateFileW KERNEL32.dll::CreateFileMappingW IPHLPAPI.DLL::IcmpCreateFile KERNEL32.dll::DeleteFileW |
| WIN_BASE_USER_API | Retrieves Account Information | ADVAPI32.dll::GetUserNameW ADVAPI32.dll::LookupPrivilegeValueW |
| WIN_CRYPT_API | Uses Windows Crypt API | CRYPT32.dll::CertAddEncodedCertificateToStore CRYPT32.dll::CertDeleteCertificateFromStore CRYPT32.dll::CertOpenStore ADVAPI32.dll::CryptAcquireContextW ADVAPI32.dll::CryptCreateHash ADVAPI32.dll::CryptGetHashParam |
| WIN_REG_API | Can Manipulate Windows Registry | ADVAPI32.dll::RegCreateKeyExW ADVAPI32.dll::RegDeleteKeyW ADVAPI32.dll::RegOpenKeyExW ADVAPI32.dll::RegQueryInfoKeyW ADVAPI32.dll::RegQueryValueExW ADVAPI32.dll::RegQueryValueW |
| WIN_SOCK_API | Uses Network to send and receive data | WS2_32.dll::freeaddrinfo WS2_32.dll::getaddrinfo WS2_32.dll::WSAAddressToStringW WS2_32.dll::WSACloseEvent WS2_32.dll::WSAConnect WS2_32.dll::WSACreateEvent |
| WIN_USER_API | Performs GUI Actions | USER32.dll::AppendMenuW USER32.dll::CloseDesktop USER32.dll::CreateMenu ole32.dll::OleCreateMenuDescriptor USER32.dll::EmptyClipboard USER32.dll::OpenClipboard |
Comments
Login required
You need to login to in order to write a comment. Login with your abuse.ch account.