MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 370f02f43627b6fe3f9bcf97f89768950912196948f9d8a33226054b24a435b1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Floxif

Vendor detections: 15

Intelligence 15 IOCs YARA 17 File information Comments

SHA256 hash:	370f02f43627b6fe3f9bcf97f89768950912196948f9d8a33226054b24a435b1
SHA3-384 hash:	cc86000911341110f3a6faa8c232700e82416346df958fd4ed86f820e4d177585fa362d41963a8539b302d2a5f58b3b2
SHA1 hash:	42008400c99c1ffd1420d341b3e83dc7281fc517
MD5 hash:	487abbc071ff53717ead88d63fd98d76
humanhash:	nebraska-jupiter-october-hot
File name:	250427-s1s47awl17.bin
Download:	download sample
Signature	Floxif Create hunting rule
File size:	2'924'495 bytes
First seen:	2025-04-27 15:41:33 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	0a22378d04d7508437ae8519c3c77e41 (3 x Floxif)
ssdeep	49152:7J/7yQHQipzLZbTMhu3dhqd38H8QKJbXTBQ4vFD3Tf0guMCqxqoyQ4hDM4h:7J/BpzLZbTOufqd3o8QgDHvd3z0guMCb
Threatray	3 similar samples on MalwareBazaar
TLSH	T1A9D59E22B6D58037D6330372992DB36964BDBE700A3582CBB3D41E2D2D719C29A39777
TrID	40.3% (.EXE) Win64 Executable (generic) (10522/11/4) 19.3% (.EXE) Win16 NE executable (generic) (5038/12/1) 17.2% (.EXE) Win32 Executable (generic) (4504/4/1) 7.7% (.EXE) OS/2 Executable (generic) (2029/13) 7.6% (.EXE) Generic Win/DOS Executable (2002/3)
Magika	pebin
dhash icon	71c898b4cce6d070 (3 x Floxif)
Reporter	UNP4CK
Tags:	Floxif

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

250427-s1s47awl17.bin

Verdict:

Malicious activity

Analysis date:

2025-04-27 15:49:58 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/0704954a-4207-4751-a5b7-6fd4aeacd2c3

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

FloodFix

Link:

https://www.capesandbox.com/analysis/4330/

Detection(s):

Win.Virus.Pioneer-9111434-0

MiscreantPunch.SingleXOR.EXE.197.UNOFFICIAL

Verdict:

Malicious

Score:

99.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=680e5347c8b2e86d0ac340e1

Tags:

obfuscated floxif virus

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a file

Creating a file in the Program Files subdirectories

Replacing executable files

DNS request

Connection attempt

Sending an HTTP GET request

Сreating synchronization primitives

Creating a window

Creating a file in the mass storage device

Infecting executable files

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

adaptive-context crypto disk entropy explorer fingerprint keylogger lolbin masquerade microsoft_visual_cc obfuscated overlay overlay packed packed rat virtual xor-pe

Link:

https://www.filescan.io/uploads/680e505d218c4a98ade3f19c/reports/696a819f-f3d8-43f1-8e1c-efc236eb4a81/overview

Verdict:

Malicious

Labled as:

Virus.Floxif

Link:

https://www.hybrid-analysis.com/sample/370f02f43627b6fe3f9bcf97f89768950912196948f9d8a33226054b24a435b1

Malware family:

Floxif

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/2669c2a9-aa0e-42b0-af5e-1139fd8969c1

Result

Threat name:

FloodFix, GhostRat

Detection:

malicious

Classification:

spre.troj

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1675522

Signature

Allows loading of unsigned dll using appinit_dll

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Creates an undocumented autostart registry key

Infects executable files (exe, dll, sys, html)

Joe Sandbox ML detected suspicious sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected FloodFix

Yara detected GhostRat

Behaviour

Behavior Graph:

Download SVG

Score:

Verdict:

Benign

File Type:

Link:

https://malprob.io/report/370f02f43627b6fe3f9bcf97f89768950912196948f9d8a33226054b24a435b1

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/370f02f43627b6fe3f9bcf97f89768950912196948f9d8a33226054b24a435b1/

Threat name:

Win32.Virus.Floxif

Status:

Malicious

First seen:

2025-04-27 12:53:00 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

24 of 24 (100.00%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=g4hqf5bwe63p4p43z6l7rf3isueregljjd45rizseycuwjfegwyq._file

Verdict:

malicious

Label(s):

floxif

Floxif

370f02f43627b6fe3f9bcf97f89768950912196948f9d8a33226054b24a435b1

Floxif

error

Floxif

Result

Malware family:

floxif

Score:

10/10

Tags:

family:floxif backdoor discovery persistence privilege_escalation trojan upx

Link:

https://tria.ge/reports/250427-s5g8gstsbv/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

System Location Discovery: System Language Discovery

Drops file in Program Files directory

UPX packed file

Enumerates connected drives

ACProtect 1.3x - 1.4x DLL software

Loads dropped DLL

Event Triggered Execution: AppInit DLLs

Detects Floxif payload

Floxif family

Floxif, Floodfix

Verdict:

Malicious

Tags:

trojan floxif Win.Virus.Pioneer-9111434-0

YARA:

Windows_Virus_Floxif_493d1897

Link:

https://app.threat.zone/submission/1ea088d7-8b3d-44ac-acf0-940e6b17f3c3

Unpacked files

SH256 hash:

370f02f43627b6fe3f9bcf97f89768950912196948f9d8a33226054b24a435b1

MD5 hash:

487abbc071ff53717ead88d63fd98d76

SHA1 hash:

42008400c99c1ffd1420d341b3e83dc7281fc517

Link:

https://www.unpac.me/results/8e36fdfb-68d6-4f40-8df1-0fd2fb668ce2/

Malware family:

Floxif

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/370f02f43627/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Check_OutputDebugStringA_iat Create hunting rule

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	MALWARE_Win_FloodFix Create hunting rule
Author:	ditekSHen
Description:	Detects FloodFix

Rule name:	MAL_Floxif_Generic Create hunting rule
Author:	Florian Roth (Nextron Systems)
Description:	Detects Floxif Malware
Reference:	Internal Research

Rule name:	MAL_Floxif_Generic_RID2DCE Create hunting rule
Author:	Florian Roth
Description:	Detects Floxif Malware
Reference:	Internal Research

Rule name:	meth_stackstrings Create hunting rule
Author:	Willi Ballenthin

Rule name:	PE_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	SUSP_Microsoft_Copyright_String_Anomaly_2 Create hunting rule
Author:	Florian Roth (Nextron Systems)
Description:	Detects Floxif Malware
Reference:	Internal Research

Rule name:	SUSP_Microsoft_Copyright_String_Anomaly_2_RID3720 Create hunting rule
Author:	Florian Roth
Description:	Detects Floxif Malware
Reference:	Internal Research

Rule name:	SUSP_XORed_MSDOS_Stub_Message Create hunting rule
Author:	Florian Roth
Description:	Detects suspicious XORed MSDOS stub message
Reference:	https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings

Rule name:	Sus_Obf_Enc_Spoof_Hide_PE Create hunting rule
Author:	XiAnzheng
Description:	Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

Rule name:	UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser Create hunting rule
Author:	malware-lu

Rule name:	Windows_Virus_Floxif_493d1897 Create hunting rule
Author:	Elastic Security

Rule name:	win_floxif_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.floxif.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/4330/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (HIGH_ENTROPY_VA)	high

Reviews

ID	Capabilities	Evidence
AUTH_API	Manipulates User Authorization	ADVAPI32.dll::ConvertStringSecurityDescriptorToSecurityDescriptorW ADVAPI32.dll::RevertToSelf ADVAPI32.dll::InitializeSecurityDescriptor
COM_BASE_API	Can Download & Execute components	ole32.dll::CLSIDFromProgID ole32.dll::CoCreateInstance ole32.dll::CoFreeUnusedLibraries ole32.dll::CoInitializeSecurity ole32.dll::CreateStreamOnHGlobal
DP_API	Uses DP API	CRYPT32.dll::CryptUnprotectData
GDI_PLUS_API	Interfaces with Graphics	gdiplus.dll::GdiplusStartup gdiplus.dll::GdiplusShutdown gdiplus.dll::GdipDeleteGraphics gdiplus.dll::GdipAlloc gdiplus.dll::GdipCreateFromHDC
MULTIMEDIA_API	Can Play Multimedia	WINMM.dll::PlaySoundW
RPC_API	Can Execute Remote Procedures	RPCRT4.dll::RpcStringFreeA
SECURITY_BASE_API	Uses Security Base API	ADVAPI32.dll::AdjustTokenPrivileges ADVAPI32.dll::CheckTokenMembership ADVAPI32.dll::DuplicateToken ADVAPI32.dll::ImpersonateLoggedOnUser ADVAPI32.dll::SetSecurityDescriptorDacl
SHELL_API	Manipulates System Shell	SHELL32.dll::ShellExecuteExW SHELL32.dll::ShellExecuteW SHELL32.dll::SHGetFileInfoW
WIN32_PROCESS_API	Can Create Process and Threads	KERNEL32.dll::CreateProcessW KERNEL32.dll::OpenProcess ADVAPI32.dll::OpenProcessToken KERNEL32.dll::CloseHandle IPHLPAPI.DLL::IcmpCloseHandle WININET.dll::InternetCloseHandle
WIN_BASE_API	Uses Win Base API	KERNEL32.dll::TerminateProcess KERNEL32.dll::LoadLibraryW KERNEL32.dll::LoadLibraryA KERNEL32.dll::LoadLibraryExW KERNEL32.dll::GetVolumeInformationW KERNEL32.dll::GetSystemInfo
WIN_BASE_EXEC_API	Can Execute other programs	KERNEL32.dll::WriteConsoleW KERNEL32.dll::ReadConsoleW KERNEL32.dll::SetStdHandle KERNEL32.dll::GetConsoleCP KERNEL32.dll::GetConsoleMode
WIN_BASE_IO_API	Can Create Files	KERNEL32.dll::CopyFileW KERNEL32.dll::CreateDirectoryW KERNEL32.dll::CreateFileW KERNEL32.dll::CreateFileMappingW IPHLPAPI.DLL::IcmpCreateFile KERNEL32.dll::DeleteFileW
WIN_BASE_USER_API	Retrieves Account Information	ADVAPI32.dll::GetUserNameW ADVAPI32.dll::LookupPrivilegeValueW
WIN_CRYPT_API	Uses Windows Crypt API	CRYPT32.dll::CertAddEncodedCertificateToStore CRYPT32.dll::CertDeleteCertificateFromStore CRYPT32.dll::CertOpenStore ADVAPI32.dll::CryptAcquireContextW ADVAPI32.dll::CryptCreateHash ADVAPI32.dll::CryptGetHashParam
WIN_REG_API	Can Manipulate Windows Registry	ADVAPI32.dll::RegCreateKeyExW ADVAPI32.dll::RegDeleteKeyW ADVAPI32.dll::RegOpenKeyExW ADVAPI32.dll::RegQueryInfoKeyW ADVAPI32.dll::RegQueryValueExW ADVAPI32.dll::RegQueryValueW
WIN_SOCK_API	Uses Network to send and receive data	WS2_32.dll::freeaddrinfo WS2_32.dll::getaddrinfo WS2_32.dll::WSAAddressToStringW WS2_32.dll::WSACloseEvent WS2_32.dll::WSAConnect WS2_32.dll::WSACreateEvent
WIN_USER_API	Performs GUI Actions	USER32.dll::AppendMenuW USER32.dll::CloseDesktop USER32.dll::CreateMenu ole32.dll::OleCreateMenuDescriptor USER32.dll::EmptyClipboard USER32.dll::OpenClipboard

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample