MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6df588b4ad822707978cdc32b85764c300895f946f6581d529b6b9fe086ae706. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Floxif


Vendor detections: 17


Intelligence 17 IOCs YARA 20 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6df588b4ad822707978cdc32b85764c300895f946f6581d529b6b9fe086ae706
SHA3-384 hash: 3fe1ca29e8466d08ac680bb469ad7acea7deb3ff5262ed59470fb1910d5d0276e3ba4f4a2822b86bfefedb8721d8cc11
SHA1 hash: 4281f40eae1cca7d3e5668fa468e409287837a0c
MD5 hash: 350f33b885496185a6111fbb9359c4d4
humanhash: papa-rugby-burger-hawaii
File name:250426-1c92ssslw4.bin
Download: download sample
Signature Floxif
Create hunting rule
File size:297'927 bytes
First seen:2025-04-26 21:37:06 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 25ef3a82d8762a40131d6de79a7d5375 (1 x Floxif)
ssdeep 6144:QqXcbj3hzIYiOAOrU7p/IgfBEBV+UdvrEFp7hKGLz:QqXcXBMpguEBjvrEH7Nz
Threatray 56 similar samples on MalwareBazaar
TLSH T18054BE11B1C1C3F6C072083038F9EAB469FDFA3D0A6E557B93D457194E2C282AA65E77
TrID 32.2% (.EXE) Win64 Executable (generic) (10522/11/4)
20.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
15.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
13.7% (.EXE) Win32 Executable (generic) (4504/4/1)
6.2% (.EXE) OS/2 Executable (generic) (2029/13)
Magika pebin
Reporter UNP4CK
Tags:Floxif

Intelligence

File Origin
# of uploads :
1
# of downloads :
88
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
2025-04-26_350f33b885496185a6111fbb9359c4d4_black-basta_elex_floxif_luca-stealer
Verdict:
Malicious activity
Analysis date:
2025-04-26 21:31:31 UTC
Tags:
auto-reg antivm upx sinkhole
Link:
https://app.any.run/tasks/ca511fab-6792-4f26-8ad3-db5ffad316ed

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
FloodFix
Create hunting rule
Link:
https://www.capesandbox.com/analysis/4221/
Detection(s):
Win.Virus.Pioneer-9111434-0
Create hunting rule

Win.Ransomware.Phorpiex-9783383-1
Create hunting rule

Win.Virus.Pioneer-6804573-0
Create hunting rule

MiscreantPunch.SingleXOR.EXE.197.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=680d50b2c8b2e86d0ac2d792
Tags:
phorpiex phishing pioneer spam
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file
Creating a file in the Program Files subdirectories
DNS request
Connection attempt
Sending an HTTP GET request
Сreating synchronization primitives
Creating a file in the %temp% subdirectories
Creating a file in the Windows subdirectories
Enabling the 'hidden' option for recently created files
Creating a process from a recently created file
Launching the default Windows debugger (dwwin.exe)
Running batch commands
Creating a process with a hidden window
Connecting to a non-recommended domain
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Creating a file in the mass storage device
Connection attempt to an infection source
Query of malicious DNS domain
Enabling threat expansion on mass storage devices
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
entropy fingerprint floxif gandcrab masquerade microsoft_visual_cc obfuscated overlay overlay packed packed packed packed packer_detected threat virtual virus xor-pe
Link:
https://www.filescan.io/uploads/680d520346fe05453ca7c765/reports/cf49bca9-2200-49ba-aac0-a114ace18e64/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/6df588b4ad822707978cdc32b85764c300895f946f6581d529b6b9fe086ae706
Malware family:
Phorpiex
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/2e9f6025-5c20-4445-b9ca-078d91fa2e55
Result
Threat name:
FloodFix, GhostRat
Create hunting rule
Detection:
malicious
Classification:
spre.troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1675183
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Contain functionality to detect virtual machines
Creates an autostart registry key pointing to binary in C:\Windows
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Drops executables to the windows directory (C:\Windows) and starts them
Found evasive API chain (may stop execution after checking mutex)
Found evasive API chain (may stop execution after checking volume information)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Infects executable files (exe, dll, sys, html)
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected FloodFix
Yara detected GhostRat
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1675183 Sample: 250426-1c92ssslw4.bin.exe Startdate: 26/04/2025 Architecture: WINDOWS Score: 100 52 uoaeogauhduadhug.net 2->52 54 uoaeogauhduadhug.in 2->54 56 58 other IPs or domains 2->56 58 Suricata IDS alerts for network traffic 2->58 60 Malicious sample detected (through community Yara rule) 2->60 62 Antivirus detection for URL or domain 2->62 64 8 other signatures 2->64 7 250426-1c92ssslw4.bin.exe 3 27 2->7         started        11 winsvc.exe 2->11         started        13 winsvc.exe 2->13         started        15 winsvc.exe 2->15         started        signatures3 process4 file5 38 C:\Windows\...\winsvc.exe, PE32 7->38 dropped 40 C:\Users\user\AppData\...\80B01DF41DE4.tmp, PE32 7->40 dropped 42 C:\ProgramData\Microsoft\...\MpOav.dll (copy), PE32 7->42 dropped 44 44 other malicious files 7->44 dropped 74 Drops executables to the windows directory (C:\Windows) and starts them 7->74 76 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 7->76 78 Creates an autostart registry key pointing to binary in C:\Windows 7->78 80 2 other signatures 7->80 17 winsvc.exe 31 7->17         started        22 WerFault.exe 2 7->22         started        24 WerFault.exe 21 11->24         started        26 WerFault.exe 21 13->26         started        28 WerFault.exe 3 21 15->28         started        signatures6 process7 dnsIp8 46 eoufaoeuhoauengi.su 185.215.113.66, 49700, 80 WHOLESALECONNECTIONSNL Portugal 17->46 48 92.63.197.60, 80 NOVOGARA-ASNL Russian Federation 17->48 50 14 other IPs or domains 17->50 30 C:\Users\user\AppData\...\165711079834639.exe, PE32 17->30 dropped 66 Multi AV Scanner detection for dropped file 17->66 68 Detected unpacking (changes PE section rights) 17->68 70 Detected unpacking (overwrites its own PE header) 17->70 72 4 other signatures 17->72 32 C:\ProgramData\Microsoft\...\Report.wer, Unicode 24->32 dropped 34 C:\ProgramData\Microsoft\...\Report.wer, Unicode 26->34 dropped 36 C:\ProgramData\Microsoft\...\Report.wer, Unicode 28->36 dropped file9 signatures10
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/6df588b4ad822707978cdc32b85764c300895f946f6581d529b6b9fe086ae706
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6df588b4ad822707978cdc32b85764c300895f946f6581d529b6b9fe086ae706/
Threat name:
Win32.Virus.Floxif
Create hunting rule
Status:
Malicious
First seen:
2021-09-10 23:56:00 UTC
File Type:
PE (Exe)
Extracted files:
3
AV detection:
36 of 36 (100.00%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
shellcode_loader_003
Create hunting rule
floxif
Create hunting rule
phorpiex
Create hunting rule
Similar samples:
3cea805f1396df15bdbcd4317388a046a41a6079dba04576a58ba7b2c812338a
Floxif
4bf40544a1ffc64b6b26b5f24d8f624b7260cc40b34566b3463cae817bf7b612
Floxif
757bf8be40693456e7cdee5c53416d1cb223da5f7d0b9d55f4aca95f6a57605d
Floxif
8de13f64aab532c0bbd3d38cc821ba6fa67ccfadde9cffd14944cc9d85830f4a
Floxif
d921fc993574c8be76553bcf4296d2851e48ee39b958205e69bdfd7cf661d2b1
Floxif
error
Floxif
fa6fcf2e154c0b18b12ab86267ccd38d79cc9c27e7e261a7e9201a0a9dd9d0bb
Floxif
fc16c0bf09002c93723b8ab13595db5845a50a1b6a133237ac2d148b0bb41700
Floxif
+ 46 additional samples on MalwareBazaar
Result
Malware family:
floxif
Create hunting rule
Score:
  10/10
Tags:
family:floxif backdoor discovery persistence privilege_escalation trojan upx
Link:
https://tria.ge/reports/250426-1ghs4szthy/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
System Location Discovery: System Language Discovery
Drops file in Program Files directory
Drops file in Windows directory
UPX packed file
Adds Run key to start application
Enumerates connected drives
ACProtect 1.3x - 1.4x DLL software
Executes dropped EXE
Loads dropped DLL
Event Triggered Execution: AppInit DLLs
Detects Floxif payload
Floxif family
Floxif, Floodfix
Verdict:
Malicious
Tags:
trojan floxif dll Win.Virus.Pioneer-9111434-0
YARA:
Windows_Virus_Floxif_493d1897 Malware_Floxif_mpsvc_dll
Link:
https://app.threat.zone/submission/4f83398f-9a80-4b07-a4a5-cbe209923077
Unpacked files
SH256 hash:
6df588b4ad822707978cdc32b85764c300895f946f6581d529b6b9fe086ae706
MD5 hash:
350f33b885496185a6111fbb9359c4d4
SHA1 hash:
4281f40eae1cca7d3e5668fa468e409287837a0c
Link:
https://www.unpac.me/results/ea80fd1a-cc79-4925-9085-9943826c5ded/
SH256 hash:
39c89737d2d3745292d7bfe4a2428ca8bbb0c4f2e3eaf59b20aeae74b57edff0
MD5 hash:
5f94225225a6c8b4a7648db78b6935e9
SHA1 hash:
cbb0dca928d683d298ba9ff96763e166c9a1bd5f
Detections:
win_phorpiex_g1
Create hunting rule
win_phorpiex_auto
Create hunting rule
win_phorpiex_a
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_SandboxHookingDLL
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
Create hunting rule
Link:
https://www.unpac.me/results/ea80fd1a-cc79-4925-9085-9943826c5ded/
SH256 hash:
9b430cf0279ea266bee0497fd21628c65442342d6270a8f7918522fa4fe9c387
MD5 hash:
f598b6379f84e43532b6adc2198bfd9c
SHA1 hash:
73fcd6e681a26ab2ea356a9b951a8557bbc43f4c
Detections:
win_floxif_auto
Create hunting rule
Floxif
Create hunting rule
MAL_Floxif_Generic
Create hunting rule
SUSP_Microsoft_Copyright_String_Anomaly_2
Create hunting rule
MALWARE_Win_FloodFix
Create hunting rule
Link:
https://www.unpac.me/results/ea80fd1a-cc79-4925-9085-9943826c5ded/
Parent samples :
ed61a0c490e5b16ba93721a48865fb3312c314d2b42df1c45c997e2347e0fbea
5824816c15c14812f8d8fe64a2317520ac6e1e96f59d4477aacbaff84d706718
8603a6629d84f5151f3c14463f58a86b24baff50280fa66cc26c086e3211b89f
fd05a5d4e619781f5e1affdfb88dfd117b616df12c8c42e8f05fbcc24ebcfaae
aed65c4e500b4d5da1b557da1b4c7d916868aa100f0b0eab243892036422a3db
e40e040b7604a94d6f9db5175e1a1cc4eb762c035c90ba49f952e723a9c8258a
d014b70080dc2525f222f7eb5aa8c97b35ac366f2c1ad0e0b656f7879d4cb4a1
038d79354607ff85b37621bed1e5e33c68ae21b483730b0e6067abcdd5276c9a
ea201b8fe8ee9d0514b5cc3e273e02b1a06872ebadec937a57285c049de1854d
e58eb39c66efd238b3d957301383ab74099577cf79204d0f7ead51d9cb9c4b1c
56f790633aa97cca376318d0f6f9055ac17c0f102e12f2bf6f078b361c316aa3
e0b7c369ac7cd497c804fe503a65a76606fabed39db60c117ad196607f9c8aa4
3672c48abefd98e598090174265dc3051ff712838e7214ed009c6fcfede22654
a74ee1dbb1120582708462beadf602396c36e9738b150bbf21bdfce09ecd7538
c4e805cafe001cbf1ede9535183d4101c0c2409a8c0ee7debd74ccda64d827f1
6df588b4ad822707978cdc32b85764c300895f946f6581d529b6b9fe086ae706
f7deee99b91289f666e2f0f0043b7330e2c28e88cb319b44c2d1c4499ff9f45f
ee1c03beade3bc4d590fc2a208b7b4006a8918576f992b348c5488c61e7b3dc5
09e3afe1513862f13cc241700fa5f8e4084fee568bc0b12044c94bc458b6b36c
95eb3c2415875d0898a9a206222d25138e0261b4188be73bc6edd965dbe207a5
a419c37fe7f832d9c6541d699124426071b30de1c0e0c9754d0af85cba0ed021
fe1e5468f98a5abe64a3a98a801078fb61fcf393eb8c63ca153275d4f9c61655
29cfbcef98823aabf25d4bc612e9991ce971d7546f4d4660505eb75bbdc57eb8
9cc8ee5bceb4329db551ab0f1c20ddc51feb6ad3f07f876e911e61b1c632664d
9a831200151eb0fb1191eeb1ec85a0006acaeaeb834e3150c63b2ddfc7eb9fca
1886c8a0b8111446cc2f76dd0394264c14a8ae5f53e3dcbe7399c43e71b1b1f7
791a4219e0a98665d6abe5f0267c03499bd8d842c894daaac554f5e3200bc5fb
ce40e5f365dc4a4af4688ebfc262edbdb129fdab31de51f6e67f7fa52fe9fc2a
99d9b3e49c9eaed0615aaf6289a235ff9f39cb5c3b7382d6f51304a6ec04594a
Malware family:
Floxif
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/6df588b4ad82/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/6df588b4ad822707978cdc32b85764c300895f946f6581d529b6b9fe086ae706

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Check_Dlls
Create hunting rule
Rule name:Check_Wine
Create hunting rule
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
Create hunting rule
Author:ditekSHen
Description:Detects Windows executables referencing non-Windows User-Agents
Rule name:INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender
Create hunting rule
Author:ditekSHen
Description:Detects executables embedding registry key / value combination indicative of disabling Windows Defedner features
Rule name:INDICATOR_SUSPICIOUS_EXE_SandboxHookingDLL
Create hunting rule
Author:ditekSHen
Description:Detects binaries and memory artifcats referencing sandbox DLLs typically observed in sandbox evasion
Rule name:Malware_Floxif_mpsvc_dll
Create hunting rule
Author:Florian Roth
Description:Malware - Floxif
Reference:Internal Research
Rule name:Malware_Floxif_mpsvc_dll
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Malware - Floxif
Reference:Internal Research
Rule name:Malware_Floxif_mpsvc_dll_RID30C4
Create hunting rule
Author:Florian Roth
Description:Malware - Floxif
Reference:Internal Research
Rule name:MAL_Floxif_Generic
Create hunting rule
Author:Florian Roth
Description:Detects Floxif Malware
Reference:Internal Research
Rule name:MAL_Floxif_Generic_RID2DCE
Create hunting rule
Author:Florian Roth
Description:Detects Floxif Malware
Reference:Internal Research
Rule name:SUSP_Microsoft_Copyright_String_Anomaly_2
Create hunting rule
Author:Florian Roth
Description:Detects Floxif Malware
Reference:Internal Research
Rule name:SUSP_Microsoft_Copyright_String_Anomaly_2_RID3720
Create hunting rule
Author:Florian Roth
Description:Detects Floxif Malware
Reference:Internal Research
Rule name:SUSP_XORed_MSDOS_Stub_Message
Create hunting rule
Author:Florian Roth
Description:Detects suspicious XORed MSDOS stub message
Reference:https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:vmdetect
Create hunting rule
Author:nex
Description:Possibly employs anti-virtualization techniques
Rule name:Windows_Virus_Floxif_493d1897
Create hunting rule
Author:Elastic Security
Rule name:win_phorpiex_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.phorpiex.
Rule name:win_phorpiex_a_84fc
Create hunting rule
Author:Johannes Bader
Description:detects unpacked Phorpiex samples

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/4221/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
Reviews
IDCapabilitiesEvidence
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CloseHandle
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::LoadLibraryExW
KERNEL32.dll::GetStartupInfoW
KERNEL32.dll::GetCommandLineA
KERNEL32.dll::GetCommandLineW
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::WriteConsoleW
KERNEL32.dll::ReadConsoleW
KERNEL32.dll::SetConsoleOutputCP
KERNEL32.dll::SetStdHandle
KERNEL32.dll::GetConsoleCP
KERNEL32.dll::GetConsoleMode
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CreateFileW

Comments