MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9a831200151eb0fb1191eeb1ec85a0006acaeaeb834e3150c63b2ddfc7eb9fca. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Floxif

Vendor detections: 17

Intelligence 17 IOCs YARA 10 File information Comments

SHA256 hash:	9a831200151eb0fb1191eeb1ec85a0006acaeaeb834e3150c63b2ddfc7eb9fca
SHA3-384 hash:	25b1bd254c48f44932bf362bd4711523541524ea6b5ccd0bdccffb8c8946f03fec74e20927a749f3c147203de6334ede
SHA1 hash:	a9e03b04ef1a21c272bba131f794e1110ccf5edb
MD5 hash:	a13f42ed90fbaf9a0d8576eb8105177d
humanhash:	football-black-august-lamp
File name:	250428-ffwy5asvcz.bin
Download:	download sample
Signature	Floxif Create hunting rule
File size:	16'152'007 bytes
First seen:	2025-04-28 04:55:18 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	332f7ce65ead0adfb3d35147033aabe9 (81 x XRed, 18 x SnakeKeylogger, 7 x DarkComet)
ssdeep	393216:y2fyklp+dkBSuF2SfUfn6tX5MTwhGW+N7MbIT1uGYvPsQ:rnp+Ty2SfUfn2F+N7MbIBw
Threatray	402 similar samples on MalwareBazaar
TLSH	T1EFF63332B2D0417BC2630635EC5AE6546C3E7A283F24589B67D86D4D1F3E2932AF7253
TrID	93.3% (.EXE) Win32 Executable Borland Delphi 7 (664796/42/58) 1.9% (.EXE) Win32 Executable Delphi generic (14182/79/4) 1.4% (.EXE) Win64 Executable (generic) (10522/11/4) 1.4% (.EXE) DOS Borland compiled Executable (generic) (10000/1/2) 0.6% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika	pebin
dhash icon	b2e1b496a6cada72 (13 x LummaStealer, 12 x AsyncRAT, 8 x Rhadamanthys)
Reporter	UNP4CK
Tags:	Floxif

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

2025-04-28_a13f42ed90fbaf9a0d8576eb8105177d_amadey_darkgate_elex_floxif_smoke-loader

Verdict:

Malicious activity

Analysis date:

2025-04-28 04:49:27 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/4df1107d-55d0-4f70-8ba2-cdb1eb9c5cc3

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

FloodFix

Link:

https://www.capesandbox.com/analysis/4609/

Detection(s):

PUA.Win.Packer.D1s1g-5

PUA.Win.Packer.D1s1g-2

PUA.Win.Packer.D1s1g-1

Win.Virus.Pioneer-9111434-0

Win.Trojan.Emotet-9850453-0

Win.Trojan.Generic-9936029-0

Win.Malware.Delf-6899401-0

MiscreantPunch.SingleXOR.EXE.197.UNOFFICIAL

Verdict:

Malicious

Score:

99.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=680f08d8cc5fb3600cc3bc67

Tags:

pioneer floxif virus smtp

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file

Creating a file in the %temp% subdirectories

Searching for synchronization primitives

Launching the default Windows debugger (dwwin.exe)

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

adaptive-context borland_delphi cmd crypto dropper entropy evasive expand expired-cert fingerprint keylogger lolbin macros-on-open masquerade obfuscated optix overlay overlay packed packed packed packer_detected remote runonce virtual xor-pe

Link:

https://www.filescan.io/uploads/680f0a68212716475fafb7c1/reports/1e689d92-4574-4798-8469-667bd3ba486f/overview

Verdict:

Malicious

Labled as:

Virus.Floxif

Link:

https://www.hybrid-analysis.com/sample/9a831200151eb0fb1191eeb1ec85a0006acaeaeb834e3150c63b2ddfc7eb9fca

Malware family:

Floxif

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/3c7df1ae-d0d6-4181-86b0-bc14988e9b5e

Result

Threat name:

FloodFix, GhostRat, XRed

Detection:

malicious

Classification:

spre.troj

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1675932

Signature

Allows loading of unsigned dll using appinit_dll

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

C2 URLs / IPs found in malware configuration

Creates an undocumented autostart registry key

Found malware configuration

Infects executable files (exe, dll, sys, html)

Joe Sandbox ML detected suspicious sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Overwrites code with function prologues

Suricata IDS alerts for network traffic

Yara detected FloodFix

Yara detected GhostRat

Yara detected XRed

Behaviour

Behavior Graph:

Download SVG

Score:

99%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/9a831200151eb0fb1191eeb1ec85a0006acaeaeb834e3150c63b2ddfc7eb9fca

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/9a831200151eb0fb1191eeb1ec85a0006acaeaeb834e3150c63b2ddfc7eb9fca/

Threat name:

Win32.Virus.Floxif

Status:

Malicious

First seen:

2025-04-28 04:49:30 UTC

File Type:

PE (Exe)

Extracted files:

42385

AV detection:

24 of 24 (100.00%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=tkbreaavd2ypwemr52y6zbnaabvmv2xlqnhdcugghmw57r7lt7fa._file

Verdict:

malicious

Label(s):

darkcomet

floxif

Floxif

3bc49481b663efe411b453cafe3b2f72fcb0e979a0823f73f6902bc6de90df02

Floxif

5bcc445ac2d4f58aee6bf7c5c10f34136cdee1228f0faa3ded35f88b2c5d1073

Floxif

807791fd5f44f0b96c2c3afac1477bf3ded4fe40c2479d84f22b0c40df0fec3e

Floxif

9cc8ee5bceb4329db551ab0f1c20ddc51feb6ad3f07f876e911e61b1c632664d

Floxif

error

Floxif

+ 392 additional samples on MalwareBazaar

Result

Malware family:

xred

Score:

10/10

Tags:

family:floxif family:xred backdoor discovery persistence privilege_escalation trojan upx

Link:

https://tria.ge/reports/250428-fkp2dasxax/

Behaviour

Suspicious use of AdjustPrivilegeToken

Program crash

System Location Discovery: System Language Discovery

Drops file in Program Files directory

UPX packed file

ACProtect 1.3x - 1.4x DLL software

Loads dropped DLL

Event Triggered Execution: AppInit DLLs

Detects Floxif payload

Floxif family

Floxif, Floodfix

Xred

Xred family

Malware Config

C2 Extraction:

xred.mooo.com

Verdict:

Malicious

Tags:

backdoor xred_backdoor trojan floxif Win.Virus.Pioneer-9111434-0

YARA:

mal_xred_backdoor Windows_Virus_Floxif_493d1897

Link:

https://app.threat.zone/submission/ae61f61c-d26b-461c-ab23-60f4f04ccc31

Unpacked files

SH256 hash:

f0ed4362423cf6f5f12bd27848f292400c2ef224168c2b11714f0b91a7ad7388

MD5 hash:

b5a172872e187e97172a6e6b4ffc1a91

SHA1 hash:

99040fd78a3142f3cd5db2d283ef68c695364a6c

Link:

https://www.unpac.me/results/e73b59ca-f3b4-4a98-95ed-f2410437c1e0/

SH256 hash:

a9295ad4e909f979e2b6cb2b2495c3d35c8517e689cd64a918c690e17b49078b

MD5 hash:

4d20a950a3571d11236482754b4a8e76

SHA1 hash:

e68bd784ac143e206d52ecaf54a7e3b8d4d75c9c

Link:

https://www.unpac.me/results/e73b59ca-f3b4-4a98-95ed-f2410437c1e0/

SH256 hash:

5e18fe2bfdd7e4d026aec302e6d1770d2d654354c6d575d88362122ba6177c81

MD5 hash:

3fbafda5a49aea41ef923495cc24e3e2

SHA1 hash:

b20b376939e41978fae8476142336bbd62cfca93

Link:

https://www.unpac.me/results/e73b59ca-f3b4-4a98-95ed-f2410437c1e0/

SH256 hash:

b9eae90f8e942cc4586d31dc484f29079651ad64c49f90d99f86932630c66af2

MD5 hash:

c0ef4d6237d106bf51c8884d57953f92

SHA1 hash:

f1da7ecbbee32878c19e53c7528c8a7a775418eb

Link:

https://www.unpac.me/results/e73b59ca-f3b4-4a98-95ed-f2410437c1e0/

SH256 hash:

9b430cf0279ea266bee0497fd21628c65442342d6270a8f7918522fa4fe9c387

MD5 hash:

f598b6379f84e43532b6adc2198bfd9c

SHA1 hash:

73fcd6e681a26ab2ea356a9b951a8557bbc43f4c

Detections:

win_floxif_auto

Floxif

MAL_Floxif_Generic

SUSP_Microsoft_Copyright_String_Anomaly_2

MALWARE_Win_FloodFix

Link:

https://www.unpac.me/results/e73b59ca-f3b4-4a98-95ed-f2410437c1e0/

Parent samples :

ed61a0c490e5b16ba93721a48865fb3312c314d2b42df1c45c997e2347e0fbea
5824816c15c14812f8d8fe64a2317520ac6e1e96f59d4477aacbaff84d706718
8603a6629d84f5151f3c14463f58a86b24baff50280fa66cc26c086e3211b89f
fd05a5d4e619781f5e1affdfb88dfd117b616df12c8c42e8f05fbcc24ebcfaae
aed65c4e500b4d5da1b557da1b4c7d916868aa100f0b0eab243892036422a3db
e40e040b7604a94d6f9db5175e1a1cc4eb762c035c90ba49f952e723a9c8258a
d014b70080dc2525f222f7eb5aa8c97b35ac366f2c1ad0e0b656f7879d4cb4a1
038d79354607ff85b37621bed1e5e33c68ae21b483730b0e6067abcdd5276c9a
ea201b8fe8ee9d0514b5cc3e273e02b1a06872ebadec937a57285c049de1854d
e58eb39c66efd238b3d957301383ab74099577cf79204d0f7ead51d9cb9c4b1c
56f790633aa97cca376318d0f6f9055ac17c0f102e12f2bf6f078b361c316aa3
e0b7c369ac7cd497c804fe503a65a76606fabed39db60c117ad196607f9c8aa4
3672c48abefd98e598090174265dc3051ff712838e7214ed009c6fcfede22654
a74ee1dbb1120582708462beadf602396c36e9738b150bbf21bdfce09ecd7538
c4e805cafe001cbf1ede9535183d4101c0c2409a8c0ee7debd74ccda64d827f1
6df588b4ad822707978cdc32b85764c300895f946f6581d529b6b9fe086ae706
f7deee99b91289f666e2f0f0043b7330e2c28e88cb319b44c2d1c4499ff9f45f
ee1c03beade3bc4d590fc2a208b7b4006a8918576f992b348c5488c61e7b3dc5
09e3afe1513862f13cc241700fa5f8e4084fee568bc0b12044c94bc458b6b36c
95eb3c2415875d0898a9a206222d25138e0261b4188be73bc6edd965dbe207a5
a419c37fe7f832d9c6541d699124426071b30de1c0e0c9754d0af85cba0ed021
fe1e5468f98a5abe64a3a98a801078fb61fcf393eb8c63ca153275d4f9c61655
29cfbcef98823aabf25d4bc612e9991ce971d7546f4d4660505eb75bbdc57eb8
9cc8ee5bceb4329db551ab0f1c20ddc51feb6ad3f07f876e911e61b1c632664d
9a831200151eb0fb1191eeb1ec85a0006acaeaeb834e3150c63b2ddfc7eb9fca
1886c8a0b8111446cc2f76dd0394264c14a8ae5f53e3dcbe7399c43e71b1b1f7
791a4219e0a98665d6abe5f0267c03499bd8d842c894daaac554f5e3200bc5fb
ce40e5f365dc4a4af4688ebfc262edbdb129fdab31de51f6e67f7fa52fe9fc2a
99d9b3e49c9eaed0615aaf6289a235ff9f39cb5c3b7382d6f51304a6ec04594a

SH256 hash:

9a831200151eb0fb1191eeb1ec85a0006acaeaeb834e3150c63b2ddfc7eb9fca

MD5 hash:

a13f42ed90fbaf9a0d8576eb8105177d

SHA1 hash:

a9e03b04ef1a21c272bba131f794e1110ccf5edb

Link:

https://www.unpac.me/results/e73b59ca-f3b4-4a98-95ed-f2410437c1e0/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/9a831200151eb0fb1191eeb1ec85a0006acaeaeb834e3150c63b2ddfc7eb9fca

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Borland Create hunting rule
Author:	malware-lu

Rule name:	D1S1Gv11betaD1N Create hunting rule
Author:	malware-lu

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	Detect_PowerShell_Obfuscation Create hunting rule
Author:	daniyyell
Description:	Detects obfuscated PowerShell commands commonly used in malicious scripts.

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	pe_detect_tls_callbacks Create hunting rule

Rule name:	SUSP_XORed_MSDOS_Stub_Message Create hunting rule
Author:	Florian Roth
Description:	Detects suspicious XORed MSDOS stub message
Reference:	https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings

Rule name:	Sus_Obf_Enc_Spoof_Hide_PE Create hunting rule
Author:	XiAnzheng
Description:	Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

Rule name:	vbaproject_bin Create hunting rule
Author:	CD_R0M_
Description:	{76 62 61 50 72 6f 6a 65 63 74 2e 62 69 6e} is hex for vbaproject.bin. Macros are often used by threat actors. Work in progress - Ran out of time

Rule name:	Windows_Virus_Floxif_493d1897 Create hunting rule
Author:	Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/4609/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_NX	Missing Non-Executable Memory Protection	critical
CHECK_PIE	Missing Position-Independent Executable (PIE) Protection	high

Reviews

ID	Capabilities	Evidence
COM_BASE_API	Can Download & Execute components	ole32.dll::CLSIDFromProgID ole32.dll::CoCreateInstance
SECURITY_BASE_API	Uses Security Base API	advapi32.dll::AdjustTokenPrivileges
SHELL_API	Manipulates System Shell	shell32.dll::ShellExecuteExA
WIN32_PROCESS_API	Can Create Process and Threads	kernel32.dll::CreateProcessA advapi32.dll::OpenProcessToken kernel32.dll::OpenProcess kernel32.dll::CloseHandle wininet.dll::InternetCloseHandle kernel32.dll::CreateThread
WIN_BASE_API	Uses Win Base API	kernel32.dll::TerminateProcess kernel32.dll::LoadLibraryExA kernel32.dll::LoadLibraryA kernel32.dll::GetDriveTypeA kernel32.dll::GetSystemInfo kernel32.dll::GetStartupInfoA
WIN_BASE_IO_API	Can Create Files	kernel32.dll::CopyFileA kernel32.dll::CreateDirectoryA kernel32.dll::CreateFileA kernel32.dll::CreateFileMappingA kernel32.dll::DeleteFileA kernel32.dll::MoveFileA
WIN_BASE_USER_API	Retrieves Account Information	kernel32.dll::GetComputerNameA advapi32.dll::GetUserNameA advapi32.dll::LookupPrivilegeValueA
WIN_REG_API	Can Manipulate Windows Registry	advapi32.dll::RegCreateKeyExA advapi32.dll::RegNotifyChangeKeyValue advapi32.dll::RegOpenKeyExA advapi32.dll::RegQueryValueExA advapi32.dll::RegSetValueExA
WIN_SVC_API	Can Manipulate Windows Services	advapi32.dll::OpenSCManagerA
WIN_USER_API	Performs GUI Actions	user32.dll::ActivateKeyboardLayout user32.dll::CreateMenu user32.dll::FindWindowA user32.dll::PeekMessageA user32.dll::CreateWindowExA

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample