MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a74ee1dbb1120582708462beadf602396c36e9738b150bbf21bdfce09ecd7538. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Floxif


Vendor detections: 14


Intelligence 14 IOCs YARA 16 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a74ee1dbb1120582708462beadf602396c36e9738b150bbf21bdfce09ecd7538
SHA3-384 hash: 2c3ba994334ff1ce627ee2b8bf495ecdba2ac705ded722ab75611e8bfd65758a86d604da540bfc1b4dfd7821fa52989a
SHA1 hash: 570730b79c79fdc5c531b27802fd2bc18c8c67ff
MD5 hash: 3cfa6bd7ddb7dab8ad18bc6f31c2a66c
humanhash: winter-fix-vegan-north
File name:Trojan.Danger.ATA_virussign.com_3cfa6bd7ddb7dab8ad18bc6f31c2a66c.exe
Download: download sample
Signature Floxif
Create hunting rule
File size:10'089'415 bytes
First seen:2025-03-16 23:45:02 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash d7401947d3623a2199a2114d62923cd5 (2 x Neshta, 2 x XWorm, 1 x Sality)
ssdeep 196608:58Z6TWHHiAzuEqiJsv6tWKFdu9CgT9IF2N62YjHD:584WHHp+iJsv6tWKFdu9CD
TLSH T1B8A69EC2FA8340B2E89511B1103BA27B9A34AD154B1654DBE3EC3F59D6342E17F3B74A
TrID 51.3% (.EXE) MinGW32 C/C++ Executable (245239/59/22)
12.0% (.CPL) Windows Control Panel Item (generic) (57583/11/19)
9.0% (.EXE) InstallShield setup (43053/19/16)
8.7% (.EXE) Win32 EXE PECompact compressed (generic) (41569/9/9)
6.5% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
Magika pebin
dhash icon 0f7171696969710f (1 x Floxif)
Reporter 2huMarisa
Tags:exe Floxif

Intelligence

File Origin
# of uploads :
1
# of downloads :
385
Origin country :
CA CA
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Trojan.Danger.ATA_virussign.com_3cfa6bd7ddb7dab8ad18bc6f31c2a66c.exe
Verdict:
No threats detected
Analysis date:
2025-03-16 23:49:10 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/168966ed-edcd-4a33-9ee9-ffcafe1bea8a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67d7705d08116ce425719c9c
Tags:
jeefo artra lien
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a file in the Windows directory
Creating a process from a recently created file
Modifying an executable file
Restart of the analyzed sample
Creating a service
Launching a service
Searching for synchronization primitives
Enabling autorun for a service
Infecting executable files
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
explorer lolbin obfuscated overlay packed packed packed packer_detected virus xor-pe
Link:
https://www.filescan.io/uploads/67d7628801edd28374b17faa/reports/d88f9e60-ed40-4997-8247-20396fc71c15/overview
Verdict:
Malicious
Labled as:
Jeefo.A
Link:
https://www.hybrid-analysis.com/sample/a74ee1dbb1120582708462beadf602396c36e9738b150bbf21bdfce09ecd7538
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Jeefo
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/866209d2-7140-484a-8df0-fc7d4f0b53d1
Result
Threat name:
n/a
Detection:
malicious
Classification:
spre.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1640116
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Changes security center settings (notifications, updates, antivirus, firewall)
Drops executable to a common third party application directory
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files with benign system names
Found evasive API chain (may stop execution after checking mutex)
Infects executable files (exe, dll, sys, html)
Joe Sandbox ML detected suspicious sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: Suspect Svchost Activity
Sigma detected: System File Execution Location Anomaly
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1640116 Sample: oVCgbY50zv.exe Startdate: 17/03/2025 Architecture: WINDOWS Score: 100 42 Antivirus detection for dropped file 2->42 44 Antivirus / Scanner detection for submitted sample 2->44 46 Multi AV Scanner detection for dropped file 2->46 48 5 other signatures 2->48 7 svchost.exe 2->7         started        11 oVCgbY50zv.exe 1 2->11         started        13 svchost.exe 2->13         started        15 5 other processes 2->15 process3 dnsIp4 30 C:\Users\user\AppData\Local\Temp\chrome.exe, PE32 7->30 dropped 32 C:\ProgramData\...\VC_redist.x64.exe, PE32 7->32 dropped 34 C:\Program Files\...\helper.exe, PE32 7->34 dropped 38 53 other malicious files 7->38 dropped 54 Drops executable to a common third party application directory 7->54 56 Infects executable files (exe, dll, sys, html) 7->56 36 C:\Windows\svchost.exe, PE32 11->36 dropped 58 Multi AV Scanner detection for dropped file 11->58 60 Drops executables to the windows directory (C:\Windows) and starts them 11->60 62 Drops PE files with benign system names 11->62 18 svchost.exe 11->18         started        64 Changes security center settings (notifications, updates, antivirus, firewall) 13->64 22 MpCmdRun.exe 1 13->22         started        40 127.0.0.1 unknown unknown 15->40 file5 signatures6 process7 file8 28 C:\Users\user\Desktop\oVCgbY50zv.exe, PE32 18->28 dropped 50 Multi AV Scanner detection for dropped file 18->50 52 Found evasive API chain (may stop execution after checking mutex) 18->52 24 oVCgbY50zv.exe 18->24         started        26 conhost.exe 22->26         started        signatures9 process10
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/a74ee1dbb1120582708462beadf602396c36e9738b150bbf21bdfce09ecd7538
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a74ee1dbb1120582708462beadf602396c36e9738b150bbf21bdfce09ecd7538/
Threat name:
Win32.Virus.Jeefo
Create hunting rule
Status:
Malicious
First seen:
2025-03-14 13:22:11 UTC
File Type:
PE (Exe)
Extracted files:
10
AV detection:
24 of 24 (100.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=u5hodw5rcicye4eemk7k35qchfwdn2ltrmkqxpzbxx6obhwnou4a._file
Result
Malware family:
n/a
Score:
  7/10
Tags:
discovery
Link:
https://tria.ge/reports/250316-3rsr6sszgy/
Behaviour
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
Drops file in Program Files directory
Drops file in Windows directory
Executes dropped EXE
Loads dropped DLL
Verdict:
Malicious
Tags:
trojan floxif Win.Trojan.Jeefo-3
YARA:
Windows_Virus_Floxif_493d1897
Link:
https://app.threat.zone/submission/a488fca6-8221-4b16-a83e-e827bd0d2198
Unpacked files
SH256 hash:
a74ee1dbb1120582708462beadf602396c36e9738b150bbf21bdfce09ecd7538
MD5 hash:
3cfa6bd7ddb7dab8ad18bc6f31c2a66c
SHA1 hash:
570730b79c79fdc5c531b27802fd2bc18c8c67ff
Link:
https://www.unpac.me/results/fc657989-5519-4712-a05d-7b08231944ad/
SH256 hash:
1239d5bfb90ec345bea41add5b7743923ba32e9ae7dd89ac59fca9e1a4c79c5a
MD5 hash:
3ea06e7bc0d612cabff7ae3af59cbfe1
SHA1 hash:
82cead767185c4d79ba2fcd4991f4fe88bfdfd28
Link:
https://www.unpac.me/results/fc657989-5519-4712-a05d-7b08231944ad/
SH256 hash:
9b430cf0279ea266bee0497fd21628c65442342d6270a8f7918522fa4fe9c387
MD5 hash:
f598b6379f84e43532b6adc2198bfd9c
SHA1 hash:
73fcd6e681a26ab2ea356a9b951a8557bbc43f4c
Detections:
win_floxif_auto
Create hunting rule
Floxif
Create hunting rule
MAL_Floxif_Generic
Create hunting rule
SUSP_Microsoft_Copyright_String_Anomaly_2
Create hunting rule
MALWARE_Win_FloodFix
Create hunting rule
Link:
https://www.unpac.me/results/fc657989-5519-4712-a05d-7b08231944ad/
Parent samples :
ed61a0c490e5b16ba93721a48865fb3312c314d2b42df1c45c997e2347e0fbea
5824816c15c14812f8d8fe64a2317520ac6e1e96f59d4477aacbaff84d706718
8603a6629d84f5151f3c14463f58a86b24baff50280fa66cc26c086e3211b89f
fd05a5d4e619781f5e1affdfb88dfd117b616df12c8c42e8f05fbcc24ebcfaae
aed65c4e500b4d5da1b557da1b4c7d916868aa100f0b0eab243892036422a3db
e40e040b7604a94d6f9db5175e1a1cc4eb762c035c90ba49f952e723a9c8258a
d014b70080dc2525f222f7eb5aa8c97b35ac366f2c1ad0e0b656f7879d4cb4a1
038d79354607ff85b37621bed1e5e33c68ae21b483730b0e6067abcdd5276c9a
ea201b8fe8ee9d0514b5cc3e273e02b1a06872ebadec937a57285c049de1854d
e58eb39c66efd238b3d957301383ab74099577cf79204d0f7ead51d9cb9c4b1c
56f790633aa97cca376318d0f6f9055ac17c0f102e12f2bf6f078b361c316aa3
e0b7c369ac7cd497c804fe503a65a76606fabed39db60c117ad196607f9c8aa4
3672c48abefd98e598090174265dc3051ff712838e7214ed009c6fcfede22654
a74ee1dbb1120582708462beadf602396c36e9738b150bbf21bdfce09ecd7538
c4e805cafe001cbf1ede9535183d4101c0c2409a8c0ee7debd74ccda64d827f1
6df588b4ad822707978cdc32b85764c300895f946f6581d529b6b9fe086ae706
f7deee99b91289f666e2f0f0043b7330e2c28e88cb319b44c2d1c4499ff9f45f
ee1c03beade3bc4d590fc2a208b7b4006a8918576f992b348c5488c61e7b3dc5
09e3afe1513862f13cc241700fa5f8e4084fee568bc0b12044c94bc458b6b36c
95eb3c2415875d0898a9a206222d25138e0261b4188be73bc6edd965dbe207a5
a419c37fe7f832d9c6541d699124426071b30de1c0e0c9754d0af85cba0ed021
fe1e5468f98a5abe64a3a98a801078fb61fcf393eb8c63ca153275d4f9c61655
29cfbcef98823aabf25d4bc612e9991ce971d7546f4d4660505eb75bbdc57eb8
9cc8ee5bceb4329db551ab0f1c20ddc51feb6ad3f07f876e911e61b1c632664d
9a831200151eb0fb1191eeb1ec85a0006acaeaeb834e3150c63b2ddfc7eb9fca
1886c8a0b8111446cc2f76dd0394264c14a8ae5f53e3dcbe7399c43e71b1b1f7
791a4219e0a98665d6abe5f0267c03499bd8d842c894daaac554f5e3200bc5fb
ce40e5f365dc4a4af4688ebfc262edbdb129fdab31de51f6e67f7fa52fe9fc2a
99d9b3e49c9eaed0615aaf6289a235ff9f39cb5c3b7382d6f51304a6ec04594a
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a74ee1dbb1120582708462beadf602396c36e9738b150bbf21bdfce09ecd7538

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:APT_Sandworm_ArguePatch_Apr_2022_1
Create hunting rule
Author:Arkbird_SOLG
Description:Detect ArguePatch loader used by Sandworm group for load CaddyWiper
Reference:https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__RemoteAPI
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DevCv4
Create hunting rule
Author:malware-lu
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:SHA512_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA384/SHA512 constants
Rule name:SUSP_Websites
Create hunting rule
Author:SECUINFRA Falcon Team
Description:Detects the reference of suspicious sites that might be used to download further malware
Rule name:SUSP_XORed_MSDOS_Stub_Message
Create hunting rule
Author:Florian Roth
Description:Detects suspicious XORed MSDOS stub message
Reference:https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:test_Malaysia
Create hunting rule
Author:rectifyq
Description:Detects file containing malaysia string
Rule name:VideoLanClient
Create hunting rule
Author:malware-lu
Rule name:W32JeefoPEFileInfector
Create hunting rule
Author:malware-lu
Rule name:Windows_Virus_Floxif_493d1897
Create hunting rule
Author:Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
Reviews
IDCapabilitiesEvidence
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CreateProcessA
KERNEL32.dll::CloseHandle
WIN_BASE_APIUses Win Base APIKERNEL32.dll::LoadLibraryA
KERNEL32.dll::GetDriveTypeA
KERNEL32.dll::GetStartupInfoA
KERNEL32.dll::GetCommandLineA
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CopyFileA
KERNEL32.dll::CreateFileA
KERNEL32.dll::GetWindowsDirectoryA
KERNEL32.dll::GetFileAttributesA
KERNEL32.dll::FindFirstFileA
KERNEL32.dll::GetTempPathA
WIN_REG_APICan Manipulate Windows RegistryADVAPI32.DLL::RegCreateKeyExA
ADVAPI32.DLL::RegSetValueExA
WIN_SVC_APICan Manipulate Windows ServicesADVAPI32.DLL::CreateServiceA
ADVAPI32.DLL::OpenSCManagerA
ADVAPI32.DLL::OpenServiceA
ADVAPI32.DLL::RegisterServiceCtrlHandlerA
ADVAPI32.DLL::StartServiceA
ADVAPI32.DLL::StartServiceCtrlDispatcherA

Comments