File 9d25d4f0ff4f8d431ec2f626713872ce63abfbba7b2652cf903bb8df90aa9820

Size 59.0KB
Type PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, UPX compressed
MD5 eb699b7c1d982d19e38eedbaa94dc2ee
SHA1 1b7d8a758cf22107df58b9ca680cc68ec8877c99
SHA256 9d25d4f0ff4f8d431ec2f626713872ce63abfbba7b2652cf903bb8df90aa9820
SHA512 3c3a6b86e26828f25a52811c81712c87304104861770de40e3a204bcb29badde81990746f2b31e6aadd67047d126dab5beda7b28b22e2369eb6f167054cb8aca
CRC32 CFEDFD70
ssdeep None
Yara
  • UPX - (no description)
  • suspicious_packer_section - The packer/protector section names/keywords
  • MAL_Floxif_Generic - Detects Floxif Malware
  • CrowdStrike_Floxif_Packed - Detects the UPX-packed version of the Floxif file infecting virus.
  • win_registry - Affect system registries
  • win_token - Affect system token
  • win_files_operation - Affect private profile
  • SUSP_Microsoft_Copyright_String_Anomaly_2 - Detects Floxif Malware

Score

This file is very suspicious, with a score of 9.4 out of 10!

Please notice: The scoring system is currently still in development and should be considered an alpha feature.


Information on Execution

Analysis
Category: FILE
Started: June 30, 2025, 5:46 p.m.
Completed: June 30, 2025, 5:48 p.m.
Duration: 113 seconds
Routing: internet

Analyzer Log

2025-06-23 02:28:55,015 [analyzer] DEBUG: Starting analyzer from: C:\tmpsftntc
2025-06-23 02:28:55,015 [analyzer] DEBUG: Pipe server name: \??\PIPE\bChWZaJWGBkiqzzfyJPJIroaUSqSg
2025-06-23 02:28:55,015 [analyzer] DEBUG: Log pipe server name: \??\PIPE\dRCnrUiHFxgvmddhR
2025-06-23 02:28:55,375 [analyzer] DEBUG: Started auxiliary module Curtain
2025-06-23 02:28:55,375 [analyzer] DEBUG: Started auxiliary module DbgView
2025-06-23 02:28:55,828 [analyzer] DEBUG: Started auxiliary module Disguise
2025-06-23 02:28:56,092 [analyzer] DEBUG: Loaded monitor into process with pid 508
2025-06-23 02:28:56,092 [analyzer] DEBUG: Started auxiliary module DumpTLSMasterSecrets
2025-06-23 02:28:56,092 [analyzer] DEBUG: Started auxiliary module Human
2025-06-23 02:28:56,092 [analyzer] DEBUG: Started auxiliary module InstallCertificate
2025-06-23 02:28:56,108 [analyzer] DEBUG: Started auxiliary module Reboot
2025-06-23 02:28:56,250 [analyzer] DEBUG: Started auxiliary module RecentFiles
2025-06-23 02:28:56,250 [analyzer] DEBUG: Started auxiliary module Screenshots
2025-06-23 02:28:56,250 [analyzer] DEBUG: Started auxiliary module Sysmon
2025-06-23 02:28:56,250 [analyzer] DEBUG: Started auxiliary module LoadZer0m0n
2025-06-23 02:28:56,328 [lib.api.process] INFO: Successfully executed process from path 'C:\\Windows\\System32\\rundll32.exe' with arguments [u'C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\9d25d4f0ff4f8d431ec2f626713872ce63abfbba7b2652cf903bb8df90aa9820.dll,DllMain'] and pid 2892
2025-06-23 02:28:56,546 [analyzer] DEBUG: Loaded monitor into process with pid 2892
2025-06-23 02:28:56,796 [analyzer] INFO: Injected into process with pid 1132 and name u'rundll32.exe'
2025-06-23 02:28:57,062 [analyzer] DEBUG: Loaded monitor into process with pid 1132
2025-06-23 02:29:25,375 [analyzer] INFO: Analysis timeout hit, terminating analysis.
2025-06-23 02:29:25,750 [analyzer] INFO: Terminating remaining processes before shutdown.
2025-06-23 02:29:25,750 [lib.api.process] INFO: Successfully terminated process with pid 2892.
2025-06-23 02:29:25,750 [lib.api.process] INFO: Successfully terminated process with pid 1132.
2025-06-23 02:29:25,750 [analyzer] INFO: Analysis completed.

Cuckoo Log

2025-06-30 17:46:28,807 [cuckoo.core.scheduler] INFO: Task #6620403: acquired machine win7x6421 (label=win7x6421)
2025-06-30 17:46:28,809 [cuckoo.core.resultserver] DEBUG: Now tracking machine 192.168.168.221 for task #6620403
2025-06-30 17:46:29,093 [cuckoo.auxiliary.sniffer] INFO: Started sniffer with PID 3215566 (interface=vboxnet0, host=192.168.168.221)
2025-06-30 17:46:29,141 [cuckoo.machinery.virtualbox] DEBUG: Starting vm win7x6421
2025-06-30 17:46:29,656 [cuckoo.machinery.virtualbox] DEBUG: Restoring virtual machine win7x6421 to vmcloak
2025-06-30 17:46:53,934 [cuckoo.core.guest] INFO: Starting analysis #6620403 on guest (id=win7x6421, ip=192.168.168.221)
2025-06-30 17:46:54,940 [cuckoo.core.guest] DEBUG: win7x6421: not ready yet
2025-06-30 17:46:59,975 [cuckoo.core.guest] INFO: Guest is running Cuckoo Agent 0.10 (id=win7x6421, ip=192.168.168.221)
2025-06-30 17:47:00,065 [cuckoo.core.guest] DEBUG: Uploading analyzer to guest (id=win7x6421, ip=192.168.168.221, monitor=latest, size=6660546)
2025-06-30 17:47:01,347 [cuckoo.core.resultserver] DEBUG: Task #6620403: live log analysis.log initialized.
2025-06-30 17:47:02,400 [cuckoo.core.resultserver] DEBUG: Task #6620403 is sending a BSON stream
2025-06-30 17:47:02,775 [cuckoo.core.resultserver] DEBUG: Task #6620403 is sending a BSON stream
2025-06-30 17:47:03,352 [cuckoo.core.resultserver] DEBUG: Task #6620403 is sending a BSON stream
2025-06-30 17:47:03,983 [cuckoo.core.resultserver] DEBUG: Task #6620403: File upload for 'shots/0001.jpg'
2025-06-30 17:47:04,000 [cuckoo.core.resultserver] DEBUG: Task #6620403 uploaded file length: 137599
2025-06-30 17:47:16,109 [cuckoo.core.guest] DEBUG: win7x6421: analysis #6620403 still processing
2025-06-30 17:47:31,234 [cuckoo.core.guest] DEBUG: win7x6421: analysis #6620403 still processing
2025-06-30 17:47:31,981 [cuckoo.core.resultserver] DEBUG: Task #6620403: File upload for 'curtain/1750638565.61.curtain.log'
2025-06-30 17:47:31,984 [cuckoo.core.resultserver] DEBUG: Task #6620403 uploaded file length: 36
2025-06-30 17:47:32,122 [cuckoo.core.resultserver] DEBUG: Task #6620403: File upload for 'sysmon/1750638565.75.sysmon.xml'
2025-06-30 17:47:32,129 [cuckoo.core.resultserver] DEBUG: Task #6620403 uploaded file length: 529432
2025-06-30 17:47:32,978 [cuckoo.core.resultserver] DEBUG: Task #6620403: File upload for 'shots/0002.jpg'
2025-06-30 17:47:32,992 [cuckoo.core.resultserver] DEBUG: Task #6620403 uploaded file length: 133479
2025-06-30 17:47:33,006 [cuckoo.core.resultserver] DEBUG: Task #6620403 had connection reset for <Context for LOG>
2025-06-30 17:47:34,248 [cuckoo.core.guest] INFO: win7x6421: analysis completed successfully
2025-06-30 17:47:34,262 [cuckoo.core.plugins] DEBUG: Stopped auxiliary module: Redsocks
2025-06-30 17:47:34,286 [cuckoo.core.plugins] DEBUG: Stopped auxiliary module: Sniffer
2025-06-30 17:47:34,985 [cuckoo.machinery.virtualbox] INFO: Successfully generated memory dump for virtual machine with label win7x6421 to path /srv/cuckoo/cwd/storage/analyses/6620403/memory.dmp
2025-06-30 17:47:34,986 [cuckoo.machinery.virtualbox] DEBUG: Stopping vm win7x6421
2025-06-30 17:48:08,282 [cuckoo.core.resultserver] DEBUG: Stopped tracking machine 192.168.168.221 for task #6620403
2025-06-30 17:48:08,728 [cuckoo.core.scheduler] DEBUG: Released database task #6620403
2025-06-30 17:48:08,747 [cuckoo.core.scheduler] INFO: Task #6620403: analysis procedure completed

Signatures

Yara rules detected for file (8 events)
  • UPX - (no description)
  • suspicious_packer_section - The packer/protector section names/keywords
  • MAL_Floxif_Generic - Detects Floxif Malware
  • CrowdStrike_Floxif_Packed - Detects the UPX-packed version of the Floxif file infecting virus.
  • win_registry - Affect system registries
  • win_token - Affect system token
  • win_files_operation - Affect private profile
  • SUSP_Microsoft_Copyright_String_Anomaly_2 - Detects Floxif Malware
One or more processes crashed (1 event)
Time & API Arguments Status Return Repeated

__exception__

stacktrace:
RtlEncodeSystemPointer+0x33d RtlFindClearBits-0x484 ntdll+0x3e41b @ 0x76f5e41b
RtlSetBits+0x115 RtlFlsAlloc-0x5e ntdll+0x3eabb @ 0x76f5eabb
RtlSetBits+0x162 RtlFlsAlloc-0x11 ntdll+0x3eb08 @ 0x76f5eb08
RtlSetBits+0x5d RtlFlsAlloc-0x116 ntdll+0x3ea03 @ 0x76f5ea03
LdrResSearchResource+0x943 LdrResFindResourceDirectory-0x376 ntdll+0x3d72f @ 0x76f5d72f
LdrLoadDll+0x7b _strcmpi-0x305 ntdll+0x3c558 @ 0x76f5c558
New_ntdll_LdrLoadDll@16+0x7b New_ntdll_LdrUnloadDll@4-0xb7 @ 0x737dd4cf
LoadLibraryExW+0x1f1 LoadLibraryExA-0x37 kernelbase+0x12c95 @ 0x752c2c95
rundll32+0x14ed @ 0x6914ed
rundll32+0x1baf @ 0x691baf
rundll32+0x12e8 @ 0x6912e8
rundll32+0x1901 @ 0x691901
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133aa @ 0x769033aa
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa5 ntdll+0x39f72 @ 0x76f59f72
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xd2 ntdll+0x39f45 @ 0x76f59f45

exception.instruction_r: 0f b7 00 89 45 cc 0f b7 c0 3b 46 18 73 42 8b 0c
exception.symbol: LdrGetDllHandleEx+0x3b4 LdrGetProcedureAddress-0xde ntdll+0x3010c
exception.instruction: movzx eax, word ptr [eax]
exception.module: ntdll.dll
exception.exception_code: 0xc0000005
exception.offset: 196876
exception.address: 0x76f5010c
registers.esp: 2487052
registers.edi: 1989873592
registers.eax: 2234403287
registers.ebp: 2487176
registers.edx: 1989083136
registers.ebx: 1989879048
registers.esi: 1989868096
registers.ecx: 2234403289
Status 1, Return 0, Repeated 0
Foreign language identified in PE resource (1 event)
  • name: RT_VERSION
  • language: LANG_CHINESE
  • sublanguage: SUBLANG_CHINESE_SIMPLIFIED
  • filetype: SysEx File - OctavePlateau
  • offset: 0x0002f05c
  • size: 0x000003f0
The executable is compressed using UPX (2 events)
  • section UPX0 - Section name indicates UPX
  • section UPX1 - Section name indicates UPX
File has been identified by 8 AntiVirus engines on IRMA as malicious (8 events)
G Data Antivirus (Windows) Virus: Gen:Variant.Bulz.276414 (Engine A)
Avast Core Security (Linux) Win32:FloxLib-A [Trj]
C4S ClamAV (Linux) Win.Trojan.Pioneer-10014875-0
eScan Antivirus (Linux) Gen:Variant.Bulz.276414(DB)
Sophos Anti-Virus (Linux) Mal/Behav-160
ClamAV (Linux) Win.Trojan.Pioneer-10014875-0
Bitdefender Antivirus (Linux) Gen:Variant.Bulz.276414
Emsisoft Commandline Scanner (Windows) Gen:Variant.Bulz.276414 (B)
Domains contacted
No hosts contacted.

IP addresses contacted
No hosts contacted.