General

  • Target

    2025-04-24_82647830e2a98644a2866139e43d6255_amadey_elex_floxif_redline-stealer_rhadamanthys_smoke-loader

  • Size

    186KB

  • Sample

    250424-qhb2va1zbw

  • MD5

    82647830e2a98644a2866139e43d6255

  • SHA1

    5f6b74bf618a0f6653b4069253436b951a7d15ad

  • SHA256

    fdc33962c8bed9c6bb049b5dbf8a7ed17c414c2725def0fb422c24e2e61790b7

  • SHA512

    5351757df6bb1f36d4d7fd1d06e35723b9554e1437f0ec295fa5456248fc73581517d058ea7f45a5be9aa8946ca1b3e9dbee59c20b12c84c646bbf11dbfb19c5

  • SSDEEP

    3072:msKf5SDlZNWXpYQVts2Z6fvk9HM2lQBV+UdE+rECWp7hK4:DBAXemtT6X8qBV+UdvrEFp7hK4

Malware Config

Extracted

Family

mylobot

C2

onthestage.ru:6521

stanislasarnoud.ru:5739

krebson.ru:4685

Targets

    • Floxif family

    • Floxif, Floodfix

      Floxif aka FloodFix is a file-changing trojan and backdoor written in C++.

    • Mylobot

      Botnet, first seen in 2017, written in C++.

    • Mylobot family

    • Detects Floxif payload

    • Blocklisted process makes network request

    • Event Triggered Execution: AppInit DLLs

      Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.

    • ACProtect 1.3x - 1.4x DLL software

      Detects file using ACProtect software.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Suspicious use of SetThreadContext

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.
