MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4d10520e2b80ca42e98590435c36c5409a458d9a5bd0ad35b0f444d2ceb2626d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


PhoenixKeylogger


Vendor detections: 6


Intelligence 6 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4d10520e2b80ca42e98590435c36c5409a458d9a5bd0ad35b0f444d2ceb2626d
SHA3-384 hash: 7c833d4e39c4685d15cb0bbf0e8e1d6e23418748e3e041206378e854e545013b2926751f7e5be469de7e96906edb244c
SHA1 hash: 8fbe0182c4ae39acb97a23f16b5d758b4183ad4b
MD5 hash: 311102ca55b09ee930cfceca5e4c06da
humanhash: carpet-friend-tennessee-october
File name:QUOTATION REQUEST.exe
Download: download sample
Signature PhoenixKeylogger
Create hunting rule
File size:662'016 bytes
First seen:2020-07-09 14:50:32 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 6e63d8c4f95b00f80e5b95c70d92a973 (10 x AgentTesla, 3 x FormBook, 2 x NanoCore)
ssdeep 12288:6GvZepMqJ07C6YHyrn9baFbUBXrVAlLSjujRJK/sJ2:6IgpM+F6YHyDYFYUNSVA2
Threatray 2'641 similar samples on MalwareBazaar
TLSH 8EE49E26F2D04833C1671A3DDD1B976899EABE413E289D462BF45F4CDF392423836297
Reporter abuse_ch
Tags:exe PhoenixKeylogger


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: tabrospharma.com
Sending IP: 45.153.241.102
From: Head of Procurement <regulatory@tabrospharma.com>
Subject: QUOTATION REQUEST (RFQ)
Attachment: QUOTATION REQUEST.arj (contains "QUOTATION REQUEST.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
87
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Phoenix
Create hunting rule
Link:
https://www.capesandbox.com/analysis/23937/
Detection(s):
PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

SecuriteInfo.com.Trojan.Delf.FareIt.Gen.7.17255.16370.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Enabling the 'hidden' option for analyzed file
DNS request
Sending an HTTP GET request
Using the Windows Management Instrumentation requests
Reading critical registry keys
Creating a file
Sending a custom TCP request
Creating a file in the Windows subdirectories
Moving of the original file
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4d10520e2b80ca42e98590435c36c5409a458d9a5bd0ad35b0f444d2ceb2626d/
Threat name:
Win32.Infostealer.Fareit
Create hunting rule
Status:
Malicious
First seen:
2020-07-09 14:52:06 UTC
AV detection:
24 of 28 (85.71%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=juifedrlqdfef2mfsbbvynwficneldm2lpik2nnq6rcnftvsmjwq._file
Verdict:
malicious
Label(s):
hawkeyekeylogger
Create hunting rule
Similar samples:
06c57d4b322f81ecbab54213b8850ecd29408f5ca5814641927cd5c5c3acb892
PhoenixKeylogger
22de80f7b695a2d2de01c7de28554a3588b1a115c370df9d4ed6da63fa2fbc21
PhoenixKeylogger
3c6902ab74526dac496d24e6be3db45c54d4ccc2530725c353dee1495c34b7e8
PhoenixKeylogger
463310350b11f648122f686b760d583275d10bb5e2fc7e810788cb2553436418
PhoenixKeylogger
639b1e539bcaeaf95b0c6e64ca52831a4287ecd5748ff13824a60a8b25b26fbf
PhoenixKeylogger
7dd02ed6230b0adde343aca84f8693a1c0d3ade225679849bf72849ad84107ca
PhoenixKeylogger
c2dc84d69a583c5a9f37109f1c2066af3eca496a1aabb2589c5918a1ca3cb1d7
PhoenixKeylogger
c9fbaba2cece9a148814fc244e4975de08a58d5fc1ccab3132a29748d8e863e2
PhoenixKeylogger
cbeefe51466bc72c1d6ac6d8a24c4da9a9c8f66d2e388a057bb6ce5c197c152d
PhoenixKeylogger
d5428c33e4529ecf6c9c4b338a65c7f9d990f956744da9a8089d6b9a0156f9f9
PhoenixKeylogger
+ 2'631 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
spyware
Link:
https://tria.ge/reports/200709-qxnzrmgyc2/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Suspicious behavior: MapViewOfSection
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetThreadContext
Suspicious use of SetThreadContext
Looks up external IP address via web service
Looks up external IP address via web service
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Reads user/profile data of web browsers
Reads data files stored by FTP clients
Reads user/profile data of local email clients
UPX packed file
UPX packed file
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:MAL_Envrial_Jan18_1
Create hunting rule
Author:Florian Roth
Description:Detects Encrial credential stealer malware
Reference:https://twitter.com/malwrhunterteam/status/953313514629853184
Rule name:win_404keylogger_g0
Create hunting rule
Author:Slavo Greminger, SWITCH-CERT, Daniel Plohmann <daniel.plohmann<at>fkie.fraunhofer.de>

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

PhoenixKeylogger

arj 5f87d3d2de86061021fe30c5afe9d8e7154549036ba68200064658031c325eff

PhoenixKeylogger

Executable exe 4d10520e2b80ca42e98590435c36c5409a458d9a5bd0ad35b0f444d2ceb2626d

(this sample)

  
Dropped by
MD5 171d213647672f7097e266f992e944fc
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/23937/
  
Dropped by
SHA256 5f87d3d2de86061021fe30c5afe9d8e7154549036ba68200064658031c325eff

Comments