MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0d2ada23e3ed12fff4c0e31377f1f577bcca7694b73545049a36f443d6c83215. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0d2ada23e3ed12fff4c0e31377f1f577bcca7694b73545049a36f443d6c83215
SHA3-384 hash: 37919fc5e8a1c148474973dcb9e7786f3cb86cf8d5912d7f92e903c765ddddaa5ea5822b2c18ff26e88c2e3dee7dd80b
SHA1 hash: e7cc7bd70b128d63ef1e54345d6b97d8fd02ffb8
MD5 hash: f47ddf38902e6e745ae49168bc55c0fc
humanhash: eleven-saturn-grey-carpet
File name:f47ddf38902e6e745ae49168bc55c0fc
Download: download sample
File size:619'950 bytes
First seen:2022-02-02 00:44:27 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash fcf1390e9ce472c7270447fc5c61a0c1 (863 x DCRat, 118 x NanoCore, 94 x njrat)
ssdeep 12288:AzxzTDWikLSb4NS7Yb7R0+5aUfFQ91YkXvGRB7MqiZ:2DWHSb4N1s9Wf3CZ
Threatray 1'410 similar samples on MalwareBazaar
TLSH T155D4ADC1A984D561D4613834B9E695F0592FEC6CFA34B6D7A38C7E1AFB330809E60763
File icon (PE):PE icon
dhash icon 70d8f0e0e2a2f870 (1 x PhoenixKeylogger)
Reporter zbetcheckin
Tags:32 exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
188
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
f47ddf38902e6e745ae49168bc55c0fc
Verdict:
Malicious activity
Analysis date:
2022-02-02 00:51:21 UTC
Tags:
evasion
Link:
https://app.any.run/tasks/7cc91236-c60f-49f8-8f97-4af04f28655f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/229650/
Detection(s):
SecuriteInfo.com.Gen.Variant.Razy.582340.18684.14597.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Сreating synchronization primitives
Searching for synchronization primitives
Creating a file
Creating a process from a recently created file
DNS request
Sending an HTTP GET request
Using the Windows Management Instrumentation requests
Launching a process
Sending a custom TCP request
Creating a process with a hidden window
Setting a global event handler
Unauthorized injection to a recently created process
Setting a global event handler for the keyboard
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/5738/overview
Behaviour
MalwareBazaar
MeasuringTime
EvasionQueryPerformanceCounter
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware overlay packed setupapi.dll shdocvw.dll shell32.dll update.exe
Link:
https://www.filescan.io/uploads/61f9d41ca0f6a794b331f2f8/reports/39008174-a9a6-4364-97c7-3d3676c931ba/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/dab1c235-0315-456c-ad4d-430256b135e6
Result
Threat name:
PhoenixKeylogger
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.evad
Score:
66 / 100
Link:
https://www.joesandbox.com/analysis/933101
Signature
.NET source code references suspicious native API functions
Antivirus detection for dropped file
Contains functionality to capture screen (.Net source)
Found malware configuration
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Execution from Suspicious Folder
Sigma detected: Suspicious Program Location with Network Connections
Sigma detected: Suspicious Remote Thread Created
Sigma detected: WScript or CScript Dropper
Uses shutdown.exe to shutdown or reboot the system
Yara detected PhoenixKeylogger
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 565576 Sample: 2cB42TzofC Startdate: 03/02/2022 Architecture: WINDOWS Score: 66 48 Found malware configuration 2->48 50 Malicious sample detected (through community Yara rule) 2->50 52 Multi AV Scanner detection for submitted file 2->52 54 8 other signatures 2->54 8 2cB42TzofC.exe 3 8 2->8         started        11 explorer.exe 21 10 2->11         started        13 explorer.exe 2->13         started        15 5 other processes 2->15 process3 file4 38 C:\Users\Public\Downloads\systems.exe, PE32 8->38 dropped 40 C:\Users\Public\Downloads\vbs.vbs, ISO-8859 8->40 dropped 17 systems.exe 15 5 8->17         started        21 wscript.exe 1 8->21         started        process5 dnsIp6 42 smtp.gmail.com 108.177.127.108, 49718, 49721, 49722 GOOGLEUS United States 17->42 44 108.177.127.109, 49723, 49724, 49728 GOOGLEUS United States 17->44 46 2 other IPs or domains 17->46 56 Antivirus detection for dropped file 17->56 58 Multi AV Scanner detection for dropped file 17->58 60 May check the online IP address of the machine 17->60 62 2 other signatures 17->62 23 explorer.exe 1 17->23         started        25 explorer.exe 17->25         started        27 explorer.exe 17->27         started        32 5 other processes 17->32 29 cmd.exe 1 21->29         started        signatures7 process8 signatures9 64 Uses shutdown.exe to shutdown or reboot the system 29->64 34 conhost.exe 29->34         started        36 shutdown.exe 1 29->36         started        process10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0d2ada23e3ed12fff4c0e31377f1f577bcca7694b73545049a36f443d6c83215/
Threat name:
ByteCode-MSIL.Backdoor.Phoenix
Create hunting rule
Status:
Malicious
First seen:
2022-02-02 00:45:11 UTC
File Type:
PE (Exe)
Extracted files:
20
AV detection:
23 of 28 (82.14%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
1a3736d0a59836c3feecb448a77c4ab269dbd29df9de58ef81070129e248eb6c
3b28cef3fbfcc3a04ec60110dc57b789425a4bab6b7be57e20b7bbd08783e043
41f7f900d07f07c3f6d9d8aba51633b84766f7afe166505ac25a1bc5854f5f4a
4f21ab65d432de2cf873d496e6a54514e12c62f4cc12623cab84f001b7380cb2
6aae470221ba1879a26af8172df018f07eafa1f26857a8b33092b7da5582317c
7e4bc5c98691dd99d7c856dc26110113c15d72fb5b8a73db75a9c9b2bee021e2
b0b851f99f1cc076735446c7604066a790017d08654f864851622781847ea92e
fb4e1ee6f7fb1b22dd7b4f011ffadab81337cfe2d8171219b49df67e814ce5ef
fcc6991da240e198d58b22894f5eee6f1c0ba2a73774145747fe70be835bd8d8
+ 1'400 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://tria.ge/reports/220202-a326rsdfdm/
Behaviour
Modifies data under HKEY_USERS
Modifies registry class
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Looks up external IP address via web service
Checks computer location settings
Loads dropped DLL
Executes dropped EXE
Unpacked files
SH256 hash:
3afa1c6ccae1eaec78f3211e40151061118228cccd405f7ce604b7c422579957
MD5 hash:
d2d4e008c12a9592119a27f9d59708a4
SHA1 hash:
6186e2ed7c9a1d1a3739dd52738de1d9abf8ad2e
Link:
https://www.unpac.me/results/6d384d69-2cbf-48a1-8506-259f62429e61/
SH256 hash:
0d2ada23e3ed12fff4c0e31377f1f577bcca7694b73545049a36f443d6c83215
MD5 hash:
f47ddf38902e6e745ae49168bc55c0fc
SHA1 hash:
e7cc7bd70b128d63ef1e54345d6b97d8fd02ffb8
Link:
https://www.unpac.me/results/6d384d69-2cbf-48a1-8506-259f62429e61/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/0d2ada23e3ed12fff4c0e31377f1f577bcca7694b73545049a36f443d6c83215

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe 0d2ada23e3ed12fff4c0e31377f1f577bcca7694b73545049a36f443d6c83215

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/229650/

Comments


Avatar
zbet commented on 2022-02-02 00:44:29 UTC

url : hxxp://microsoftofficial.y28.store/WindowsUpdate.exe