MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1c524c438438a2998e6f47513a8b639dc7f9c1ea649085bea77b2509f5e62dd5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

PhoenixStealer

Vendor detections: 10

Intelligence 10 IOCs YARA 6 File information Comments

SHA256 hash:	1c524c438438a2998e6f47513a8b639dc7f9c1ea649085bea77b2509f5e62dd5
SHA3-384 hash:	150cd65bf85816cdf953c7ba75114cd7e65aca045228273e9d07af7efd3aad89fffc555e360c173bbab46d80aec416f6
SHA1 hash:	12d517d298cff39d493d1de9e6da6e24c0b4f5ac
MD5 hash:	d6400095bffdf07603da238051f31bd4
humanhash:	single-red-ten-bulldog
File name:	28166889.exe
Download:	download sample
Signature	PhoenixStealer Create hunting rule
File size:	5'494'784 bytes
First seen:	2022-03-19 05:16:16 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	4328f7206db519cd4e82283211d98e83 (533 x RedLineStealer, 18 x Arechclient2, 15 x DCRat)
ssdeep	98304:F+I53ziFnREI8AWlOe9GHa53EsOsLObV3BjrNKqe4SZiJ6Cofxo:F+g3z0LY3EsOskAqAi
Threatray	11'571 similar samples on MalwareBazaar
TLSH	T104464AF1390AA2DFD1AB44B4E856CE03E42D53F646249801DC6DB8BEEE93D8515CAF1C
File icon (PE):
dhash icon	b2f0cccc969669d4 (1 x PhoenixStealer)
Reporter	adm1n_usa32
Tags:	exe PandaStealer PhoenixStealer

Intelligence

File Origin

# of uploads :

# of downloads :

311

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/252930/

Detection(s):

SecuriteInfo.com.Trojan.Downloader.10124.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Сreating synchronization primitives

DNS request

Sending a custom TCP request

Creating a file

Creating a process from a recently created file

Searching for synchronization primitives

Launching the default Windows debugger (dwwin.exe)

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

control.exe greyware packed shell32.dll stealer update.exe

Link:

https://www.filescan.io/uploads/62356751dfdfa8501cb98f03/reports/bf0e652f-3a20-4241-94d1-1953e3b77c34/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Panda Stealer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/8bd7d2b4-31d1-4046-847c-3244f2da90e1

Result

Threat name:

Panda Stealer Phoenix Stealer

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/960002

Signature

.NET source code contains potential unpacker

Antivirus detection for dropped file

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Query firmware table information (likely to detect VMs)

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Yara detected Panda Stealer

Yara detected Phoenix Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/1c524c438438a2998e6f47513a8b639dc7f9c1ea649085bea77b2509f5e62dd5/

Threat name:

Win32.Trojan.Matanbuchus

Status:

Malicious

First seen:

2022-03-19 05:17:12 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

20 of 27 (74.07%)

Threat level:

5/5

Verdict:

malicious

PhoenixStealer

15a772d0dcbde0cffde9b58be5007244fd23159daaa67110f53259ffff69b3c9

PhoenixStealer

2b697dedde68e57f4ce0031983226e1db30f0e41e52e5307f1bb1eddc87ae7e7

PhoenixStealer

3cc17e8a578397b8dad4299539f31925ea3777455d112dafbaf7df283c7cb11e

PhoenixStealer

77b9b69c6a0c2d1ca22a03ce3833852a11e06ca4a0e47e7dfd8b4c3f1846c350

PhoenixStealer

7a76c39cebc89415a125d7773796ac539e0fc0f36a4663ec0ec75fec0d46bb7c

PhoenixStealer

a2ab9acad51433ee88a2558ad59f5171b8bc3da7ffe80818423d478f94adf618

PhoenixStealer

a97397b1d9ac7e1b1aab153d2529680c0d6f0977c9e2f68c3febd1661629dbe1

PhoenixStealer

bf3208f8363c2f4c8f0c431ec05376c3b1fefff9175423bb242755173229308e

PhoenixStealer

c153071c43613a6ff4c454e3fda8c29ac41908fa8e6dab9d9f021e9263b456a2

PhoenixStealer

+ 11'561 additional samples on MalwareBazaar

Result

Malware family:

phoenixstealer

Score:

10/10

Tags:

family:phoenixstealer evasion stealer themida trojan

Link:

https://tria.ge/reports/220319-fyp9ascdhn/

Behaviour

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Program crash

Checks whether UAC is enabled

Checks BIOS information in registry

Checks computer location settings

Loads dropped DLL

Themida packer

Downloads MZ/PE file

Executes dropped EXE

Identifies VirtualBox via ACPI registry values (likely anti-VM)

PhoenixStealer

Unpacked files

SH256 hash:

1c524c438438a2998e6f47513a8b639dc7f9c1ea649085bea77b2509f5e62dd5

MD5 hash:

d6400095bffdf07603da238051f31bd4

SHA1 hash:

12d517d298cff39d493d1de9e6da6e24c0b4f5ac

Link:

https://www.unpac.me/results/3ffa00f6-1f05-4180-b29b-93135a40975f/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

0.95

Link:

https://yomi.yoroi.company/submissions/1c524c438438a2998e6f47513a8b639dc7f9c1ea649085bea77b2509f5e62dd5

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_EXE_Packed_Themida Create hunting rule
Author:	ditekSHen
Description:	Detects executables packed with Themida

Rule name:	INDICATOR_SUSPICIOUS_EXE_DiscordURL Create hunting rule
Author:	ditekSHen
Description:	Detects executables Discord URL observed in first stage droppers

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	SUSP_Discord_Attachments_URL Create hunting rule
Author:	SECUINFRA Falcon Team
Description:	Detects a PE file that contains an Discord Attachments URL. This is often used by Malware to download further payloads

Rule name:	SUSP_PE_Discord_Attachment_Oct21_1 Create hunting rule
Author:	Florian Roth
Description:	Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN)
Reference:	Internal Research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/252930/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample