MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 356799503f195db260e08a81d42a431b4ebd47cef94eddc96f24a0fd3e49d716. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Phobos

Vendor detections: 15

Intelligence 15 IOCs YARA 5 File information Comments 1

SHA256 hash:	356799503f195db260e08a81d42a431b4ebd47cef94eddc96f24a0fd3e49d716
SHA3-384 hash:	7fbbb13aa4cbcd9ec58ba0d67ac3d9935b9b13cdf48c342b6fa140b99eb9caf3e04279cb21b62d542d67a7cd5f5c1463
SHA1 hash:	f823f35c00580524fef34d9084721a4cea703016
MD5 hash:	e244628c750d40509ef2e3e72e4c2049
humanhash:	gee-crazy-tango-nuts
File name:	e244628c750d40509ef2e3e72e4c2049
Download:	download sample
Signature	Phobos Create hunting rule
File size:	645'120 bytes
First seen:	2023-09-07 08:01:02 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'608 x Formbook, 12'242 x SnakeKeylogger)
ssdeep	12288:Etj+xbGF2Wi8qpq3ll2iEpiXH7Nu6GKy:aj0E2WNq03l0rpiXHhp
Threatray	176 similar samples on MalwareBazaar
TLSH	T1A8D43907BA4EC9E2E2891736C69F450403B6D5C2639BEB0A798F23B5D8C37A7DD42507
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10523/12/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4505/5/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter	zbetcheckin
Tags:	32 exe Phobos

Intelligence

File Origin

# of uploads :

# of downloads :

357

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

e244628c750d40509ef2e3e72e4c2049

Verdict:

Malicious activity

Analysis date:

2023-09-07 08:01:32 UTC

Tags:

ransomware

Link:

https://app.any.run/tasks/17c57dda-ea77-4aad-aace-3768acab2c17

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Phobos

Link:

https://www.capesandbox.com/analysis/446911/

Detection(s):

SecuriteInfo.com.Win32.PWSX-gen.24074.11684.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Unauthorized injection to a recently created process

Restart of the analyzed sample

Creating a file

Сreating synchronization primitives

Launching a service

Searching for synchronization primitives

Launching cmd.exe command interpreter

Creating a process with a hidden window

Changing a file

Modifying an executable file

Modifies multiple files

Replacing executable files

Creating a file in the Program Files directory

Creating a file in the Program Files subdirectories

Launching the process to change the firewall settings

Moving a file to the Program Files subdirectory

Creating a file in the %AppData% subdirectories

Moving a file to the %AppData% subdirectory

Launching a process

Creating a window

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Creating a file in the mass storage device

Deleting volume shadow copies

Enabling autorun for a service

Preventing system recovery

Enabling autorun by creating a file

Infecting executable files

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/64f98344560864d1b67700a0/reports/4afd613e-beb4-40fd-97b6-fcb9eb3b7358/overview

Verdict:

Malicious

Labled as:

Zusy.Generic

Link:

https://www.hybrid-analysis.com/sample/356799503f195db260e08a81d42a431b4ebd47cef94eddc96f24a0fd3e49d716

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

CinaRAT

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/77a257f5-5b53-4c10-a359-5632d254aea4

Result

Threat name:

Phobos, Voidcrypt

Detection:

malicious

Classification:

rans.spre.adwa.spyw.evad.phis

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1305047

Signature

.NET source code contains potential unpacker

Creates files in the recycle bin to hide itself

Deletes shadow drive data (may be related to ransomware)

Deletes the backup plan of Windows

Drops PE files to the startup folder

Infects executable files (exe, dll, sys, html)

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

May disable shadow drive data (uses vssadmin)

Modifies the windows firewall

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Delete shadow copy via WMIC

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Uses bcdedit to modify the Windows boot settings

Uses netsh to modify the Windows network and firewall settings

Writes many files with high entropy

Yara detected Costura Assembly Loader

Yara detected Phobos

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/356799503f195db260e08a81d42a431b4ebd47cef94eddc96f24a0fd3e49d716/

Threat name:

Win32.Spyware.Zombie

Status:

Malicious

First seen:

2023-09-07 08:02:05 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

21 of 24 (87.50%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=gvtzsub7dfo3eyharka5iksddnhl2r6o7fhn3slpesqp2psj24la._file

Verdict:

malicious

Phobos

34e1a82f7334c825aab19a21d94361c3225ee8ad9a2027830aeea7d82f59ca15

Phobos

3c4ad3e800eb1b6e313b86f527ffed41f34e46221da557d611b55bae2ba46588

Phobos

64cc071973e05ae577f32bab349fafb4dba96ba9b8cab272aa5cd9d6074e5a39

Phobos

bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732

Phobos

c8d9a9758516d5a8936bd3bc01a9997fb677ed1dc54081caa985883935ff092b

Phobos

e165b3e962a2916ed4693993f1911c04b18fcbf7fbdaa824d0e57449da4e4099

Phobos

ed42bb9e3f5959e3d58872874381d92e50c601cd1be46effeb3724ff19eeef71

Phobos

+ 166 additional samples on MalwareBazaar

Result

Malware family:

phobos

Score:

10/10

Tags:

family:phobos evasion persistence ransomware spyware stealer

Link:

https://tria.ge/reports/230907-jwk4cafe99/

Behaviour

Checks SCSI registry key(s)

Interacts with shadow copies

Modifies Internet Explorer settings

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Uses Volume Shadow Copy service COM API

Enumerates physical storage devices

Drops file in Program Files directory

Suspicious use of SetThreadContext

Adds Run key to start application

Drops desktop.ini file(s)

Checks computer location settings

Drops startup file

Reads user/profile data of web browsers

Deletes backup catalog

Modifies Windows Firewall

Deletes shadow copies

Modifies boot configuration data using bcdedit

Renames multiple (320) files with added filename extension

Renames multiple (472) files with added filename extension

Phobos

Unpacked files

SH256 hash:

fd7b1da37cd67ce728180384b12ca15b3e29e519df85391790081dd4543b3ef4

MD5 hash:

80cc043e06241b0ca09be86ca8a60b7c

SHA1 hash:

bada3e24056423e938372e73717216c952dbe805

Link:

https://www.unpac.me/results/781f8cc1-166c-4875-bd4b-18b4c1163501/

SH256 hash:

b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53

MD5 hash:

966061cecee2b65fe7149dfa1d0f2c3a

SHA1 hash:

691ed7b6c4c0bdd824ede0514aacda9d7adc51f1

Link:

https://www.unpac.me/results/781f8cc1-166c-4875-bd4b-18b4c1163501/

SH256 hash:

09bc9120aa203fae930fb35668d4ac12f1c38e69126d29d91166a0e525e93204

MD5 hash:

7c18a6729ff75c130e57fbd31b559626

SHA1 hash:

68197c63ce69a6ec67730aa9917ba26a075e5540

Link:

https://www.unpac.me/results/781f8cc1-166c-4875-bd4b-18b4c1163501/

SH256 hash:

19efdf03cb94895935225795f68bb9abfded1869687367013b8b4eee3cc99372

MD5 hash:

4e29f75c0c51b9dec76955f0382d9541

SHA1 hash:

4899aa8e3f57339cbaec8faab777897a76fe1c3a

Link:

https://www.unpac.me/results/781f8cc1-166c-4875-bd4b-18b4c1163501/

SH256 hash:

356799503f195db260e08a81d42a431b4ebd47cef94eddc96f24a0fd3e49d716

MD5 hash:

e244628c750d40509ef2e3e72e4c2049

SHA1 hash:

f823f35c00580524fef34d9084721a4cea703016

Link:

https://www.unpac.me/results/781f8cc1-166c-4875-bd4b-18b4c1163501/

Malware family:

Dharma

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/356799503f19/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/356799503f195db260e08a81d42a431b4ebd47cef94eddc96f24a0fd3e49d716

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	MALWARE_Win_Phobos Create hunting rule
Author:	ditekshen
Description:	Detects Phobos ransomware

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	Windows_Ransomware_Phobos_11ea7be5 Create hunting rule
Author:	Elastic Security
Description:	Identifies Phobos ransomware
Reference:	https://malpedia.caad.fkie.fraunhofer.de/details/win.phobos