MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Phobos


Vendor detections: 14


Intelligence 14 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c
SHA3-384 hash: e82e3dd519c118ebf911b6b7e6355027583a4b332546ff20536c4cb112c433f6e157bcd4c1abeef63c24eac7503b4bd9
SHA1 hash: dc88893abba370aab576dcc9bd60b5fc7bb5dd4e
MD5 hash: a2f3d796dc2c2f474188db58d5ca7593
humanhash: timing-wisconsin-virginia-oven
File name:a2f3d796dc2c2f474188db58d5ca7593
Download: download sample
Signature Phobos
Create hunting rule
File size:168'960 bytes
First seen:2023-07-14 08:05:16 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash c6b23c9c77136c0217965b910816add2 (4 x RedLineStealer, 2 x SystemBC, 1 x Amadey)
ssdeep 3072:RONnlLWEFpHEVITy9VG4Req0CFkIOomD7Pp65vOs2C:+lLWcpHuSM3IGFROokP2Om
Threatray 102 similar samples on MalwareBazaar
TLSH T147F3CF2179E0C072D96786350871E6B0A92F78635B75898B374817FE1EF12D25B7A3C3
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 08081a3070a0c000 (1 x Phobos)
Reporter zbetcheckin
Tags:32 exe Phobos

Intelligence

File Origin
# of uploads :
1
# of downloads :
346
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
a662ba3492a7d218908f5d851841ed96
Verdict:
Malicious activity
Analysis date:
2023-07-14 08:06:27 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/e47e7308-cd1b-4ac1-a69a-0e30a7a007c2

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Phobos
Create hunting rule
Link:
https://www.capesandbox.com/analysis/418664/
Detection(s):
Win.Packer.pkr_ce1a-9980177-0
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Sending a custom TCP request
Result
Malware family:
n/a
Score:
  9/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/97576/overview
Behaviour
MalwareBazaar
SystemUptime
MeasuringTime
CPUID_Instruction
EvasionQueryPerformanceCounter
CheckCmdLine
EvasionGetTickCount
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/64b101eb6e9f7019dea0a8ae/reports/5976c80f-5708-43ba-8c1b-cd6a2520418d/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Phobos Ransomware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/938dff7f-829d-45d4-825f-63205619a1b3
Result
Threat name:
Phobos, Voidcrypt
Create hunting rule
Detection:
malicious
Classification:
rans.spre.adwa.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1273007
Signature
Creates files in the recycle bin to hide itself
Creates files inside the volume driver (system volume information)
Deletes shadow drive data (may be related to ransomware)
Deletes the backup plan of Windows
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Drops PE files to the startup folder
Found evasive API chain (may stop execution after checking locale)
Infects executable files (exe, dll, sys, html)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May disable shadow drive data (uses vssadmin)
Modifies the windows firewall
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Delete shadow copy via WMIC
Tries to harvest and steal browser information (history, passwords, etc)
Uses bcdedit to modify the Windows boot settings
Uses netsh to modify the Windows network and firewall settings
Yara detected Phobos
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1273007 Sample: z6VIlX5XbB.exe Startdate: 14/07/2023 Architecture: WINDOWS Score: 100 64 Malicious sample detected (through community Yara rule) 2->64 66 Multi AV Scanner detection for dropped file 2->66 68 Multi AV Scanner detection for submitted file 2->68 70 5 other signatures 2->70 7 z6VIlX5XbB.exe 2 501 2->7         started        11 z6VIlX5XbB.exe 2->11         started        13 wbengine.exe 3 2->13         started        15 2 other processes 2->15 process3 file4 44 C:\Users\user\AppData\...\z6VIlX5XbB.exe, PE32 7->44 dropped 46 C:\Users\user\AppData\Local\z6VIlX5XbB.exe, PE32 7->46 dropped 48 C:\ProgramData\Microsoft\...\z6VIlX5XbB.exe, PE32 7->48 dropped 50 4 other malicious files 7->50 dropped 72 Detected unpacking (changes PE section rights) 7->72 74 Detected unpacking (overwrites its own PE header) 7->74 76 Creates files in the recycle bin to hide itself 7->76 84 3 other signatures 7->84 17 cmd.exe 1 7->17         started        20 cmd.exe 7->20         started        22 cmd.exe 7->22         started        24 4 other processes 7->24 78 Multi AV Scanner detection for dropped file 11->78 80 Found evasive API chain (may stop execution after checking locale) 11->80 82 Creates files inside the volume driver (system volume information) 13->82 signatures5 process6 signatures7 52 May disable shadow drive data (uses vssadmin) 17->52 54 Deletes shadow drive data (may be related to ransomware) 17->54 56 Uses netsh to modify the Windows network and firewall settings 17->56 58 Modifies the windows firewall 17->58 26 bcdedit.exe 8 1 17->26         started        28 bcdedit.exe 7 1 17->28         started        30 conhost.exe 17->30         started        40 3 other processes 17->40 60 Uses bcdedit to modify the Windows boot settings 20->60 62 Deletes the backup plan of Windows 20->62 32 conhost.exe 20->32         started        42 5 other processes 20->42 34 netsh.exe 3 22->34         started        36 netsh.exe 3 22->36         started        38 conhost.exe 22->38         started        process8
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c/
Threat name:
Win32.Trojan.SmokeLoader
Create hunting rule
Status:
Malicious
First seen:
2023-07-14 08:06:06 UTC
File Type:
PE (Exe)
Extracted files:
6
AV detection:
18 of 24 (75.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=icgwfs7upcozkmzdb37utofulqi3ah6yzdlnmxwdhfzf25jbusga._file
Verdict:
malicious
Similar samples:
0c0c9a19db1f89d94ddcd8af54fa631798e3ccc82743faae6d9818759f2dbcc1
Phobos
34e1a82f7334c825aab19a21d94361c3225ee8ad9a2027830aeea7d82f59ca15
Phobos
64cc071973e05ae577f32bab349fafb4dba96ba9b8cab272aa5cd9d6074e5a39
Phobos
ae0087b0e2f4292c64c5232368e562c30da4db998734b9b3dd5e27f456741f9c
Phobos
b8623632ef4735f184691e98adaaa01e707f5287759ee0516fb1672db6187642
Phobos
c8d9a9758516d5a8936bd3bc01a9997fb677ed1dc54081caa985883935ff092b
Phobos
caf660d5a464070e4a488bb3d2153c90204f739e75684f4d8ed56de1062b2f87
Phobos
e165b3e962a2916ed4693993f1911c04b18fcbf7fbdaa824d0e57449da4e4099
Phobos
ed42bb9e3f5959e3d58872874381d92e50c601cd1be46effeb3724ff19eeef71
Phobos
+ 92 additional samples on MalwareBazaar
Result
Malware family:
phobos
Create hunting rule
Score:
  10/10
Tags:
family:phobos evasion persistence ransomware spyware stealer
Link:
https://tria.ge/reports/230714-jzd47scg59/
Behaviour
Checks SCSI registry key(s)
Interacts with shadow copies
Modifies Internet Explorer settings
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Uses Volume Shadow Copy service COM API
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Adds Run key to start application
Drops desktop.ini file(s)
Checks computer location settings
Drops startup file
Reads user/profile data of web browsers
Deletes backup catalog
Modifies Windows Firewall
Deletes shadow copies
Modifies boot configuration data using bcdedit
Renames multiple (312) files with added filename extension
Renames multiple (479) files with added filename extension
Phobos
Unpacked files
SH256 hash:
b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53
MD5 hash:
966061cecee2b65fe7149dfa1d0f2c3a
SHA1 hash:
691ed7b6c4c0bdd824ede0514aacda9d7adc51f1
Link:
https://www.unpac.me/results/52bf1f24-e655-4141-95a1-c2cfd079562a/
SH256 hash:
408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c
MD5 hash:
a2f3d796dc2c2f474188db58d5ca7593
SHA1 hash:
dc88893abba370aab576dcc9bd60b5fc7bb5dd4e
Link:
https://www.unpac.me/results/52bf1f24-e655-4141-95a1-c2cfd079562a/
Malware family:
Dharma
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/408d62cbf478/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Phobos

Executable exe 408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2682455/
Cape
Cape
https://www.capesandbox.com/analysis/418664/

Comments


Avatar
zbet commented on 2023-07-14 08:05:17 UTC

url : hxxp://fexstat257.xyz/mtx111.exe