MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4f2a4b35cda0c85b4a0ead82e8af588d7812d79206a104ff638619aa869aade4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 4

Intelligence 4 IOCs YARA File information Comments

SHA256 hash:	4f2a4b35cda0c85b4a0ead82e8af588d7812d79206a104ff638619aa869aade4
SHA3-384 hash:	6e15ff330cc29e250582495c47e17377cc03293b709a8882a5fff08aa13fe66b3603f4e32c198fab46f8c2af5db1f443
SHA1 hash:	4b9851ec58d83528a5542672331f5c725566ec7c
MD5 hash:	1c2a87f4cf2a34ea24b73221cc64802e
humanhash:	uncle-wolfram-kitten-alaska
File name:	SecuriteInfo.com.BehavesLike.Win32.Generic.fh.31166
Download:	download sample
File size:	349'184 bytes
First seen:	2020-05-17 10:35:18 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'468 x Formbook, 12'206 x SnakeKeylogger)
ssdeep	6144:/uG8eelhCqmhCuG2YS6FNBet6LESwn+6OWhfh7Ole1tFWP8IEtiaDCiuoSFT:V8e0hCqyCQYPbBe8fwUWhfh7Ole1t0Ph
Threatray	8 similar samples on MalwareBazaar
TLSH	5074E7AC3650B5DFC817CE36C9682C60EA60647B570BE703A05716ECDA0EA9BDF151F2
Reporter	SecuriteInfoCom

Intelligence

File Origin

# of uploads :

1

# of downloads :

78

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

SecuriteInfo.com.BehavesLike.Win32.Generic.fh.31166.UNOFFICIAL

Gathering data

Threat name:

ByteCode-MSIL.Trojan.Agensla

Status:

Malicious

First seen:

2020-05-17 07:40:49 UTC

File Type:

PE (.Net Exe)

Extracted files:

11

AV detection:

27 of 31 (87.10%)

Threat level:

2/5

Verdict:

malicious

Similar samples:

03bb4d5c0179fdceacc5df7645e6e7fa93e931ac9beb1968c7bbe40ba3499194

6c39c5f5d143700d4ad43b0aa7fb6a51e77817060467cf3462ef037176e1f50f

7949bf3e09366bdb23ca7472cb6c4d9183ad5b081ac5a568d556aec8beae0785

868cb8251a245c416cd92fcbd3e30aa7b7ca7c271760fa120d2435fd3bf2fde9

86c54f746b7af0ffaa40444e44b4dfd8e2d598bb31ad932cc2fb1ac1c83237ce

9dde984b21a00bc3307c28bd81f229500b795ce4e908b6f8cb5fbd338b22b8e1

ac0882d87027ac22fc79cfe2d55d9a9d097d0f8eb425cf182de1b872080930ec

f9348fb8d78baa055f90288fec94b67d3f3d30eaa5744feeacef871ee3ad8eb8

Result

Malware family:

phobos

Score:

10/10

Tags:

family:phobos evasion persistence ransomware spyware

Link:

https://tria.ge/reports/201109-qab25lrtme/

Behaviour

Interacts with shadow copies

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Checks SCSI registry key(s)

Drops file in Program Files directory

Modifies service

Suspicious use of SetThreadContext

Adds Run key to start application

Drops desktop.ini file(s)

Drops startup file

Reads user/profile data of web browsers

Deletes backup catalog

Deletes shadow copies

Deletes system backup catalog

Modifies boot configuration data using bcdedit

Phobos

Suspicious use of NtCreateUserProcessOtherParentProcess

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

exe 4f2a4b35cda0c85b4a0ead82e8af588d7812d79206a104ff638619aa869aade4

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/363848/

Delivery method

Distributed via web download

URLhaus

https://urlhaus.abuse.ch/url/363849/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample