MalwareBazaar Database
You are currently viewing the MalwareBazaar entry for SHA256 4ff314143f6fea359946a81034ec04a4f515998fc23c6937bc5d032b02f01bea. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.
Database Entry
Phobos
Vendor detections: 14
| SHA256 hash: | 4ff314143f6fea359946a81034ec04a4f515998fc23c6937bc5d032b02f01bea |
|---|---|
| SHA3-384 hash: | 29e5d1e16462213bf2f2f002fe582dec858ccb1d14fb9654bc5e8c215e70056b546a7e667527788e57b4061e31f195e1 |
| SHA1 hash: | 99b5b69c4c3c6946162c1239ddbfa6e366cce3e3 |
| MD5 hash: | fcb76d19b9003bd5522c6da0703175d5 |
| humanhash: | diet-carbon-green-skylark |
| File name: | LisectAVT_2403002C_164.exe |
| Download: | download sample |
| Signature | Phobos |
| File size: | 73'728 bytes |
| First seen: | 2024-07-25 01:44:19 UTC |
| Last seen: | Never |
| File type: |  exe |
| MIME type: | application/x-dosexec |
| imphash | 851a0ba8fbb71710075bdfe6dcef92eb (67 x Phobos, 2 x Worm.Ramnit) |
| ssdeep | 1536:lNeRBl5PT/rx1mzwRMSTdLpJSVJaaw38x6S3hT3GCq2iW7z:lQRrmzwR5J7UthDGCH |
| Threatray | 177 similar samples on MalwareBazaar |
| TLSH | T16073DF56685984B2CCA64570243A7F4F4FBF950080F484978F394ED73ED6923EB2A3B9 |
| TrID | 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10523/12/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4504/4/1) |
| Reporter | Anonymous |
| Tags: | exe Phobos |
Anonymous
this malware sample is very nasty!Intelligence
File Origin
# of uploads :
1
# of downloads :
312
Origin country :
CNVendor Threat Intelligence
Gathering data
Result
Verdict:
Malware
Maliciousness:
Behaviour
Creating a file in the %temp% directory
Creating a process from a recently created file
Changing an executable file
Creating a window
Сreating synchronization primitives
Launching a service
Restart of the analyzed sample
Connection attempt to an infection source
Sending an HTTP GET request to an infection source
Searching for synchronization primitives
Creating a file
Launching cmd.exe command interpreter
Creating a process with a hidden window
Changing a file
Modifying an executable file
Modifies multiple files
Launching the process to change the firewall settings
Creating a file in the Program Files subdirectories
Replacing executable files
Creating a file in the Program Files directory
Moving a file to the Program Files subdirectory
Launching a process
Creating a file in the %AppData% subdirectories
Deleting a recently created file
Using the Windows Management Instrumentation requests
Network activity
Query of malicious DNS domain
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Creating a file in the mass storage device
Deleting volume shadow copies
Enabling autorun for a service
Preventing system recovery
Enabling autorun by creating a file
Infecting executable files
Encrypting user's files
Verdict:
Likely Malicious
Threat level:
7.5/10
Confidence:
100%
Tags:
fingerprint lolbin microsoft_visual_cc packed shell32
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Bdaejec, Phobos, Voidcrypt
Detection:
malicious
Classification:
rans.spre.troj.adwa.evad
Score:
100 / 100
Behaviour
Behavior Graph:
n/a
Score:
100%
Verdict:
Malware
File Type:
PE
Detection:
phobos
Threat name:
Win32.Virus.Wapomi
Status:
Malicious
First seen:
2024-07-25 01:45:13 UTC
File Type:
PE (Exe)
Extracted files:
2
AV detection:
23 of 24 (95.83%)
Threat level:
5/5
Detection(s):
Suspicious file
Verdict:
malicious
Similar samples:
+ 167 additional samples on MalwareBazaar
Result
Malware family:
phobos
Score:
10/10
Tags:
family:phobos aspackv2 credential_access defense_evasion discovery evasion execution impact persistence privilege_escalation ransomware spyware stealer
Behaviour
Checks SCSI registry key(s)
Interacts with shadow copies
Modifies Internet Explorer settings
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Uses Volume Shadow Copy service COM API
Browser Information Discovery
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
System Location Discovery: System Language Discovery
Drops file in Program Files directory
Adds Run key to start application
Drops desktop.ini file(s)
ASPack v2.12-2.42
Checks computer location settings
Credentials from Password Stores: Windows Credential Manager
Drops startup file
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Deletes backup catalog
Modifies Windows Firewall
Credentials from Password Stores: Credentials from Web Browsers
Deletes shadow copies
Modifies boot configuration data using bcdedit
Renames multiple (307) files with added filename extension
Phobos
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Unpacked files
SH256 hash:
79da4536d9656ffc1fb3c48044f4e7e12e0a625683d9e722f41657e38267b9a0
MD5 hash:
a2f85c592c0fbae53aa670f4024388c9
SHA1 hash:
2d624f307c5613adf97ba02c9341dbae9a9f5bb3
SH256 hash:
eedb38d8d29a043ad0f1579f8bfe28737f837d1ba57a35aa51fd99422dcd7508
MD5 hash:
c8a94bed280013111a6b7797c83ecdb6
SHA1 hash:
3f2f50b49ec42c37fc04ab7267ecdeb7ed486e49
Detections:
win_unidentified_045_auto
win_unidentified_045_g0
SH256 hash:
4ff314143f6fea359946a81034ec04a4f515998fc23c6937bc5d032b02f01bea
MD5 hash:
fcb76d19b9003bd5522c6da0703175d5
SHA1 hash:
99b5b69c4c3c6946162c1239ddbfa6e366cce3e3
Detections:
win_phobos_auto
Malware family:
Dharma
Verdict:
Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.
YARA Signatures
MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.
| Rule name: | EXE_Ransomware_Phobos_Feb2024 |
|---|---|
| Author: | Yashraj Solanki - Cyber Threat Intelligence Analyst at Bridewell |
| Rule name: | maldoc_find_kernel32_base_method_1 |
|---|---|
| Author: | Didier Stevens (https://DidierStevens.com) |
| Rule name: | maldoc_getEIP_method_1 |
|---|---|
| Author: | Didier Stevens (https://DidierStevens.com) |
| Rule name: | MALWARE_Win_Phobos |
|---|---|
| Author: | ditekshen |
| Description: | Detects Phobos ransomware |
| Rule name: | meth_get_eip |
|---|---|
| Author: | Willi Ballenthin |
| Rule name: | shellcode |
|---|---|
| Author: | nex |
| Description: | Matched shellcode byte patterns |
| Rule name: | Windows_Ransomware_Phobos_11ea7be5 |
|---|---|
| Author: | Elastic Security |
| Description: | Identifies Phobos ransomware |
| Reference: | https://malpedia.caad.fkie.fraunhofer.de/details/win.phobos |
| Rule name: | win_phobos_auto |
|---|---|
| Author: | Felix Bilstein - yara-signator at cocacoding dot com |
| Description: | Detects win.phobos. |
File information
The table below shows additional information about this malware sample such as delivery method and external references.
Malspam
Delivery method
Distributed via e-mail attachment
BLint
The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.
Findings
| ID | Title | Severity |
|---|---|---|
| CHECK_AUTHENTICODE | Missing Authenticode | high |
| CHECK_DLL_CHARACTERISTICS | Missing dll Security Characteristics (HIGH_ENTROPY_VA) | high |
Reviews
| ID | Capabilities | Evidence |
|---|---|---|
| AUTH_API | Manipulates User Authorization | ADVAPI32.dll::AllocateAndInitializeSid ADVAPI32.dll::EqualSid ADVAPI32.dll::FreeSid |
| SECURITY_BASE_API | Uses Security Base API | ADVAPI32.dll::AdjustTokenPrivileges ADVAPI32.dll::DuplicateTokenEx ADVAPI32.dll::GetTokenInformation |
| SHELL_API | Manipulates System Shell | SHELL32.dll::ShellExecuteExW |
| WIN32_PROCESS_API | Can Create Process and Threads | KERNEL32.dll::CreateProcessW KERNEL32.dll::OpenProcess ADVAPI32.dll::OpenProcessToken WINHTTP.dll::WinHttpCloseHandle KERNEL32.dll::CloseHandle KERNEL32.dll::CreateThread |
| WIN_BASE_API | Uses Win Base API | KERNEL32.dll::TerminateProcess KERNEL32.dll::GetVolumeInformationW |
| WIN_BASE_EXEC_API | Can Execute other programs | KERNEL32.dll::AllocConsole KERNEL32.dll::WriteConsoleW |
| WIN_BASE_IO_API | Can Create Files | KERNEL32.dll::CopyFileW KERNEL32.dll::CreateFileW KERNEL32.dll::DeleteFileW KERNEL32.dll::MoveFileW KERNEL32.dll::GetFileAttributesW KERNEL32.dll::FindFirstFileW |
| WIN_BASE_USER_API | Retrieves Account Information | KERNEL32.dll::GetComputerNameW ADVAPI32.dll::LookupAccountSidW ADVAPI32.dll::LookupPrivilegeValueW |
| WIN_HTTP_API | Uses HTTP services | WINHTTP.dll::WinHttpConnect WINHTTP.dll::WinHttpOpenRequest WINHTTP.dll::WinHttpOpen WINHTTP.dll::WinHttpReceiveResponse WINHTTP.dll::WinHttpSendRequest |
| WIN_NETWORK_API | Supports Windows Networking | MPR.dll::WNetEnumResourceW MPR.dll::WNetOpenEnumW MPR.dll::WNetUseConnectionW |
| WIN_REG_API | Can Manipulate Windows Registry | ADVAPI32.dll::RegOpenKeyExW ADVAPI32.dll::RegQueryValueExW ADVAPI32.dll::RegSetValueExW |
| WIN_SOCK_API | Uses Network to send and receive data | WS2_32.dll::WSAAddressToStringW |
Comments
Login required
You need to login to in order to write a comment. Login with your abuse.ch account.