MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 667f88e8dcd4a15529ed02bb20da6ae2e5b195717eb630b20b9732c8573c4e83. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Phobos


Vendor detections: 5



SHA256 hash: 667f88e8dcd4a15529ed02bb20da6ae2e5b195717eb630b20b9732c8573c4e83
SHA3-384 hash: e918f53cfb21200cd2a0e321ad28b8c65c187c52c93b8f5a4db26b06971385c60a7e66807973f1771042b917daa1e055
SHA1 hash: 8d4782e50282a81c38aed151882647c0ebb3269d
MD5 hash: 6dbdd1efcab25eaaec2217e9bcbf0718
humanhash: maryland-avocado-wyoming-saturn
File name: 6dbdd1efcab25eaaec2217e9bcbf0718.doc
Signature: Phobos
File size: 240'128 bytes
First seen: 2020-09-11 19:35:36 UTC
Last seen: 2021-04-29 13:11:39 UTC
File type: Word file doc
MIME type: application/msword
ssdeep: 3072:bJmlupGGcStW1UO8BOWE6b/HeTcLIxyr/maSAgtYrBD8SmVFOIgfQ0IYt1/QdKSS:CStpBOWZLFLIxyqmgtYdDODO11oB
TLSH: 40340172BA40DE16E6055934BDCEC6467E29FD13CE60C21B7A457B0FAC322B08662F57
Reporter: theDark3d
Tags: doc, Loader, Phobos, Ransomware

Intelligence


File Origin
# of uploads: 3
# of downloads: 1'887
Origin country: n/a

Vendor Threat Intelligence

Result
Verdict: Clean
Maliciousness:

Behaviour
Creating a window

Result
Threat name:
Detection: malicious
Classification: rans.adwa.expl.evad
Score: 100 / 100
Signature
Creates and opens a fake document (probably a fake document to hide exploiting)
Creates files in the recycle bin to hide itself
Creates processes via WMI
Deletes shadow drive data (may be related to ransomware)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Document contains an embedded VBA macro with suspicious strings
Drops PE files to the startup folder
Drops PE files to the user root directory
Machine Learning detection for dropped file
Machine Learning detection for sample
May disable shadow drive data (uses vssadmin)
Modifies the windows firewall
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Sigma detected: Executables Started in Suspicious Folder
Sigma detected: Execution in Non-Executable Folder
Sigma detected: Suspicious Program Location Process Starts
Uses netsh to modify the Windows network and firewall settings
Yara detected Phobos
Behaviour
Behavior Graph:
Behavior Graph ID: 284671
Sample: 3IxD5T3B50.doc
Startdate: 11/09/2020
Architecture: WINDOWS
Score: 100
Top-level signatures: Multi AV Scanner detection for dropped file; Multi AV Scanner detection for submitted file; Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros); 13 other signatures
Processes started from the sample: cs5.exe, certutil.exe, cs5.exe, WINWORD.EXE
cs5.exe (first instance):
    Dropped files: C:\Users\user\AppData\Roaming\...\cs5.exe (PE32); C:\Users\user\AppData\Local\cs5.exe (PE32); C:\ProgramData\Microsoft\Windows\...\cs5.exe (PE32); 2 other files (1 malicious)
    Signatures: Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header); Creates files in the recycle bin to hide itself; Drops PE files to the startup folder
    Started: cmd.exe, cmd.exe, cs5.exe
certutil.exe:
    Dropped files: C:\Users\Public\Ksh1.pdf (PE32)
    Signatures: Drops PE files to the user root directory
cs5.exe (second instance):
    Signatures: Multi AV Scanner detection for dropped file
cmd.exe (first instance): started netsh.exe
cmd.exe (second instance): started vssadmin.exe

Threat name: Document-Word.Trojan.Powload
Status: Malicious
First seen: 2020-09-11 18:09:56 UTC
AV detection: 32 of 48 (66.67%)
Threat level: 5/5

Result
Malware family: n/a
Score: 8/10
Tags: macro

Behaviour
Office macro that triggers on suspicious action
Suspicious Office macro
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments



hiddenaccount commented on 2020-09-11 19:50:17 UTC

Related File: https://bazaar.abuse.ch/sample/6e9c9b72d1bdb993184c7aa05d961e706a57b3becf151ca4f883a80a07fdd955/

hiddenaccount commented on 2020-09-11 19:49:53 UTC

C2:
hxxp://juliendechaumont[.]fr/DAYLL.exe
hxxps://hechiceriadeamoryprosperidadisrael[.]com/imagenes/amarres/DAYLL.exe

hiddenaccount commented on 2020-09-11 19:49:40 UTC

Phobos Ransomware: https://analyze.intezer.com/analyses/90c03969-121d-4acf-914c-1140278d4e9a