MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7949bf3e09366bdb23ca7472cb6c4d9183ad5b081ac5a568d556aec8beae0785. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Phobos


Vendor detections: 4


Intelligence 4 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7949bf3e09366bdb23ca7472cb6c4d9183ad5b081ac5a568d556aec8beae0785
SHA3-384 hash: 14aea42b9393ac3fa01ae021dba4c2a2e7242c265081f17ad15085154b75373faca7a7b033987272f5e811a1bd539e39
SHA1 hash: 938df1b239015ffb444c0f958b15ee6b5ce0b40d
MD5 hash: 636a3d5759907f7a3261beac3f75ca6a
humanhash: emma-mountain-kansas-lemon
File name:c597eb1cfd24dfca1b17b7fd61c4527c.exe
Download: download sample
Signature Phobos
Create hunting rule
File size:58'368 bytes
First seen:2020-04-05 15:07:06 UTC
Last seen:2020-04-08 15:00:22 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 03cae632c46883e0fd8e744440cd27c0 (5 x Phobos)
ssdeep 1536:2kcgYgbig9EhjWNMSTdwp++lJ/KAJnm5F1tEhSalMz:2j8ijWNw++lgAJnu3aM2u
Threatray 8 similar samples on MalwareBazaar
TLSH 6843C046346D94B2CD338570293D2F4B8FBA621554A84497CF294ECA3ED1116EB3E3BB
Reporter abuse_ch
Tags:exe GuLoader Phobos


Avatar
abuse_ch
Payload dropped by GuLoader from the following URL:
https://drive.google.com/uc?export=download&id=1c3fbF-r9OjtBh5GaGVeb9_C2afNvlAdY

Intelligence

File Origin
# of uploads :
3
# of downloads :
1'871
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
Win.Ransomware.Ulise-7594403-0
Create hunting rule

Gathering data
Threat name:
Win32.Trojan.Phobos
Create hunting rule
Status:
Malicious
First seen:
2020-03-20 08:37:41 UTC
File Type:
PE (Exe)
AV detection:
29 of 31 (93.55%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=pfe36pqjgzv5wi6korzmw3cnsgb22wyidlc2k2gvk2xmrpvoa6cq._file
Verdict:
malicious
Similar samples:
03bb4d5c0179fdceacc5df7645e6e7fa93e931ac9beb1968c7bbe40ba3499194
Phobos
4f2a4b35cda0c85b4a0ead82e8af588d7812d79206a104ff638619aa869aade4
Phobos
6c39c5f5d143700d4ad43b0aa7fb6a51e77817060467cf3462ef037176e1f50f
Phobos
868cb8251a245c416cd92fcbd3e30aa7b7ca7c271760fa120d2435fd3bf2fde9
Phobos
86c54f746b7af0ffaa40444e44b4dfd8e2d598bb31ad932cc2fb1ac1c83237ce
Phobos
9dde984b21a00bc3307c28bd81f229500b795ce4e908b6f8cb5fbd338b22b8e1
Phobos
ac0882d87027ac22fc79cfe2d55d9a9d097d0f8eb425cf182de1b872080930ec
Phobos
f9348fb8d78baa055f90288fec94b67d3f3d30eaa5744feeacef871ee3ad8eb8
Phobos
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

287eba5554654ce40f9db1e5fda08345ca3e3848341e9536b5bcd949c37d4133

Phobos

Executable exe 7949bf3e09366bdb23ca7472cb6c4d9183ad5b081ac5a568d556aec8beae0785

(this sample)

  
Dropped by
MD5 c597eb1cfd24dfca1b17b7fd61c4527c
  
Dropped by
MD5 3e585362a15cbca715a66f21bc29aa65
  
Dropped by
GuLoader
  
Dropped by
SHA256 287eba5554654ce40f9db1e5fda08345ca3e3848341e9536b5bcd949c37d4133
  
Dropped by
SHA256 d06db02b857f242fc1f0cf0d1847686b4ddd47ab2e2e9b844a3fcf2e7c587b5c
  
URLhaus
https://urlhaus.abuse.ch/url/335611/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
Reviews
IDCapabilitiesEvidence
AUTH_APIManipulates User AuthorizationADVAPI32.dll::AllocateAndInitializeSid
ADVAPI32.dll::EqualSid
ADVAPI32.dll::FreeSid
SECURITY_BASE_APIUses Security Base APIADVAPI32.dll::AdjustTokenPrivileges
ADVAPI32.dll::DuplicateTokenEx
ADVAPI32.dll::GetTokenInformation
SHELL_APIManipulates System ShellSHELL32.dll::ShellExecuteExW
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CreateProcessW
KERNEL32.dll::OpenProcess
ADVAPI32.dll::OpenProcessToken
WINHTTP.dll::WinHttpCloseHandle
KERNEL32.dll::CloseHandle
KERNEL32.dll::CreateThread
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::GetVolumeInformationW
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::AllocConsole
KERNEL32.dll::WriteConsoleW
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CopyFileW
KERNEL32.dll::CreateFileW
KERNEL32.dll::DeleteFileW
KERNEL32.dll::MoveFileW
KERNEL32.dll::GetFileAttributesW
KERNEL32.dll::FindFirstFileW
WIN_BASE_USER_APIRetrieves Account InformationKERNEL32.dll::GetComputerNameW
ADVAPI32.dll::LookupAccountSidW
ADVAPI32.dll::LookupPrivilegeValueW
WIN_HTTP_APIUses HTTP servicesWINHTTP.dll::WinHttpConnect
WINHTTP.dll::WinHttpOpenRequest
WINHTTP.dll::WinHttpOpen
WINHTTP.dll::WinHttpReceiveResponse
WINHTTP.dll::WinHttpSendRequest
WIN_NETWORK_APISupports Windows NetworkingMPR.dll::WNetEnumResourceW
MPR.dll::WNetOpenEnumW
MPR.dll::WNetUseConnectionW
WIN_REG_APICan Manipulate Windows RegistryADVAPI32.dll::RegOpenKeyExW
ADVAPI32.dll::RegQueryValueExW
ADVAPI32.dll::RegSetValueExW
WIN_SOCK_APIUses Network to send and receive dataWS2_32.dll::WSAAddressToStringW

Comments