MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7f1fbbd646d475c2d875426a7a5128e30d54b98ae31ef9b7e484211f787770c7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Phonk


Vendor detections: 11


Intelligence 11 IOCs YARA 9 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7f1fbbd646d475c2d875426a7a5128e30d54b98ae31ef9b7e484211f787770c7
SHA3-384 hash: 240ca4d943e952d50896a440edc60b0cf1ced08f070ccda418ab79fea79d53b229b32b2f60f97cd4cf7171c2e35e326f
SHA1 hash: e80ae6a00b1eac69ea79dda90e1db4de315382c3
MD5 hash: 972d3ec6a976765bee7f681e6884c13a
humanhash: cola-ink-tango-undress
File name:972d3ec6a976765bee7f681e6884c13a
Download: download sample
Signature Phonk
Create hunting rule
File size:2'906'112 bytes
First seen:2023-12-01 06:17:01 UTC
Last seen:2023-12-01 08:37:47 UTC
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 49152:MOSiu1jUYLWycEC/7iYMEw+NgCwM/8ry4561q/D6e60:xIyU2Z1qV6
Threatray 12 similar samples on MalwareBazaar
TLSH T1CBD5495C7A824C7BCE4901F3998E45281E92850B1B45A65B2FD38ECF932D6F7C9CD28D
TrID 65.5% (.CPL) Windows Control Panel Item (generic) (57583/11/19)
11.9% (.EXE) Win64 Executable (generic) (10523/12/4)
5.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
5.1% (.EXE) Win32 Executable (generic) (4505/5/1)
2.3% (.EXE) Win16/32 Executable Delphi generic (2072/23)
Reporter zbetcheckin
Tags:64 exe Phonk

Intelligence

File Origin
# of uploads :
2
# of downloads :
296
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
lokibot
Create hunting rule
ID:
1
File name:
New Text Document.bin.zip
Verdict:
Malicious activity
Analysis date:
2023-11-30 23:47:45 UTC
Tags:
opendir loader stealer grmsk trojan lokibot lumma evasion dupzom socks5systemz servstart amadey botnet formbook spyware agenttesla neoreklami risepro adware nanocore rat remote stealc raccoon recordbreaker systembc proxy metasploit gcleaner
Link:
https://app.any.run/tasks/4fa4e1c8-b542-4410-b17b-c752facf2bec

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/461575/
Gathering data
Result
Verdict:
Malware
Maliciousness:

Behaviour
Using the Windows Management Instrumentation requests
Creating a file
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/7f1fbbd646d475c2d875426a7a5128e30d54b98ae31ef9b7e484211f787770c7
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/1dc91956-1280-48d3-bad1-a9236979a837
Result
Threat name:
Phonk Miner, zgRAT
Create hunting rule
Detection:
malicious
Classification:
troj.evad.mine
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/1351113
Behaviour
Behavior Graph:
n/a
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/7f1fbbd646d475c2d875426a7a5128e30d54b98ae31ef9b7e484211f787770c7
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7f1fbbd646d475c2d875426a7a5128e30d54b98ae31ef9b7e484211f787770c7/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Malicious
First seen:
2023-11-30 22:59:16 UTC
File Type:
PE+ (.Net Exe)
Extracted files:
28
AV detection:
16 of 36 (44.44%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=p4p3xvsg2r24fwdvijvhuuji4mgvjomk4mpptn7eqqqr66dxoddq._file
Verdict:
malicious
Similar samples:
263802f4c4f890ac1edba63b8faa12791314a36643b549643670c54040862d4e
Phonk
46304a29d2614764464359024e18491ab8423546564a2044eb875a3ead4c50a4
Phonk
497d41a3e461e09f9578c3b004bfbf70f1af0f1624e97825e07d349d18c49eea
Phonk
7fea5e9b346e73f69b3947ddde72fcf890d2601a3343b89c3a7a2fa8334453fa
Phonk
7ff3cb36d760631d7ced21610a51bb957ac0335e30dd7bd1d2c581fc26279574
Phonk
aacd8a384dd972599220a1ffaa3fbc16220ee0daf26f1dda44473866e8be05a4
Phonk
b4138451ca642ad8c085fbd450f82ca91776aea7b5bd5bccaf1ea4d87b55bc8d
Phonk
d7d74ca8f4761f34a7d2ad837bb72bb84882f96c43667d9826ccfa2d88f5b8c8
Phonk
+ 2 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/231201-g2a48afe8s/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Unpacked files
SH256 hash:
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
MD5 hash:
92dc6ef532fbb4a5c3201469a5b5eb63
SHA1 hash:
3e89ff837147c16b4e41c30d6c796374e0b8e62c
Link:
https://www.unpac.me/results/a619de80-27a0-458b-8ed5-4690f74bfa72/
SH256 hash:
388a796580234efc95f3b1c70ad4cb44bfddc7ba0f9203bf4902b9929b136f95
MD5 hash:
e4211d6d009757c078a9fac7ff4f03d4
SHA1 hash:
019cd56ba687d39d12d4b13991c9a42ea6ba03da
Link:
https://www.unpac.me/results/a619de80-27a0-458b-8ed5-4690f74bfa72/
SH256 hash:
7f1fbbd646d475c2d875426a7a5128e30d54b98ae31ef9b7e484211f787770c7
MD5 hash:
972d3ec6a976765bee7f681e6884c13a
SHA1 hash:
e80ae6a00b1eac69ea79dda90e1db4de315382c3
Link:
https://www.unpac.me/results/a619de80-27a0-458b-8ed5-4690f74bfa72/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/7f1fbbd646d475c2d875426a7a5128e30d54b98ae31ef9b7e484211f787770c7

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerException__SetConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:maldoc_OLE_file_magic_number
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_no_import_table
Create hunting rule
Description:Detect pe file that no import table
Rule name:ThreadControl__Context
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Phonk

Executable exe 7f1fbbd646d475c2d875426a7a5128e30d54b98ae31ef9b7e484211f787770c7

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2735378/
  
URLhaus
https://urlhaus.abuse.ch/url/2736511/
Cape
Cape
https://www.capesandbox.com/analysis/461575/

Comments


Avatar
zbet commented on 2023-12-01 06:17:02 UTC

url : hxxp://185.172.128.113/ma.exe