MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7fbed14d0d7d52a459fc29bae6a62eedd0a69649049b8f9ac37e1297acc3b277. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

PhoenixStealer

Vendor detections: 8

Intelligence 8 IOCs YARA 4 File information Comments

SHA256 hash:	7fbed14d0d7d52a459fc29bae6a62eedd0a69649049b8f9ac37e1297acc3b277
SHA3-384 hash:	f104f8493639c246725477721fd08e26c86ab6f40bf6d6454b388b70ed7be1e9cb5bbc49d74b642039ef8ff056c91ddb
SHA1 hash:	615275ae7a28ee86cd9f4f586a3c7c5366490444
MD5 hash:	77636b47fc9e1bc61a4a019371e09390
humanhash:	tennessee-quebec-cat-montana
File name:	q.exe
Download:	download sample
Signature	PhoenixStealer Create hunting rule
File size:	2'931'604 bytes
First seen:	2022-07-07 07:34:36 UTC
Last seen:	2022-07-07 08:48:30 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	726a22f55cf9e91b15fd25cd9f82556f (17 x RedLineStealer, 2 x ArkeiStealer, 1 x PhoenixStealer)
ssdeep	24576:9MukhwYrYEvD/bMa4QlHSVS7t5jIMrZrGt10LB9CT2fK8aybPbiUdobpLR+eUXet:eJTtp7G1mhfRaiziUdobplt+l3e
TLSH	T199D54B135ACB0E75DDC23BB4A1CB633AA734FD30CA3A9B7BB609C53549532D5681A702
TrID	33.5% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5) 21.3% (.EXE) Win64 Executable (generic) (10523/12/4) 13.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 10.2% (.EXE) Win16 NE executable (generic) (5038/12/1) 9.1% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter	ankit_anubhav
Tags:	exe Multiminer PhoenixStealer

Intelligence

File Origin

# of uploads :

# of downloads :

266

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

haha.exe

Verdict:

Malicious activity

Analysis date:

2022-07-07 07:28:37 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/3d031cb7-8bff-423d-aab1-c8e1b1077fe6

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/285424/

Detection(s):

SecuriteInfo.com.Trojan.PWS.Steam.28827.22829.4720.UNOFFICIAL

Win.Trojan.Redlinestealer-9955165-0

Win.Trojan.Generic-9955170-0

Result

Verdict:

Clean

Maliciousness:

Behaviour

Searching for the window

Gathering data

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/a0358bf9-7866-49e0-b411-96e4415b8009

Result

Threat name:

Unknown

Detection:

malicious

Classification:

n/a

Score:

48 / 100

Link:

https://www.joesandbox.com/analysis/1026194

Signature

Multi AV Scanner detection for submitted file

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/7fbed14d0d7d52a459fc29bae6a62eedd0a69649049b8f9ac37e1297acc3b277/

Threat name:

Win32.Trojan.RedlineStealer

Status:

Malicious

First seen:

2022-07-07 07:35:10 UTC

File Type:

PE (Exe)

AV detection:

21 of 26 (80.77%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=p67nctinpvjkiwp4fg5onjro5xiknfsjasny7gwdpyjjplgdwj3q._file

Result

Malware family:

phoenixstealer

Score:

10/10

Tags:

family:phoenixstealer stealer

Link:

https://tria.ge/reports/220707-jeng5sfbdm/

Behaviour

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

PhoenixStealer

Unpacked files

SH256 hash:

9bf39261054943ec7d751b2f0b025e8267eb3b39a9de2f8ecdebb697bd3532f1

MD5 hash:

7ac6cb3c6fc9186a9d3f506428ab0c64

SHA1 hash:

83aecbe88f8d077b4bead141892dbce622cd4f83

Link:

https://www.unpac.me/results/d06d6a35-a33d-4ba8-8d60-41e83ac123b9/

SH256 hash:

7fbed14d0d7d52a459fc29bae6a62eedd0a69649049b8f9ac37e1297acc3b277

MD5 hash:

77636b47fc9e1bc61a4a019371e09390

SHA1 hash:

615275ae7a28ee86cd9f4f586a3c7c5366490444

Link:

https://www.unpac.me/results/d06d6a35-a33d-4ba8-8d60-41e83ac123b9/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/7fbed14d0d7d/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.57

Link:

https://yomi.yoroi.company/submissions/7fbed14d0d7d52a459fc29bae6a62eedd0a69649049b8f9ac37e1297acc3b277

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	cobalt_strike_tmp01925d3f Create hunting rule
Author:	The DFIR Report
Description:	files - file ~tmp01925d3f.exe
Reference:	https://thedfirreport.com

Rule name:	MALWARE_Win_Alfonoso Create hunting rule
Author:	ditekSHen
Description:	Detects Alfonoso / Shurk / HunterStealer infostealer

Rule name:	SUSP_XORed_URL_in_EXE Create hunting rule
Author:	Florian Roth
Description:	Detects an XORed URL in an executable
Reference:	https://twitter.com/stvemillertime/status/1237035794973560834

Rule name:	SUSP_XORed_URL_in_EXE_RID2E46 Create hunting rule
Author:	Florian Roth
Description:	Detects an XORed URL in an executable
Reference:	https://twitter.com/stvemillertime/status/1237035794973560834

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/285424/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample