MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 91abe280381d0faf55b521f51d16d8aa022f0cc14b1310334d4fffc3474459d4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Phobos


Vendor detections: 14


Intelligence 14 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 91abe280381d0faf55b521f51d16d8aa022f0cc14b1310334d4fffc3474459d4
SHA3-384 hash: a596ee34f75ff4182ca68750270c0e568fc0e8f4c9a2d1dec7974c050873a12fd8c4e7bc4d6e399a34a360107ae4b3dd
SHA1 hash: e464001902893ab6aea89b8ccfc66f9eb1d45988
MD5 hash: 2519f369f426e4d2cdd88290d1c25d3c
humanhash: texas-fourteen-nine-pizza
File name:2519f369f426e4d2cdd88290d1c25d3c.exe
Download: download sample
Signature Phobos
Create hunting rule
File size:1'815'552 bytes
First seen:2023-10-26 09:11:42 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 24576:4E6seIAzWNS0LSaN9EBrx+dbsOCK/91/oc1EDnbLmVrkfvDUdhu3z7L/40NM+Sf2:tKpCSrEdbsOn/4sEDnB3z7E0CzzK
Threatray 59 similar samples on MalwareBazaar
TLSH T1F185E03027D89B21DB5F577AF174A90992F1E4099AF6BFA74AC4BEF128833506D81073
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter abuse_ch
Tags:exe Phobos

Intelligence

File Origin
# of uploads :
1
# of downloads :
385
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
2519f369f426e4d2cdd88290d1c25d3c.exe
Verdict:
Malicious activity
Analysis date:
2023-10-26 09:38:11 UTC
Tags:
ransomware
Link:
https://app.any.run/tasks/6bc60946-3e67-4630-b58c-383ad25843e4

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Win32.PWSX-gen.2916.31874.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Сreating synchronization primitives
Launching a service
Launching cmd.exe command interpreter
Creating a process with a hidden window
Searching for synchronization primitives
Modifying an executable file
Changing a file
Modifies multiple files
Replacing executable files
Creating a file in the Program Files directory
Creating a file in the Program Files subdirectories
Moving a file to the Program Files subdirectory
Launching the process to change the firewall settings
Moving a file to the %AppData% subdirectory
Launching a process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Creating a file in the mass storage device
Deleting volume shadow copies
Preventing system recovery
Enabling autorun by creating a file
Infecting executable files
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/653a2d626be5439aa5cd1417/reports/2a933ed9-3d49-4ba9-967e-34fa1c9d6b17/overview
Verdict:
Malicious
Labled as:
Zusy.Generic
Link:
https://www.hybrid-analysis.com/sample/91abe280381d0faf55b521f51d16d8aa022f0cc14b1310334d4fffc3474459d4
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Phobos Ransomware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/d3575a1a-eef1-4a89-bb70-39b33806c3c0
Result
Threat name:
Phobos, TrojanRansom, Voidcrypt
Create hunting rule
Detection:
malicious
Classification:
rans.phis.adwa.evad.spyw
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1332560
Signature
.NET source code contains potential unpacker
Creates files in the recycle bin to hide itself
Creates files inside the volume driver (system volume information)
Deletes shadow drive data (may be related to ransomware)
Deletes the backup plan of Windows
Drops PE files to the startup folder
Found evasive API chain (may stop execution after checking locale)
Found ransom note / readme
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May disable shadow drive data (uses vssadmin)
Modifies the windows firewall
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Overwrites Mozilla Firefox settings
Sigma detected: Delete shadow copy via WMIC
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses bcdedit to modify the Windows boot settings
Uses netsh to modify the Windows network and firewall settings
Writes many files with high entropy
Yara detected Costura Assembly Loader
Yara detected Phobos
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1332560 Sample: s3CkvN3QOR.exe Startdate: 26/10/2023 Architecture: WINDOWS Score: 100 80 Malicious sample detected (through community Yara rule) 2->80 82 Multi AV Scanner detection for dropped file 2->82 84 Multi AV Scanner detection for submitted file 2->84 86 6 other signatures 2->86 8 s3CkvN3QOR.exe 3 2->8         started        11 s3CkvN3QOR.exe 2->11         started        13 s3CkvN3QOR.exe 2->13         started        15 5 other processes 2->15 process3 signatures4 92 Drops PE files to the startup folder 8->92 94 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 8->94 96 Writes many files with high entropy 8->96 17 s3CkvN3QOR.exe 4 503 8->17         started        98 Multi AV Scanner detection for dropped file 11->98 100 Found evasive API chain (may stop execution after checking locale) 11->100 102 Injects a PE file into a foreign processes 11->102 21 s3CkvN3QOR.exe 11->21         started        23 s3CkvN3QOR.exe 13->23         started        25 s3CkvN3QOR.exe 13->25         started        104 Creates files inside the volume driver (system volume information) 15->104 27 s3CkvN3QOR.exe 15->27         started        29 s3CkvN3QOR.exe 15->29         started        31 s3CkvN3QOR.exe 15->31         started        process5 file6 58 C:\ProgramData\Microsoft\...\s3CkvN3QOR.exe, PE32 17->58 dropped 60 7-zip.dll.id[7283B...rexsdata.pro].8base, DOS 17->60 dropped 62 {AFBF9F1A-8EE8-4C7...rexsdata.pro].8base, data 17->62 dropped 64 59 other files (56 malicious) 17->64 dropped 88 Creates files in the recycle bin to hide itself 17->88 90 Overwrites Mozilla Firefox settings 17->90 33 cmd.exe 1 17->33         started        36 s3CkvN3QOR.exe 2 17->36         started        38 cmd.exe 17->38         started        signatures7 process8 signatures9 70 May disable shadow drive data (uses vssadmin) 33->70 72 Deletes shadow drive data (may be related to ransomware) 33->72 74 Uses netsh to modify the Windows network and firewall settings 33->74 78 3 other signatures 33->78 40 vssadmin.exe 1 33->40         started        43 conhost.exe 33->43         started        45 WMIC.exe 33->45         started        56 3 other processes 33->56 76 Injects a PE file into a foreign processes 36->76 47 s3CkvN3QOR.exe 1 6 36->47         started        50 netsh.exe 2 38->50         started        52 conhost.exe 38->52         started        54 netsh.exe 38->54         started        process10 file11 106 Deletes shadow drive data (may be related to ransomware) 40->106 66 C:\Users\user\AppData\...\s3CkvN3QOR.exe, PE32 47->66 dropped 68 C:\Users\user\AppData\Local\s3CkvN3QOR.exe, PE32 47->68 dropped signatures12
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/91abe280381d0faf55b521f51d16d8aa022f0cc14b1310334d4fffc3474459d4
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/91abe280381d0faf55b521f51d16d8aa022f0cc14b1310334d4fffc3474459d4/
Threat name:
ByteCode-MSIL.Trojan.RaccoonStealerV2
Create hunting rule
Status:
Malicious
First seen:
2023-10-26 09:42:28 UTC
AV detection:
22 of 37 (59.46%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=sgv6fabyduh26vnveh2r2fwyvibc6dgbjmjram2nj774gr2elhka._file
Verdict:
malicious
Similar samples:
2ad246c95f79a3f21623a89e7de935f8ec7e42c6875a15b30e219a465f4e4907
Phobos
4e4c154f0500990e897ca9650eafd3c6255ba4df3b4bc620c6ba27b718278392
Phobos
50825b3dcf4e1bb958dfd1c2e49cc394f3a508f214ddce67bc111c40eed157e4
Phobos
6b5793f22a86e4b8793594df8c214feaad09cf964c913adc9f9a5e89a197442a
Phobos
6e006fa2cf49e2c52add436f266e2f62fb53ec936dd3caf536749d859240d6ae
Phobos
85a1f398d30b7efd27dee5b78472a000c6303ebd29b067df1012cfb9d61bcffa
Phobos
b916d475339eb0e64ad8e4e8bf897adb317c8add907ca4f72c1b7fda76cd8550
Phobos
e0a2d0622a0e1d24bdbc5d3ce388cf2a9b1551c78c8fde2d444c7e7f711854d8
Phobos
ff7cea1471a8650fec0cf17b7006d68320702939027341f922389672bfe88115
Phobos
+ 49 additional samples on MalwareBazaar
Result
Malware family:
phobos
Create hunting rule
Score:
  10/10
Tags:
family:phobos evasion persistence ransomware spyware stealer
Link:
https://tria.ge/reports/231026-k56l3sfd8x/
Behaviour
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Uses Volume Shadow Copy service COM API
Checks SCSI registry key(s)
Interacts with shadow copies
Enumerates physical storage devices
Drops file in Program Files directory
Suspicious use of SetThreadContext
Adds Run key to start application
Drops desktop.ini file(s)
Drops startup file
Reads user/profile data of web browsers
Deletes backup catalog
Modifies Windows Firewall
Deletes shadow copies
Modifies boot configuration data using bcdedit
Renames multiple (221) files with added filename extension
Renames multiple (313) files with added filename extension
Phobos
Unpacked files
SH256 hash:
91abe280381d0faf55b521f51d16d8aa022f0cc14b1310334d4fffc3474459d4
MD5 hash:
2519f369f426e4d2cdd88290d1c25d3c
SHA1 hash:
e464001902893ab6aea89b8ccfc66f9eb1d45988
Link:
https://www.unpac.me/results/b1f43ccc-a969-45f0-8b6b-ebe50f125476/
Malware family:
Dharma
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/91abe280381d/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Phobos

Executable exe 91abe280381d0faf55b521f51d16d8aa022f0cc14b1310334d4fffc3474459d4

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2725948/
  
Delivery method
Distributed via web download

Comments