MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9dde984b21a00bc3307c28bd81f229500b795ce4e908b6f8cb5fbd338b22b8e1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Phobos


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9dde984b21a00bc3307c28bd81f229500b795ce4e908b6f8cb5fbd338b22b8e1
SHA3-384 hash: 3d3692e93b7aa961023f914691c703dca1310a30f163977f8d9d160c3554feb3aac57c0634b776719e5466163852bee7
SHA1 hash: 88c57401d854261548f9ee66ab182d5d7e0a2f28
MD5 hash: 78143c91631c47b8a3971f8996ab72c5
humanhash: tango-stairway-ink-vegan
File name:winrar.exe
Download: download sample
Signature Phobos
Create hunting rule
File size:1'084'416 bytes
First seen:2020-09-01 05:14:09 UTC
Last seen:2020-09-01 05:43:27 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 875e3ece85c43528fc2b10109acdc81f (1 x Phobos)
ssdeep 12288:LfIheLE92Wt2GSlLcntkEWZodeFRba4C/3Z:Yd92Wt2etkEWZkeHa1/J
Threatray 18 similar samples on MalwareBazaar
TLSH D135F1F070BDC80AC65816B499B7012F2A49DCC46C5DA04FE6E53F2C7EF37526DAA816
Reporter theDark3d
Tags:Phobos Ransomware

Intelligence

File Origin
# of uploads :
2
# of downloads :
1'851
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/53803/
Detection(s):
SecuriteInfo.com.Mal.EncPk-APW.23671.13474.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Launching a service
Creating a file
Launching cmd.exe command interpreter
Creating a process with a hidden window
Changing a file
Modifying an executable file
Creating a file in the Program Files subdirectories
Creating a window
Launching the process to change network settings
Replacing executable files
Launching a process
Creating a file in the %AppData% subdirectories
Launching the process to change the firewall settings
Creating a file in the Program Files directory
Moving a file to the Program Files subdirectory
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Creating a file in the mass storage device
Deleting volume shadow copies
Enabling autorun for a service
Preventing system recovery
Enabling autorun by creating a file
Infecting executable files
Encrypting user's files
Result
Threat name:
Phobos
Create hunting rule
Detection:
malicious
Classification:
rans.spre.adwa.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/456158
Signature
Creates files in the recycle bin to hide itself
Creates files inside the volume driver (system volume information)
Deletes shadow drive data (may be related to ransomware)
Deletes the backup plan of Windows
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Drops PE files to the startup folder
Infects executable files (exe, dll, sys, html)
Machine Learning detection for sample
May disable shadow drive data (uses vssadmin)
Modifies the windows firewall
Multi AV Scanner detection for submitted file
Sigma detected: Delete shadow copy via WMIC
Sigma detected: WannaCry Ransomware
Uses bcdedit to modify the Windows boot settings
Uses netsh to modify the Windows network and firewall settings
Writes many files with high entropy
Yara detected Phobos
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 280460 Sample: winrar.exe Startdate: 01/09/2020 Architecture: WINDOWS Score: 100 49 Sigma detected: WannaCry Ransomware 2->49 51 Multi AV Scanner detection for submitted file 2->51 53 Detected unpacking (changes PE section rights) 2->53 55 10 other signatures 2->55 7 winrar.exe 2 501 2->7         started        12 winrar.exe 2->12         started        14 wbengine.exe 2->14         started        16 5 other processes 2->16 process3 dnsIp4 47 192.168.2.1 unknown unknown 7->47 39 C:\Users\user\AppData\Roaming\...\winrar.exe, PE32 7->39 dropped 41 C:\Users\user\AppData\Local\winrar.exe, PE32 7->41 dropped 43 C:\ProgramData\Microsoft\...\winrar.exe, PE32 7->43 dropped 45 381 other files (377 malicious) 7->45 dropped 65 Detected unpacking (changes PE section rights) 7->65 67 Detected unpacking (overwrites its own PE header) 7->67 69 Creates files in the recycle bin to hide itself 7->69 73 3 other signatures 7->73 18 cmd.exe 1 7->18         started        21 cmd.exe 1 7->21         started        23 winrar.exe 7->23         started        71 Creates files inside the volume driver (system volume information) 14->71 file5 signatures6 process7 signatures8 57 May disable shadow drive data (uses vssadmin) 18->57 59 Deletes shadow drive data (may be related to ransomware) 18->59 61 Uses bcdedit to modify the Windows boot settings 18->61 63 Deletes the backup plan of Windows 18->63 25 bcdedit.exe 1 18->25         started        27 bcdedit.exe 1 18->27         started        29 WMIC.exe 1 18->29         started        37 3 other processes 18->37 31 netsh.exe 3 21->31         started        33 netsh.exe 3 21->33         started        35 conhost.exe 21->35         started        process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9dde984b21a00bc3307c28bd81f229500b795ce4e908b6f8cb5fbd338b22b8e1/
Threat name:
Win32.Trojan.DelShad
Create hunting rule
Status:
Malicious
First seen:
2020-08-31 20:03:00 UTC
File Type:
PE (Exe)
Extracted files:
3
AV detection:
24 of 28 (85.71%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=txpjqszbuaf4gmd4fc6yd4rjkafxsxhe5eeln6gll66thczcxdqq._file
Verdict:
malicious
Similar samples:
03bb4d5c0179fdceacc5df7645e6e7fa93e931ac9beb1968c7bbe40ba3499194
Phobos
0f6e1a84d618af64ce5864d7b7a0d946439b3f82efa34f994cb420dc3d11fb71
Phobos
4f2a4b35cda0c85b4a0ead82e8af588d7812d79206a104ff638619aa869aade4
Phobos
6ad7afd41c395e87314488f1aeb47244de899abb289feba16c9ffbde7f55f15e
Phobos
74976d37d3e53fc66a54b5b8010969340da5099c200e75e7c5b20f41e06a4a57
Phobos
7949bf3e09366bdb23ca7472cb6c4d9183ad5b081ac5a568d556aec8beae0785
Phobos
8b49bc1afd15dcc2bcc23b7637d58aca9a17b5b8a9e66ebdd109200fda384f0e
Phobos
a1a609c00c3504343f05c5fe6d6353ec177b06551efaf44c4d69e316718dc03e
Phobos
f893e2e5b6cb171f4cbe389fa1ce8565a12c01da43c997d8439af8f4a41af668
Phobos
f9348fb8d78baa055f90288fec94b67d3f3d30eaa5744feeacef871ee3ad8eb8
Phobos
+ 8 additional samples on MalwareBazaar
Result
Malware family:
phobos
Create hunting rule
Score:
  10/10
Tags:
ransomware evasion persistence spyware family:phobos
Link:
https://tria.ge/reports/200901-4a2qlp311x/
Behaviour
Interacts with shadow copies
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Drops file in Program Files directory
Modifies service
Adds Run key to start application
Drops desktop.ini file(s)
Drops startup file
Reads user/profile data of web browsers
Deletes backup catalog
Modifies Windows Firewall
Deletes shadow copies
Deletes system backup catalog
Modifies boot configuration data using bcdedit
Phobos
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Virus
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/9dde984b21a00bc3307c28bd81f229500b795ce4e908b6f8cb5fbd338b22b8e1

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Phobos

Executable exe 9dde984b21a00bc3307c28bd81f229500b795ce4e908b6f8cb5fbd338b22b8e1

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/53803/
  
URLhaus
https://urlhaus.abuse.ch/url/450924/
  
Delivery method
Distributed via web download

Comments