MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bbacec1344afa67e7e3aef7ac9f286d46d73ae5af3c45763f2536c7eb143b9e4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

PhoenixStealer

Vendor detections: 11

Intelligence 11 IOCs YARA 4 File information Comments

SHA256 hash:	bbacec1344afa67e7e3aef7ac9f286d46d73ae5af3c45763f2536c7eb143b9e4
SHA3-384 hash:	1fba7ccf144618b11009b86ad5516acf54fbeae9dcc7ba976901e0225c131a87a286aa132d7aa7d84aba681506d5f3f1
SHA1 hash:	9f20fe8e89eeb59c28ebbf03e426c7e18dc67b7c
MD5 hash:	8643ad0c1db07b7bf569e8bd2c125f83
humanhash:	tennessee-red-utah-burger
File name:	47575567.exe
Download:	download sample
Signature	PhoenixStealer Create hunting rule
File size:	558'592 bytes
First seen:	2022-03-22 05:15:45 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	06c6e92acd3ff57b00b3132976b3f6d6 (32 x PhoenixStealer, 2 x PandaStealer, 1 x Worm.Ramnit)
ssdeep	12288:F7vT8cGUCZmxIwNjVGCXZqmmJUL+JHkdIUnjoqhwMw4d:Fz4BUCZmxIw1VGCXZ5mJdkdZnBhL
Threatray	55 similar samples on MalwareBazaar
TLSH	T16AC4BE17E6428076E4632430265D9B7249BD76300A2655BBF3C42E2D9EF02F2AB35F37
Reporter	adm1n_usa32
Tags:	exe PandaStealer PhoenixStealer

Intelligence

File Origin

# of uploads :

# of downloads :

191

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/253972/

Detection(s):

Win.Malware.Zusy-9812688-0

Win.Malware.Zusy-9828887-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

Sending a custom TCP request

Result

Malware family:

n/a

Score:

6/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/10347/overview

Behaviour

MalwareBazaar

MeasuringTime

EvasionQueryPerformanceCounter

CheckCmdLine

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

control.exe greyware obfuscated shell32.dll stealer update.exe

Link:

https://www.filescan.io/uploads/62395b970cd58dbd92d40e93/reports/762c4875-3013-443a-9a04-cbfc7259c484/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Panda Stealer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/0edbd876-10a3-4854-825b-beeece9723cd

Result

Threat name:

Phoenix Stealer

Detection:

malicious

Classification:

troj.spyw

Score:

84 / 100

Link:

https://www.joesandbox.com/analysis/961413

Signature

Antivirus / Scanner detection for submitted sample

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Yara detected Phoenix Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/bbacec1344afa67e7e3aef7ac9f286d46d73ae5af3c45763f2536c7eb143b9e4/

Threat name:

Win32.Trojan.Matanbuchus

Status:

Malicious

First seen:

2022-02-27 23:50:38 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

25 of 26 (96.15%)

Threat level:

5/5

Verdict:

malicious

PhoenixStealer

15a772d0dcbde0cffde9b58be5007244fd23159daaa67110f53259ffff69b3c9

PhoenixStealer

6955cfaea5b8a5781a1a8bfa69d07350269c5ed723165a29034aa70aa71da38f

PhoenixStealer

7a76c39cebc89415a125d7773796ac539e0fc0f36a4663ec0ec75fec0d46bb7c

PhoenixStealer

7e62498496831d872b6d34b51ec02d3fcc07bd4db925899e9a7026c70908a526

PhoenixStealer

a2ab9acad51433ee88a2558ad59f5171b8bc3da7ffe80818423d478f94adf618

PhoenixStealer

a97397b1d9ac7e1b1aab153d2529680c0d6f0977c9e2f68c3febd1661629dbe1

PhoenixStealer

bf3208f8363c2f4c8f0c431ec05376c3b1fefff9175423bb242755173229308e

PhoenixStealer

c153071c43613a6ff4c454e3fda8c29ac41908fa8e6dab9d9f021e9263b456a2

PhoenixStealer

+ 45 additional samples on MalwareBazaar

Result

Malware family:

phoenixstealer

Score:

10/10

Tags:

family:phoenixstealer stealer

Link:

https://tria.ge/reports/220322-fx6vnaedg4/

Behaviour

PhoenixStealer

Unpacked files

SH256 hash:

bbacec1344afa67e7e3aef7ac9f286d46d73ae5af3c45763f2536c7eb143b9e4

MD5 hash:

8643ad0c1db07b7bf569e8bd2c125f83

SHA1 hash:

9f20fe8e89eeb59c28ebbf03e426c7e18dc67b7c

Link:

https://www.unpac.me/results/30aa7fa9-6a64-4a5f-9116-8de3783cde66/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/bbacec1344afa67e7e3aef7ac9f286d46d73ae5af3c45763f2536c7eb143b9e4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	MALWARE_Win_Alfonoso Create hunting rule
Author:	ditekSHen
Description:	Detects Alfonoso / Shurk / HunterStealer infostealer

Rule name:	SUSP_XORed_URL_in_EXE Create hunting rule
Author:	Florian Roth
Description:	Detects an XORed URL in an executable
Reference:	https://twitter.com/stvemillertime/status/1237035794973560834

Rule name:	SUSP_XORed_URL_in_EXE_RID2E46 Create hunting rule
Author:	Florian Roth
Description:	Detects an XORed URL in an executable
Reference:	https://twitter.com/stvemillertime/status/1237035794973560834

Rule name:	XOREngine_Misc_XOR_Func Create hunting rule
Author:	smiller cc @florian @wesley idea on implementation with yara's built in XOR function
Description:	Use with care, https://twitter.com/cyb3rops/status/1237042104406355968