MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d224dfde2a5b1d9d11cf216aadcc86cf33364aa44d8b76d8528d14183900e221. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Phonk


Vendor detections: 10


Intelligence 10 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d224dfde2a5b1d9d11cf216aadcc86cf33364aa44d8b76d8528d14183900e221
SHA3-384 hash: 74e2f44f4858eecfd95c2507ba89d5c25538c5d2b66302bb6602592f6be7819c10a3fdacc3576b7da0cea05b17b2b9c2
SHA1 hash: 33a4738eae2b0bae7f374398753a67d8e9f6ff52
MD5 hash: 59bdfeadc9becdab96fe6110bd33ef9c
humanhash: apart-rugby-march-cold
File name:59bdfeadc9becdab96fe6110bd33ef9c.exe
Download: download sample
Signature Phonk
Create hunting rule
File size:2'820'096 bytes
First seen:2023-06-10 10:31:59 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 12288:xoIuuRsY3/TwC7yA3bgH19Ay74Rcd6ijNqnW8feIX5GgvkUH7WEuQxXXTpr5qTYx:xDWHagHQk4agijNq6Eu8pn9yC
Threatray 2'938 similar samples on MalwareBazaar
TLSH T1C0D5FAD4E705C510DB810DB3B19AB865D5143EF2AB21F80ABE82FACA32B97C1654C7D7
TrID 40.9% (.EXE) Win64 Executable (generic) (10523/12/4)
19.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
8.0% (.EXE) Win16/32 Executable Delphi generic (2072/23)
8.0% (.ICL) Windows Icons Library (generic) (2059/9)
7.8% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon b8e2e3e3e3a3c65d (1 x Phonk, 1 x Stealc, 1 x RedLineStealer)
Reporter abuse_ch
Tags:exe Phonk

Intelligence

File Origin
# of uploads :
1
# of downloads :
307
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
59bdfeadc9becdab96fe6110bd33ef9c.exe
Verdict:
Malicious activity
Analysis date:
2023-06-10 10:35:49 UTC
Tags:
miner
Link:
https://app.any.run/tasks/d051ebed-ee3b-4582-a9dd-c3f277fd5905

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/397601/
Detection(s):
SecuriteInfo.com.Trojan.InjectNET.14.9016.9580.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Creating a file
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
hacktool lolbin overlay packed
Link:
https://www.filescan.io/uploads/648451293d73a4d7170a01a9/reports/67f44b99-563e-4d13-8dd9-0726196e3638/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/d224dfde2a5b1d9d11cf216aadcc86cf33364aa44d8b76d8528d14183900e221
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/8d9ee079-0801-4565-b5ea-846f2031dbe2
Result
Threat name:
n/a
Detection:
malicious
Classification:
evad
Score:
76 / 100
Link:
https://www.joesandbox.com/analysis/1252287
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 885306 Sample: PYuUP6c77T.exe Startdate: 10/06/2023 Architecture: WINDOWS Score: 76 26 Antivirus / Scanner detection for submitted sample 2->26 28 Multi AV Scanner detection for submitted file 2->28 30 .NET source code contains method to dynamically call methods (often used by packers) 2->30 32 3 other signatures 2->32 7 PYuUP6c77T.exe 2 2->7         started        process3 file4 22 C:\ProgramData\Timeupper\HVPIO.exe, PE32+ 7->22 dropped 34 Adds a directory exclusion to Windows Defender 7->34 11 WerFault.exe 20 9 7->11         started        14 powershell.exe 19 7->14         started        16 powershell.exe 20 7->16         started        signatures5 process6 file7 24 C:\ProgramData\Microsoft\...\Report.wer, Unicode 11->24 dropped 18 conhost.exe 14->18         started        20 conhost.exe 16->20         started        process8
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d224dfde2a5b1d9d11cf216aadcc86cf33364aa44d8b76d8528d14183900e221/
Threat name:
Win64.Trojan.Privateloader
Create hunting rule
Status:
Suspicious
First seen:
2023-06-10 10:32:08 UTC
File Type:
PE+ (.Net Exe)
Extracted files:
90
AV detection:
16 of 24 (66.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=2isn7xrklmoz2eopefvk3tegz4ztmsvejwfxnwcsrukbqoia4iqq._file
Verdict:
unknown
Similar samples:
0d572238b9860b5db4f6d62eaad3ed9b1919efd9fcd92f165a0565ca9c1dd2ea
Phonk
6ca16541b066dc3a104efe166174bb08bf13fd1554e0af4d1b0e4f337e3ded40
Phonk
82f136be6e93f18f9c0a443b8bdbc16fb125c1685a3cc1d2c289575047033edd
Phonk
8ba31a5fa89b4db409e6f163004802e1d6c5fc0df2c6949d3d05fbbeafc25ac0
Phonk
925d72a0386f1228192b826ad465aca0343103f87188b94c7df3cf16dd5c3ae6
Phonk
939f6972ee6a83217d0ccb69dea58c381bd6b9977870bad27385ce7df68b16b8
Phonk
98980b5d5796c559c08ea5b20a4a459048087758b1149767af47788ea3388fdd
Phonk
a95e8541f0e2e8ac15d15b079ac0ac9826c52f8ed61e2c8a3c0ca72908230296
Phonk
cb74248d3d1b1c17a1585e9c4467b03cea1a2cb3d58136a5316baa10fa619ff1
Phonk
e9450c3121f962ad35052a0eb013d667116a77c29299a43047ccd19bd3abfe40
Phonk
+ 2'928 additional samples on MalwareBazaar
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:xmrig miner
Link:
https://tria.ge/reports/230610-mkzn5seg72/
Behaviour
Creates scheduled task(s)
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Enumerates physical storage devices
Program crash
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
XMRig Miner payload
xmrig
Unpacked files
SH256 hash:
d224dfde2a5b1d9d11cf216aadcc86cf33364aa44d8b76d8528d14183900e221
MD5 hash:
59bdfeadc9becdab96fe6110bd33ef9c
SHA1 hash:
33a4738eae2b0bae7f374398753a67d8e9f6ff52
Link:
https://www.unpac.me/results/e304ee4a-b7df-47f9-8f46-99184cc17758/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/d224dfde2a5b/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d224dfde2a5b1d9d11cf216aadcc86cf33364aa44d8b76d8528d14183900e221

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BAZT_B5_NOCEXInvalidStream
Create hunting rule
Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Phonk

Executable exe d224dfde2a5b1d9d11cf216aadcc86cf33364aa44d8b76d8528d14183900e221

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2655668/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/397601/

Comments