MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f9348fb8d78baa055f90288fec94b67d3f3d30eaa5744feeacef871ee3ad8eb8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Phobos


Vendor detections: 4


Intelligence 4 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f9348fb8d78baa055f90288fec94b67d3f3d30eaa5744feeacef871ee3ad8eb8
SHA3-384 hash: c5855f4ee3a03f076fb0923a151cb216d36105a1b5361d231b92f516312bde444151fcdcdbbc305bfae71c913d0dbef7
SHA1 hash: 0f2b29fc307eb870de21fa4de878595f943d02c8
MD5 hash: 61bb48e9aef012dbfc147d476a666087
humanhash: arkansas-tennessee-oscar-ohio
File name:antirecuvaanddb.exe
Download: download sample
Signature Phobos
Create hunting rule
File size:56'832 bytes
First seen:2020-03-18 10:16:16 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 03cae632c46883e0fd8e744440cd27c0 (5 x Phobos)
ssdeep 1536:5kcgYgbig9EhjWNMSTdwp++l0/8VK8dp8SwK:5j8ijWNw++lzVK8f8Sw
Threatray 7 similar samples on MalwareBazaar
TLSH 3343B04670598473CFB28970293A2F1BAFBE7119846484478F280D873FE5576DB2A3B7
Reporter fbgwls245
Tags:Phobos Ransomware CrySis/Dharma .eight

Intelligence

File Origin
# of uploads :
1
# of downloads :
1'959
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
Win.Ransomware.Ulise-7594403-0
Create hunting rule

Gathering data
Threat name:
Win32.Trojan.Phobos
Create hunting rule
Status:
Malicious
First seen:
2020-03-18 10:47:00 UTC
AV detection:
28 of 31 (90.32%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
03bb4d5c0179fdceacc5df7645e6e7fa93e931ac9beb1968c7bbe40ba3499194
Phobos
4f2a4b35cda0c85b4a0ead82e8af588d7812d79206a104ff638619aa869aade4
Phobos
6c39c5f5d143700d4ad43b0aa7fb6a51e77817060467cf3462ef037176e1f50f
Phobos
7949bf3e09366bdb23ca7472cb6c4d9183ad5b081ac5a568d556aec8beae0785
Phobos
868cb8251a245c416cd92fcbd3e30aa7b7ca7c271760fa120d2435fd3bf2fde9
Phobos
86c54f746b7af0ffaa40444e44b4dfd8e2d598bb31ad932cc2fb1ac1c83237ce
Phobos
ac0882d87027ac22fc79cfe2d55d9a9d097d0f8eb425cf182de1b872080930ec
Phobos
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Unknown
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f9348fb8d78baa055f90288fec94b67d3f3d30eaa5744feeacef871ee3ad8eb8

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
Reviews
IDCapabilitiesEvidence
AUTH_APIManipulates User AuthorizationADVAPI32.dll::AllocateAndInitializeSid
ADVAPI32.dll::EqualSid
ADVAPI32.dll::FreeSid
SECURITY_BASE_APIUses Security Base APIADVAPI32.dll::AdjustTokenPrivileges
ADVAPI32.dll::DuplicateTokenEx
ADVAPI32.dll::GetTokenInformation
SHELL_APIManipulates System ShellSHELL32.dll::ShellExecuteExW
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CreateProcessW
KERNEL32.dll::OpenProcess
ADVAPI32.dll::OpenProcessToken
WINHTTP.dll::WinHttpCloseHandle
KERNEL32.dll::CloseHandle
KERNEL32.dll::CreateThread
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::GetVolumeInformationW
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::AllocConsole
KERNEL32.dll::WriteConsoleW
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CopyFileW
KERNEL32.dll::CreateFileW
KERNEL32.dll::DeleteFileW
KERNEL32.dll::MoveFileW
KERNEL32.dll::GetFileAttributesW
KERNEL32.dll::FindFirstFileW
WIN_BASE_USER_APIRetrieves Account InformationKERNEL32.dll::GetComputerNameW
ADVAPI32.dll::LookupAccountSidW
ADVAPI32.dll::LookupPrivilegeValueW
WIN_HTTP_APIUses HTTP servicesWINHTTP.dll::WinHttpConnect
WINHTTP.dll::WinHttpOpenRequest
WINHTTP.dll::WinHttpOpen
WINHTTP.dll::WinHttpReceiveResponse
WINHTTP.dll::WinHttpSendRequest
WIN_NETWORK_APISupports Windows NetworkingMPR.dll::WNetEnumResourceW
MPR.dll::WNetOpenEnumW
MPR.dll::WNetUseConnectionW
WIN_REG_APICan Manipulate Windows RegistryADVAPI32.dll::RegOpenKeyExW
ADVAPI32.dll::RegQueryValueExW
ADVAPI32.dll::RegSetValueExW
WIN_SOCK_APIUses Network to send and receive dataWS2_32.dll::WSAAddressToStringW

Comments