MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fdf7543e256f4d1c388489c66dd8d232e794a9fa23e95d8892bde08f3f1468fb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Phonk


Vendor detections: 8


Intelligence 8 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: fdf7543e256f4d1c388489c66dd8d232e794a9fa23e95d8892bde08f3f1468fb
SHA3-384 hash: 3fe3aa0f5077199eb8fa26f2795134543a0f79b2e105ea8da04e26822f1028a0f8e94f932de8a9efaf8353cb52020fdb
SHA1 hash: 4d37de854d30bfba244fe2c8f7c55b2ddc9e13e7
MD5 hash: 58bd2096417b214394dffae3c23a4a3e
humanhash: lithium-oranges-enemy-wisconsin
File name:58bd2096417b214394dffae3c23a4a3e.exe
Download: download sample
Signature Phonk
Create hunting rule
File size:1'774'592 bytes
First seen:2023-07-24 15:22:37 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 24576:MJtsUhtUhNC4ipQjpyp0aXlTHlD/64BS/Z0SKi1W2pZS7SNU:M4UhtmNCHpQjpmndhS/Z0SnDpE7Q
Threatray 3'036 similar samples on MalwareBazaar
TLSH T14A8506147AC20DB6EC9E02F1D366491C4F63EC626701D0EB265366EDA63DF079D8B263
TrID 40.9% (.EXE) Win64 Executable (generic) (10523/12/4)
19.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
8.0% (.EXE) Win16/32 Executable Delphi generic (2072/23)
8.0% (.ICL) Windows Icons Library (generic) (2059/9)
7.8% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon e0fcdce4e4d4f4e4 (1 x Phonk)
Reporter abuse_ch
Tags:exe Phonk

Intelligence

File Origin
# of uploads :
1
# of downloads :
270
Origin country :
NL NL
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/431238/
Detection(s):
SecuriteInfo.com.Win64.CoinminerX-gen.17738.6852.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a file
Sending a custom TCP request
Gathering data
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/fdf7543e256f4d1c388489c66dd8d232e794a9fa23e95d8892bde08f3f1468fb
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/752b4560-6959-437b-bc67-141a1272862c
Result
Threat name:
n/a
Detection:
malicious
Classification:
evad
Score:
76 / 100
Link:
https://www.joesandbox.com/analysis/1278650
Signature
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Uses schtasks.exe or at.exe to add and modify task schedules
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1278650 Sample: GUgr9RSEY6.exe Startdate: 24/07/2023 Architecture: WINDOWS Score: 76 40 Antivirus detection for URL or domain 2->40 42 Multi AV Scanner detection for submitted file 2->42 44 Machine Learning detection for sample 2->44 9 GUgr9RSEY6.exe 5 2->9         started        12 PCELK.exe 1 2->12         started        process3 file4 34 C:\ProgramData\BinEngFrame\PCELK.exe, PE32+ 9->34 dropped 14 cmd.exe 1 9->14         started        process5 signatures6 50 Uses schtasks.exe or at.exe to add and modify task schedules 14->50 17 PCELK.exe 14 4 14->17         started        21 conhost.exe 14->21         started        23 timeout.exe 1 14->23         started        process7 dnsIp8 36 179.43.170.241, 49693, 80 PLI-ASCH Panama 17->36 46 Detected unpacking (changes PE section rights) 17->46 48 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 17->48 25 cmd.exe 1 17->25         started        27 WerFault.exe 21 9 17->27         started        signatures9 process10 dnsIp11 30 conhost.exe 25->30         started        32 schtasks.exe 1 25->32         started        38 192.168.2.1 unknown unknown 27->38 process12
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/fdf7543e256f4d1c388489c66dd8d232e794a9fa23e95d8892bde08f3f1468fb/
Threat name:
Win64.Trojan.Privateloader
Create hunting rule
Status:
Malicious
First seen:
2023-07-24 12:47:14 UTC
File Type:
PE+ (.Net Exe)
Extracted files:
123
AV detection:
17 of 38 (44.74%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=7x3viprfn5gryoeerhdg3wgsgltzjkp2epuv3cesxxqi6pyund5q._file
Verdict:
unknown
Similar samples:
1f7f13aa248c139832d4eda0405aed97ded646e21e6cf111f44e0f617befe16b
Phonk
6b0f1fbd73fcb8eef3c3c3aee2f52d5295d16a725178bb0e8b556ad291f00d31
Phonk
6c649c5633d1b3b8832e1b5c13b176482179f38cfb021a5f81e22757788c72b0
Phonk
8e9e34d70a388ee2721911e266e68ebfcdaf460803fa1baf66f9b6cbf560b2a9
Phonk
c7c7c74f5db7cc59903a4a0fe446dc77ddd5589308c8e4d0ffd63d89b285040f
Phonk
cf3f15f534ea069f36096b144e3fa527952ec4e37d73fadd505954e5941714f6
Phonk
db763ab03af7239d396324f78364168aafb10860a7439781a5b4e2ac4734589a
Phonk
fc29f52e495390630ccda0c1071af6a811eeae68ae7d7cee5de58bdc02f00b61
Phonk
fdca00e3c56b15eda992ba0a43f758514216f53f7e1cb83fd100c57fcb70fcf9
Phonk
fea8be0dcc077588c5d828e5385eb1135922cb4e58d9ec1daf1674c3d74d61d6
Phonk
+ 3'026 additional samples on MalwareBazaar
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:xmrig miner
Link:
https://tria.ge/reports/230724-ssf5nafc91/
Behaviour
Creates scheduled task(s)
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
XMRig Miner payload
xmrig
Unpacked files
SH256 hash:
fdf7543e256f4d1c388489c66dd8d232e794a9fa23e95d8892bde08f3f1468fb
MD5 hash:
58bd2096417b214394dffae3c23a4a3e
SHA1 hash:
4d37de854d30bfba244fe2c8f7c55b2ddc9e13e7
Link:
https://www.unpac.me/results/c5fedbc8-eef9-4ee2-9f21-a96bfc02bca6/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/fdf7543e256f/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/fdf7543e256f4d1c388489c66dd8d232e794a9fa23e95d8892bde08f3f1468fb

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BAZT_B5_NOCEXInvalidStream
Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Phonk

Executable exe fdf7543e256f4d1c388489c66dd8d232e794a9fa23e95d8892bde08f3f1468fb

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2662087/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/431238/

Comments