Windows Analysis Report
dbsJ8HZXYa

Overview

General Information

Sample Name: dbsJ8HZXYa (renamed file extension from none to exe)
Analysis ID: 728895
MD5: 73f075adda1fe81dea4022f4e06fb64a
SHA1: ca241492da03a4d86fd43a5a076e22ac6949505c
SHA256: 77cb17ef2f4f282f39838e7430bf040c3356e59ae8f13cbd4e670712e9f44a4e

Detection

PhoenixRAT
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Yara detected PhoenixRAT
Multi AV Scanner detection for dropped file
Snort IDS alert for network traffic
Found strings related to Crypto-Mining
Protects its processes via BreakOnTermination flag
Yara detected Costura Assembly Loader
Encrypted powershell cmdline option found
Machine Learning detection for sample
.NET source code contains potential unpacker
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Machine Learning detection for dropped file
Adds a directory exclusion to Windows Defender
Uses schtasks.exe or at.exe to add and modify task schedules
Potential dropper URLs found in powershell memory
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Antivirus or Machine Learning detection for unpacked file
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Sample execution stops while process was sleeping (likely an evasion)
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
AV process strings found (often used to terminate AV products)
PE file does not import any functions
Sample file is different than original file name gathered from version info
Drops PE files
Detected TCP or UDP traffic on non-standard ports
Binary contains a suspicious time stamp
Creates a window with clipboard capturing capabilities
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Dropped file seen in connection with other malware
Creates a process in suspended mode (likely to inject code)

Classification

  • System is w10x64
  • dbsJ8HZXYa.exe (PID: 5760 cmdline: C:\Users\user\Desktop\dbsJ8HZXYa.exe MD5: 73F075ADDA1FE81DEA4022F4E06FB64A)
    • powershell.exe (PID: 4020 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAeAB1ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAcwBiACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGgAYgBzACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAdABkACMAPgA= MD5: 95000560239032BC68B4C2FDFCDEF913)
      • conhost.exe (PID: 6016 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • Wzhtwkrl.exe (PID: 5156 cmdline: "C:\Users\user\AppData\Local\Temp\Wzhtwkrl.exe" MD5: 12C686D78A0C45F37FD17B743A0609F0)
    • PhoenixClientbaluci.exe (PID: 1212 cmdline: "C:\Users\user\AppData\Local\Temp\PhoenixClientbaluci.exe" MD5: D6DDA9CB85261B5FDC12EB22C5D3E6DA)
      • cmd.exe (PID: 3600 cmdline: "C:\Windows\System32\cmd.exe" /c powershell -Command Add-MpPreference -ExclusionPath '%APPDATA%' & powershell -Command Add-MpPreference -ExclusionPath '%TMP%' & powershell -Command Add-MpPreference -ExclusionPath '%SystemRoot%' & powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
        • conhost.exe (PID: 612 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • powershell.exe (PID: 3080 cmdline: powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming' MD5: 95000560239032BC68B4C2FDFCDEF913)
        • powershell.exe (PID: 6132 cmdline: powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp' MD5: 95000560239032BC68B4C2FDFCDEF913)
        • powershell.exe (PID: 2680 cmdline: powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows' MD5: 95000560239032BC68B4C2FDFCDEF913)
        • powershell.exe (PID: 648 cmdline: powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user' MD5: 95000560239032BC68B4C2FDFCDEF913)
      • cmd.exe (PID: 4968 cmdline: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "System" /tr '"C:\Users\user\AppData\Roaming\System\System.exe"' & exit MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
        • conhost.exe (PID: 5468 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • schtasks.exe (PID: 1708 cmdline: schtasks /create /f /sc onlogon /rl highest /tn "System" /tr '"C:\Users\user\AppData\Roaming\System\System.exe"' MD5: 838D346D1D28F00783B7A6C6BD03A0DA)
      • cmd.exe (PID: 1244 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmpC0DF.tmp.bat"" MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
        • conhost.exe (PID: 2424 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • timeout.exe (PID: 5116 cmdline: timeout 3 MD5: EB9A65078396FB5D4E3813BB9198CB18)