home

phBot.exe

phBot

Ryan Clouser

This is a setup program which is used to install the application. The file has been seen being downloaded from dc344.gulfup.com and multiple other hosts.
Publisher:
ProjectHax  (signed by Ryan Clouser)

Product:
phBot

Description:
phBot - Silkroad Online Bot

Version:
11.9.5.0

MD5:
c883ea7769e74cddcffa3e5a64472a80

SHA-1:
ff79e26b2373cc1969394229c526aa0b446b756e

SHA-256:
51bc502a58a6b353d8f28c2262c6c375f23fe3c26b49639feda83d773ee1607a

Scanner detections:
0 / 68

Status:
Clean (as of last analysis)

Analysis date:
5/6/2024 7:19:24 AM UTC  (today)

File size:
18.4 MB (19,331,568 bytes)

Product version:
11.9.5.0

Copyright:
Copyright (C) 2015 ProjectHax

Original file name:
phBot.exe

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\users\{user}\downloads\phbot v11.9.5a\phbot.exe

Digital Signature
Signed by:
Ryan Clouser

Authority:
StartCom Ltd.

Valid from:
11/8/2013 2:13:03 PM

Valid to:
11/9/2015 12:34:04 AM

Subject:
E=ryan@projecthax.com, CN=Ryan Clouser, L=Camp Hill, S=Pennsylvania, C=US, Description=GDbAxi2Z0A7Em5K7

Issuer:
CN=StartCom Class 2 Primary Intermediate Object CA, OU=Secure Digital Certificate Signing, O=StartCom Ltd., C=IL

Serial number:
0BB8

File PE Metadata
Compilation timestamp:
6/28/2015 10:58:35 AM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
12.0

CTPH (ssdeep):
393216:bWM5PXkNcwhpyzrM7maNKEffpud0xa7oKfGWmF/xlN78:CMuSS9NKE5HDKGDF/LNI

Entry address:
0x2B77F16

Entry point:
0F, 83, 9C, E3, FF, FF, 57, 9C, 60, C7, 44, 24, 24, FD, 08, 66, 35, E9, 93, 04, 00, 00, 9B, 9F, 55, 09, 1A, 3C, 6C, 06, 50, 4D, 1C, 14, A0, DB, 0D, 76, 8D, F8, F1, 36, 0E, 99, 6D, 04, 73, 96, 46, 8F, 1D, 26, D2, 80, 96, 87, 01, B1, 3B, 0A, 89, B1, 18, 53, 97, 98, 32, B4, 42, 54, 49, 9C, 21, AC, 25, C1, 6B, CE, 50, 37, 5D, ED, E4, 6A, C0, A2, 50, BD, 35, 1A, 31, 54, 49, 9C, 28, 5C, CD, 48, 93, 79, B5, 5A, 5F, BA, 67, A9, C4, 46, BD, 92, 72, D0, 41, 6C, 0E, EC, 4D, B5, 14, 11, FB, 4E, A7, 6F, D0, 42, 29, 19...
 
[+]

Entropy:
7.9206  (probably packed)

Code size:
9.3 MB (9,750,016 bytes)

The file phBot.exe has been seen being distributed by the following 2 URLs.

http://dc344.gulfup.com/C1W3zd.exe

http://update.phbot.org/.../phBot.exe

Scan phBot.exe - Powered by Reason Core Security
herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.