Phase (Win32/PhaseBot-A)

Small write-up about 'Phase' a malware who appeared and vanished very rapidly.
I had a look on it with MalwareTech who wrote several stories, it was shown that Phase is in reality a 'new' version of Solar bot, at least not so new, the code is so copy/pasted that even Antivirus such as Avast do false positives and now detect Napolar (Solar) as PhaseBot.

Advert:

Phase support website:

The coder is using public snippet for chatting with customers:
So weak that this is even vulnerable to xss.

Master balance ? less than < 1k
Phase seem not so popular, and got also rapidly lynched by other actors on forums.

Anyway let's have a look on the web panel.
Login:

Dashboard:

Commands:

Botlist:

Credentials:

Socks5:

Browsers:

Modules:

Analyzer detector:

RDP:

Settings:

FAQ:

Structure:

In the wild panel, having Ram scrapper plugin + VNC:

Ram scrapper plugin:

Point-of-sale remote controlled:

Another botnet with hacked point of sale remote controlled:

Wallet stealer:

Phase samples:
ae7a56b3adf6f7684ba14a77c017904d
12dccdec47928e5298055996415a94f2
d1446326bf1c69ea9df6e65bd472f358
1f3e808a3ccd981f3e61de227dae93b8
6ce0bb4cd86295f915160d7207a07a47
5767b9bf9cb6f2b5259f29dd8b873e36
a10f84153dba7b73980f0ff50d8cc8e6
f8ffcab3324561598ce5c375c07066be
e4574fbc1014d27e1b6906bfc5351e0e
d2ed20b1996e7e5bad2b91fd255732ef
f89b4e626c7a81544ca7395be3262cf6
ef69575e14fa965380242db26675d2df
fc586c3ec37e51668e905d0acfc913f6
eb9b56d829c3951b6e9cb5e4a651f7c8
6f53d3cd1acb7541bcc7399c4af001b1
19fa3927577571c51428f6eee2b5f52f
4ec84f1aa91e4cdc12118002244ca582
20e3a9ec396ad8b57a36ea3c6b9f151a
fe5dfa53204a65eca741ceab352c3b00
ace0a059dc2264c847d4e6c91f829dfd
f01c1ea73e968c2309391dcf3f0a2848

Unencrypted Ram scrapper plugin: 1e18ee52d6f0322d065b07ec7bfcbbe8
Unencrypted VNC plugin: 94eefdce643a084f95dd4c91289c3cf0
Panel: c43933e7c8b9d4c95703f798b515b384 (With a small trendMicro signature fail "PHP_SORAYA.A" no this is not the Soraya panel.
Needless to say the panel was also vulnerable.