Overview

overview

10

Static

static

10

Phoenix/Anarchy.dll

windows10-1703-x64

1

Phoenix/Anarchy.dll

windows11-21h2-x64

1

Phoenix/Di...PC.dll

windows10-1703-x64

1

Phoenix/Di...PC.dll

windows11-21h2-x64

1

Phoenix/Guna.UI2.dll

windows10-1703-x64

1

Phoenix/Guna.UI2.dll

windows11-21h2-x64

1

Phoenix/Ne...on.dll

windows10-1703-x64

1

Phoenix/Ne...on.dll

windows11-21h2-x64

1

Phoenix/Phoenix.exe

windows10-1703-x64

10

Phoenix/Phoenix.exe

windows11-21h2-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    144s
  • platform
    windows10-1703_x64
  • resource
    win10-20240404-en
  • resource tags

    arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
  • submitted
    28-04-2024 12:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Phoenix/Phoenix.exe

  • Size

    5.6MB

  • MD5

    1e09922d9ebca4374a64998bc0949bde

  • SHA1

    474e620e852339cf01c44721d6f8663144d4ebd1

  • SHA256

    539635d689f2d880bf0e29b6fbc95fa7df68d7d818e0096fba7a8700846a4dc3

  • SHA512

    07f63b8bf6e2b4781d859e7a3dc6d85209709ad32c74d68789a435972200c78404d5fdfbc23cd4cb9783d2bacb707b88ef88aed38f0a7a9faf56b2b3ccd6b748

  • SSDEEP

    98304:iDVt2sjC7YM1eqh85elVOlVdsOdlVdsO3BbBWIgWljGxRB/LL8pVds+:7siYM0qh85eli4xRBj

Score
10/10
agentteslakeyloggerspywarestealertrojan

Malware Config

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • AgentTesla payload 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 6 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies Internet Explorer settings 1 TTPs 2 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious behavior: MapViewOfSection 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Phoenix\Phoenix.exe
    "C:\Users\Admin\AppData\Local\Temp\Phoenix\Phoenix.exe"
    1⤵
    • Checks computer location settings
    • Enumerates system info in registry
    • Suspicious use of AdjustPrivilegeToken
    PID:4772
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
    1⤵
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:4592
  • C:\Windows\system32\browser_broker.exe
    C:\Windows\system32\browser_broker.exe -Embedding
    1⤵
    • Modifies Internet Explorer settings
    PID:4024
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    1⤵
    • Modifies registry class
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2864
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    1⤵
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    PID:4268
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    1⤵
    • Drops file in Windows directory
    • Modifies registry class
    PID:2900
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    1⤵
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    PID:3168
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    1⤵
    • Modifies registry class
    PID:1016
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    1⤵
    • Modifies registry class
    PID:3684

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

2
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1
T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157
    Filesize

    4KB

    MD5

    1bfe591a4fe3d91b03cdf26eaacd8f89

    SHA1

    719c37c320f518ac168c86723724891950911cea

    SHA256

    9cf94355051bf0f4a45724ca20d1cc02f76371b963ab7d1e38bd8997737b13d8

    SHA512

    02f88da4b610678c31664609bcfa9d61db8d0b0617649981af948f670f41a6207b4ec19fecce7385a24e0c609cbbf3f2b79a8acaf09a03c2c432cc4dce75e9db

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\LICIZUQP\edgecompatviewlist[1].xml
    Filesize

    74KB

    MD5

    d4fc49dc14f63895d997fa4940f24378

    SHA1

    3efb1437a7c5e46034147cbbc8db017c69d02c31

    SHA256

    853d2f4eb81c9fdcea2ee079f6faf98214b111b77cdf68709b38989d123890f1

    SHA512

    cc60d79b4afe5007634ac21dc4bc92081880be4c0d798a1735b63b27e936c02f399964f744dc73711987f01e8a1064b02a4867dd6cac27538e5fbe275cc61e0a

    Download Submit
  • C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\LCQE230S\favicon[1].ico
    Filesize

    23KB

    MD5

    ec2c34cadd4b5f4594415127380a85e6

    SHA1

    e7e129270da0153510ef04a148d08702b980b679

    SHA256

    128e20b3b15c65dd470cb9d0dc8fe10e2ff9f72fac99ee621b01a391ef6b81c7

    SHA512

    c1997779ff5d0f74a7fbb359606dab83439c143fbdb52025495bdc3a7cb87188085eaf12cc434cbf63b3f8da5417c8a03f2e64f751c0a63508e4412ea4e7425c

    Download Submit
  • C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\UDMUIHBO\suggestions[1].en-US
    Filesize

    17KB

    MD5

    5a34cb996293fde2cb7a4ac89587393a

    SHA1

    3c96c993500690d1a77873cd62bc639b3a10653f

    SHA256

    c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

    SHA512

    e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

    Download Submit
  • memory/2900-190-0x00000243501F0000-0x00000243502F0000-memory.dmp
    Filesize

    1024KB

    Download
  • memory/2900-185-0x0000024350F20000-0x0000024351020000-memory.dmp
    Filesize

    1024KB

    Download
  • memory/2900-133-0x000002434D840000-0x000002434D842000-memory.dmp
    Filesize

    8KB

    Download
  • memory/2900-135-0x000002434D860000-0x000002434D862000-memory.dmp
    Filesize

    8KB

    Download
  • memory/2900-137-0x000002434D880000-0x000002434D882000-memory.dmp
    Filesize

    8KB

    Download
  • memory/2900-81-0x000002433C600000-0x000002433C700000-memory.dmp
    Filesize

    1024KB

    Download
  • memory/4268-59-0x0000021198200000-0x0000021198300000-memory.dmp
    Filesize

    1024KB

    Download
  • memory/4592-198-0x0000024D79190000-0x0000024D79191000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4592-199-0x0000024D791A0000-0x0000024D791A1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4592-15-0x0000024D72220000-0x0000024D72230000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4592-31-0x0000024D72320000-0x0000024D72330000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4592-50-0x0000024D714A0000-0x0000024D714A2000-memory.dmp
    Filesize

    8KB

    Download
  • memory/4772-5-0x0000025D19270000-0x0000025D1928A000-memory.dmp
    Filesize

    104KB

    Download
  • memory/4772-4-0x0000025D33760000-0x0000025D33972000-memory.dmp
    Filesize

    2.1MB

    Download
  • memory/4772-9-0x0000025D33530000-0x0000025D33540000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4772-8-0x0000025D33530000-0x0000025D33540000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4772-7-0x0000025D33640000-0x0000025D336B6000-memory.dmp
    Filesize

    472KB

    Download
  • memory/4772-6-0x0000025D33450000-0x0000025D33502000-memory.dmp
    Filesize

    712KB

    Download
  • memory/4772-12-0x0000025D33530000-0x0000025D33540000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4772-11-0x0000025D33530000-0x0000025D33540000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4772-0-0x0000025D18530000-0x0000025D18EBC000-memory.dmp
    Filesize

    9.5MB

    Download
  • memory/4772-10-0x0000025D33530000-0x0000025D33540000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4772-209-0x00007FFC76190000-0x00007FFC76B7C000-memory.dmp
    Filesize

    9.9MB

    Download
  • memory/4772-210-0x0000025D33530000-0x0000025D33540000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4772-211-0x0000025D33530000-0x0000025D33540000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4772-212-0x0000025D33530000-0x0000025D33540000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4772-213-0x0000025D33530000-0x0000025D33540000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4772-214-0x0000025D33530000-0x0000025D33540000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4772-3-0x0000025D333A0000-0x0000025D3344E000-memory.dmp
    Filesize

    696KB

    Download
  • memory/4772-2-0x0000025D19240000-0x0000025D19241000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4772-1-0x00007FFC76190000-0x00007FFC76B7C000-memory.dmp
    Filesize

    9.9MB

    Download