phoenix | 580006399ce81551ccf09b2ff057eb3a1a8b74cd2234419292f9cdc79945fb16 | Triage

Submit
Reports

Overview

overview

Static

static

sample_2.bin.exe

windows7_x64

sample_2.bin.exe

windows10_x64

Sharing

General

Target

sample_2.bin
Size

288KB
Sample

201029-ag9m3688b2
MD5

c42599e95105b0f96915f009cf9b0956
SHA1

591049db2ec06a767ccc107a580470e85a094c58
SHA256

580006399ce81551ccf09b2ff057eb3a1a8b74cd2234419292f9cdc79945fb16
SHA512

d869ff010821bdc8046ed9632eccefb887c0be9c65b71bf66adebced69cfd815300388a5bc86030c660f40f2add2ec21c1d15b9d8ac05a26bd0cc8c836f7b6a1

Score

10^/10

phoenix keylogger spyware stealer

Static task

static1

Behavioral task

behavioral1

Sample

sample_2.bin.exe

Resource

win7v20201028

phoenix keylogger spyware stealer

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

sample_2.bin.exe

Resource

win10v20201028

phoenix keylogger spyware stealer

windows10_x64

0 signatures

0 seconds

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
smtp.mail.com
Port:
587
Username:
[email protected]
Password:
favour1997

Targets

- Target
  
  sample_2.bin
- Size
  
  288KB
- MD5
  
  c42599e95105b0f96915f009cf9b0956
- SHA1
  
  591049db2ec06a767ccc107a580470e85a094c58
- SHA256
  
  580006399ce81551ccf09b2ff057eb3a1a8b74cd2234419292f9cdc79945fb16
- SHA512
  
  d869ff010821bdc8046ed9632eccefb887c0be9c65b71bf66adebced69cfd815300388a5bc86030c660f40f2add2ec21c1d15b9d8ac05a26bd0cc8c836f7b6a1
Score

10^/10

phoenix keylogger spyware stealer
- Phoenix Keylogger
  Phoenix is a keylogger and info stealer first seen in July 2019.
  stealer keylogger phoenix
- Phoenix Keylogger Payload
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

Modify Registry

Credential Access

Credentials in Files

Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

phoenixkeyloggerspywarestealer

behavioral2

phoenixkeyloggerspywarestealer

© 2018-2024

Terms | Privacy