Analysis
-
max time kernel
141s -
max time network
142s -
platform
windows7_x64 -
resource
win7v20201028 -
submitted
29-10-2020 16:46
Static task
static1
Behavioral task
behavioral1
Sample
79d50ae5556085107d0f9d3c1b7d36c0.exe
Resource
win7v20201028
General
-
Target
79d50ae5556085107d0f9d3c1b7d36c0.exe
-
Size
122KB
-
MD5
79d50ae5556085107d0f9d3c1b7d36c0
-
SHA1
972edd0f749c622b3f2f8fb1ee2c68ae4ad53ffc
-
SHA256
1c3b60712c5fae9fb4ebb0b3bd05514d4d02727d65826f3f56d9aeaa74d50690
-
SHA512
575406f98803c393f27d67ec88f500c4b990e58494c24e1f8c0374a47f44ec5ea4f31bb7693b0363f67e3e20ffeed679862c3970011b660a39d5a8535d4eef16
Malware Config
Signatures
-
Phoenix Keylogger Payload 1 IoCs
Processes:
resource yara_rule behavioral1/memory/1744-3-0x0000000000400000-0x0000000000433000-memory.dmp family_phoenix -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 6 ifconfig.me -
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
79d50ae5556085107d0f9d3c1b7d36c0.exepid process 1744 79d50ae5556085107d0f9d3c1b7d36c0.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
79d50ae5556085107d0f9d3c1b7d36c0.exedescription pid process Token: SeDebugPrivilege 1744 79d50ae5556085107d0f9d3c1b7d36c0.exe