phoenix | 1c3b60712c5fae9fb4ebb0b3bd05514d4d02727d65826f3f56d9aeaa74d50690

Analysis

Target

79d50ae5556085107d0f9d3c1b7d36c0.exe
Size

122KB
MD5

79d50ae5556085107d0f9d3c1b7d36c0
SHA1

972edd0f749c622b3f2f8fb1ee2c68ae4ad53ffc
SHA256

1c3b60712c5fae9fb4ebb0b3bd05514d4d02727d65826f3f56d9aeaa74d50690
SHA512

575406f98803c393f27d67ec88f500c4b990e58494c24e1f8c0374a47f44ec5ea4f31bb7693b0363f67e3e20ffeed679862c3970011b660a39d5a8535d4eef16

Score

10^/10

Phoenix Keylogger
Phoenix is a keylogger and info stealer first seen in July 2019.
stealer keylogger phoenix

Phoenix Keylogger Payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4756-3-0x0000000005050000-0x0000000005083000-memory.dmp	family_phoenix

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

7 ifconfig.me
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

79d50ae5556085107d0f9d3c1b7d36c0.exe

pid process

4756 79d50ae5556085107d0f9d3c1b7d36c0.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

79d50ae5556085107d0f9d3c1b7d36c0.exe

description pid process

Token: SeDebugPrivilege 4756 79d50ae5556085107d0f9d3c1b7d36c0.exe

flow	ioc
7	ifconfig.me

pid	process
4756	79d50ae5556085107d0f9d3c1b7d36c0.exe

description	pid	process
Token: SeDebugPrivilege	4756	79d50ae5556085107d0f9d3c1b7d36c0.exe

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

memory/4756-0-0x0000000073150000-0x000000007383E000-memory.dmp

Filesize
6.9MB

Download
memory/4756-1-0x00000000005E0000-0x00000000005E1000-memory.dmp

Filesize
4KB

Download
memory/4756-3-0x0000000005050000-0x0000000005083000-memory.dmp

Filesize
204KB

Download
memory/4756-4-0x0000000005810000-0x0000000005811000-memory.dmp

Filesize
4KB

Download
memory/4756-5-0x00000000053F0000-0x00000000053F1000-memory.dmp

Filesize
4KB

Download
memory/4756-6-0x0000000005F80000-0x0000000005F81000-memory.dmp

Filesize
4KB

Download
memory/4756-7-0x0000000006620000-0x0000000006621000-memory.dmp

Filesize
4KB

Download
memory/4756-8-0x0000000006570000-0x0000000006571000-memory.dmp

Filesize
4KB

Download
memory/4756-9-0x0000000006530000-0x0000000006531000-memory.dmp

Filesize
4KB

Download