Temppot_Protected.bin

General

Target: Temppot_Protected.bin
Size: 288KB
Sample: 201029-ta1j98mbls
Score: 10/10
MD5: c42599e95105b0f96915f009cf9b0956
SHA1: 591049db2ec06a767ccc107a580470e85a094c58
SHA256: 580006399ce81551ccf09b2ff057eb3a1a8b74cd2234419292f9cdc79945fb16
SHA512: d869ff010821bdc8046ed9632eccefb887c0be9c65b71bf66adebced69cfd815300388a5bc86030c660f40f2add2ec21c1d15b9d8ac05a26bd0cc8c836f7b6a1

Malware Config

Extracted Credentials

Protocol: smtp
Host: smtp.mail.com
Port: 587
Username: syounus.ega-ae@mail.com
Password: favour1997

Signatures

  • Phoenix Keylogger
    Description: Phoenix is a keylogger and info stealer first seen in July 2019.

  • Phoenix Keylogger Payload

  • Looks up external IP address via web service
    Description: Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext

Tasks

static1
behavioral1: 10/10
behavioral2: 10/10