phoenixstealer | 2b697dedde68e57f4ce0031983226e1db30f0e41e52e5307f1bb1eddc87ae7e7

General

Target

b4c2b203ec5ada40ca14fbee20de0b67.exe
Size

221KB
MD5

b4c2b203ec5ada40ca14fbee20de0b67
SHA1

65563cc1c1d781991e378ec9e5d3578b0810d42d
SHA256

2b697dedde68e57f4ce0031983226e1db30f0e41e52e5307f1bb1eddc87ae7e7
SHA512

a905bbb8c6f33cdafefe5537b8705d29e69e4c3b559b396bf9a176478d3de453deaad5249fb7980ae113ff4d2c793be0f10f3d0c59056d0c5be55fce12573a03

Score

10^/10

PhoenixStealer
PhoenixStealer is an information stealer written in the C++, it sends the stolen information to cybercriminals.
stealer phoenixstealer
Downloads MZ/PE file

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 984 set thread context of 436	984	b4c2b203ec5ada40ca14fbee20de0b67.exe	27

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	984	b4c2b203ec5ada40ca14fbee20de0b67.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 984 wrote to memory of 436	984	b4c2b203ec5ada40ca14fbee20de0b67.exe	27
PID 984 wrote to memory of 436	984	b4c2b203ec5ada40ca14fbee20de0b67.exe	27
PID 984 wrote to memory of 436	984	b4c2b203ec5ada40ca14fbee20de0b67.exe	27
PID 984 wrote to memory of 436	984	b4c2b203ec5ada40ca14fbee20de0b67.exe	27
PID 984 wrote to memory of 436	984	b4c2b203ec5ada40ca14fbee20de0b67.exe	27
PID 984 wrote to memory of 436	984	b4c2b203ec5ada40ca14fbee20de0b67.exe	27
PID 984 wrote to memory of 436	984	b4c2b203ec5ada40ca14fbee20de0b67.exe	27
PID 984 wrote to memory of 436	984	b4c2b203ec5ada40ca14fbee20de0b67.exe	27
PID 984 wrote to memory of 436	984	b4c2b203ec5ada40ca14fbee20de0b67.exe	27
PID 984 wrote to memory of 436	984	b4c2b203ec5ada40ca14fbee20de0b67.exe	27
PID 984 wrote to memory of 436	984	b4c2b203ec5ada40ca14fbee20de0b67.exe	27
PID 984 wrote to memory of 436	984	b4c2b203ec5ada40ca14fbee20de0b67.exe	27
PID 984 wrote to memory of 436	984	b4c2b203ec5ada40ca14fbee20de0b67.exe	27
PID 984 wrote to memory of 436	984	b4c2b203ec5ada40ca14fbee20de0b67.exe	27

C:\Users\Admin\AppData\Local\Temp\b4c2b203ec5ada40ca14fbee20de0b67.exe
"C:\Users\Admin\AppData\Local\Temp\b4c2b203ec5ada40ca14fbee20de0b67.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:984
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  PID:436

memory/436-66-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/436-60-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/436-70-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/436-69-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/436-62-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/436-65-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/436-61-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/436-64-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/436-63-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/984-58-0x00000000043E5000-0x00000000043F6000-memory.dmp

Filesize
68KB

Download
memory/984-55-0x0000000000170000-0x00000000001AE000-memory.dmp

Filesize
248KB

Download
memory/984-54-0x0000000000170000-0x00000000001AE000-memory.dmp

Filesize
248KB

Download
memory/984-59-0x00000000005B0000-0x00000000005DC000-memory.dmp

Filesize
176KB

Download
memory/984-57-0x00000000043E0000-0x00000000043E1000-memory.dmp

Filesize
4KB

Download
memory/984-56-0x0000000076451000-0x0000000076453000-memory.dmp

Filesize
8KB

Download