phoenixstealer | 854f58be2f8c4e2b9305911f908d675d14341d460218828b8c190a41f633e28d

Analysis

max time kernel
29s
max time network
21s
platform
windows10_x64
resource
win10-20220223-en
submitted
19-03-2022 05:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fGv4Ub5CXnXURJ4g2dBLT9BUmoeKz64h.exe
Size

545KB
MD5

0f63a487555ec2b8bdada114f55cd2f3
SHA1

a3ef0914468013a9bcf6dd6cca79b7fa18494327
SHA256

854f58be2f8c4e2b9305911f908d675d14341d460218828b8c190a41f633e28d
SHA512

365cddac8aa211502a44416072ff1cf2b9a3c84ed9845eda8509b69d3ffdd74e11fa7018b030a358b62dfda3d06c4a8baf0b81d36ec5dee55a36cb5199d02e04

Score

10^/10

phoenixstealer spyware stealer

Malware Config

Signatures

PhoenixStealer
PhoenixStealer is an information stealer written in the C++, it sends the stolen information to cybercriminals.
stealer phoenixstealer
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

vlc.exe

pid process

3520 vlc.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

fGv4Ub5CXnXURJ4g2dBLT9BUmoeKz64h.exe

pid process

3572 fGv4Ub5CXnXURJ4g2dBLT9BUmoeKz64h.exe
3572 fGv4Ub5CXnXURJ4g2dBLT9BUmoeKz64h.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

vlc.exe

pid process

3520 vlc.exe
Suspicious use of FindShellTrayWindow 9 IoCs

Processes:

vlc.exe

pid process

3520 vlc.exe
3520 vlc.exe
3520 vlc.exe
3520 vlc.exe
3520 vlc.exe
3520 vlc.exe
3520 vlc.exe
3520 vlc.exe
3520 vlc.exe
Suspicious use of SendNotifyMessage 8 IoCs

Processes:

vlc.exe

pid process

3520 vlc.exe
3520 vlc.exe
3520 vlc.exe
3520 vlc.exe
3520 vlc.exe
3520 vlc.exe
3520 vlc.exe
3520 vlc.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

vlc.exe

pid process

3520 vlc.exe

pid	process
3520	vlc.exe

pid	process
3572	fGv4Ub5CXnXURJ4g2dBLT9BUmoeKz64h.exe
3572	fGv4Ub5CXnXURJ4g2dBLT9BUmoeKz64h.exe

pid	process
3520	vlc.exe

pid	process
3520	vlc.exe
3520	vlc.exe
3520	vlc.exe
3520	vlc.exe
3520	vlc.exe
3520	vlc.exe
3520	vlc.exe
3520	vlc.exe
3520	vlc.exe

pid	process
3520	vlc.exe
3520	vlc.exe
3520	vlc.exe
3520	vlc.exe
3520	vlc.exe
3520	vlc.exe
3520	vlc.exe
3520	vlc.exe

pid	process
3520	vlc.exe

C:\Users\Admin\AppData\Local\Temp\fGv4Ub5CXnXURJ4g2dBLT9BUmoeKz64h.exe
"C:\Users\Admin\AppData\Local\Temp\fGv4Ub5CXnXURJ4g2dBLT9BUmoeKz64h.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:3572

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\AddMount.wmv"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:3520

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Desktop\ConfirmGet.m4v

MD5
f5d34fc4b1556ad56928ce14be4e0116

SHA1
e7bdbf0019dea751c9e416822d8a124d7c83356f

SHA256
3c4969e24d9fca2fba54ef214abdfd5ea120af6dc3c03d31a10dac6a75026a88

SHA512
959dcb0b63931c227033d487ac1f4a50e3317854361182777a61fc2fac0f9331146aa2acb13c51a1e19ebe30ea32e412f37b91e809c577738ecffb82222fc0ff

Download Submit
C:\Users\Admin\Desktop\ConvertFromUpdate.3gp

MD5
417e2d50c73e244aa4d17e6455249510

SHA1
035d43634f32f14b2253d0f4b49ff5b669ab147e

SHA256
5434c7c1da2eee3a967b739ffc153a626b6099967d73e08245ccff640a2c12c1

SHA512
363545d5f215c932ddb1f71e12933fd92c54ad3479dd0564df2e023a9ad8955e5cf4ec997a1599301b643d09cb08ec804b3748fb0aba5c10234524bf10600a36

Download Submit
C:\Users\Admin\Desktop\DisableInstall.dib

MD5
7e1c10631f63e18ea01a9870e26876a2

SHA1
79690c642b95de1acf2856320c28ca85bcc28a4c

SHA256
152d7aed1e6188f63d91d7ff6575ddb293854dd8e2f6bb3f4192a9a416d47103

SHA512
e23ef446857b0167ae3eb344040dc66fc19dd52ac89054d71c78de3e2a8e1f373f8ca68eb9d26316747e6d93d7bb64c2109dd93e89caf44384a366b852d9c276

Download Submit
C:\Users\Admin\Desktop\DisableSet.xlsx

MD5
75dc23c52374f0ee3433a2bbd3a033ee

SHA1
198136b7a89110bf5b1efef2c5174d5a6d9cdcab

SHA256
2803f9d58a622c1de2b3a9eb0edcd43f6e2be42a549f1748a3704fff0cf8d4c7

SHA512
1d86100571b2b9a1b3d9ee7f1ab04e699dc585769f365736e21a87f46f43f3dc4803e026798db33a7ec7afe7b38b0893a611b1045a6e9a9e79b073c03db0446d

Download Submit
C:\Users\Admin\Desktop\EnableDisconnect.raw

MD5
0c634855aaa1307896d2fc6d2bb4840f

SHA1
63ec689a4b5029aa8e50815160a4537181c4cb1e

SHA256
a0a05113ab61e088cac004987290179887a931f7643f82edf21ef3cd47f3f7a2

SHA512
94f53c57eb29d63ffb36d45910f023f9d4def5cdc9221d38c02c8ec6a1aacc72ec0fe2866b19b19804778a04f8dbafa040285d8a16cc55c2b4bcf4f40bc84889

Download Submit
C:\Users\Admin\Desktop\EnterFormat.ps1xml

MD5
1eb38aeb855a785ad649321c90c5867d

SHA1
dcf2d78b8403d9ed7251d1fe8b839bddd002ec81

SHA256
bff1727dec8896e0de879ad2589e0a4c3a7a1cdba287c7cec26768c4a66462e5

SHA512
31831e6922e12f895e3172f01bec23e42f30093dcd8c7d094060c77748ec3f97a51c76493d7b9f79119c6e1fdcdfc853f7b89ae570b5074104e6815c13681d69

Download Submit
C:\Users\Admin\Desktop\FindConfirm.rar

MD5
30b8b828b58258b918034d6932a753fb

SHA1
c46e01ea19c4d54b99ed92fadd80a4f99cc6d983

SHA256
a3a83011c989b009c1dbaaf721bf7615aca7d9679dca0227be3ddf52181471de

SHA512
73f946b3a07fc9604e96304e09139cacce2c4dc9420455ec61f1afb15d4e37f0f0e1f06df481c0c58ddabeb8ee0e7c135be837fa8468c22db49dba64e7096a0c

Download Submit
C:\Users\Admin\Desktop\GetNew.sql

MD5
c8d5f405f961d74406523a1a453147e2

SHA1
8fe36b88a08a5d5eef4e2385b25193b891c2008e

SHA256
c27105b57b59e1078f075455bd5e1b84ba97c4903a3b579bc4478abaeea03c14

SHA512
b598bb4e973bea7a7e3bac554870af63a5f0717fde249397193adbe6fa27f0d1b35ba7d0fdb6aa02f3d14304e0bfe3d021025d892bb4c026c0d86460375695a0

Download Submit
C:\Users\Admin\Desktop\LockRestore.TTS

MD5
e119d692fe449652f8402f61f9eda6e7

SHA1
785d905f15cbea7add6ab1fc64855e630900b12d

SHA256
2b4cf19140030962324f3b43c04d0e9c7aa77396363f632516a970b6b5627410

SHA512
adfabc7b1f9ac6b84d660f5b9c150c3f5590e4e0e3733c929cf749d1bac563306bbe118b9f01af62ff01a0188eeeb91a24594f14b50088999c3e5d69b9b41bc4

Download Submit
C:\Users\Admin\Desktop\OptimizeInvoke.rmi

MD5
e1c4b0ee842f6f42986eae66d52db06d

SHA1
aecbcb96c6cf7a7dc54a92527bbf95e1033bd55f

SHA256
3c166c908c71254135dc796118813b58500a75cdf531ad51741139ac9755e575

SHA512
af2b64af2d7c696fecc6c572e72ff7bd43fe09c203b18a411c9dcc5ec67722fa5a62bc19516309a7c37a63c395c9f7b13f8e05cfe66bbc0e62ebe3df736f623b

Download Submit
C:\Users\Admin\Desktop\OptimizeWatch.css

MD5
66ecbe56e2afb782bdf051f0a4f01071

SHA1
a864b80a459709ff8702c3baebd5acbffd5ac7a6

SHA256
2603f961b1bd7207d84269e7195f3484c81e10529495ce97d12e4dac7a2865d2

SHA512
10855c37d71e91d9b20db8ba3c5ef3f1c6f98b69961d25ade38bb4613c167f2f970d2a36cf4d3b8bc4534cbbd26de4b5dd0d477f7a511420b45e57a80648924d

Download Submit
C:\Users\Admin\Desktop\PopExit.css

MD5
a0665459059bfe0287253e62726b5dc8

SHA1
433fafc4c64c5b0b7c76aebf2b17f2feee9c0101

SHA256
38377c9f13a6b6fecadb903b96e0eb3db35a892208e7823a3d39b1537e26963a

SHA512
d327a4207cb8fafdd5732d6655a3e4dd614246573dd0f58b773d9926206bf854cfb9a1a756be499542aa260e708047b1be19df10a2e693113be80c7618a1a7af

Download Submit
C:\Users\Admin\Desktop\PushEnter.m3u

MD5
a30aa5695f1372ab66993e5c96ea9ce6

SHA1
6c9ba0f6d06445d67d56b88c91dd8a6471f9287e

SHA256
6c711a85c99aac65799b9f452064d1f1a8cae49616da83858528b46f291011fc

SHA512
d5c371142d0a08340c0f35fd9492eb174cbc9a4e32edde8bad24321503b28e57b9fb349db4585d3266c06ae14c1673d2aa0ce9982107698768973fe10dd7f132

Download Submit
C:\Users\Admin\Desktop\RedoEdit.mpp

MD5
87503a99f2a4dfc5e21e333ea529b7bc

SHA1
24da03e6b26f107e0c80917fef6303136a7d70e1

SHA256
e166ee92127c6325b2b5cf006e163c9a9d50a9c5c2ad32fd7c0619153a12b9bd

SHA512
0be4a96c715d57a1911c8599ff6969a6b1e5dce5e40c64dfed85640c5700f55afb3cb13dc5fce7d1d6c1d290ed1ed5856ba42c8efb1f26db7a0e053c24ac9d25

Download Submit
C:\Users\Admin\Desktop\RenameComplete.pub

MD5
fe2dcde716fee782faea4bbddc7abee0

SHA1
de03e450b9e858a8657083bbcf428e586cfe3622

SHA256
a93cf6a3154761001d9a30826ef63107dbf2c4552e80ead82aea7bad2210b2ae

SHA512
6375ecc7768b8379e86f98b546e057bbae2d8a38dbbfff51d482ca9128d553b03ceaf36336be5041de29554c3236f17e9636c77672c5036d3c9e88ed74033eeb

Download Submit
C:\Users\Admin\Desktop\RevokeBlock.clr

MD5
14761888607b452d2507a9c76fc73b31

SHA1
3d14c676313d3dd74ef4024a35d4a64a2d3d049b

SHA256
d235ff8d7303294c80f4ccde109e24aecb3c645c5486ff6262816d61b570ce7c

SHA512
0705b219638ff9c74e4b180a8fb2524dfd51d3bf0603304250e77c9d9f2312f7cc311ade55b30468e665ff2169ab476c838ef19596639856f0e4cade3ac05e03

Download Submit
C:\Users\Admin\Desktop\UnblockStep.mp3

MD5
b26e6549644ca1034443b1eac3fccd02

SHA1
b9dbd33b2e8d676180874b3215840d6d5aa26f89

SHA256
35967b900302ddabf3ba36b37fb9d4116e081fa8c23f45027b51802e0c1d3618

SHA512
e67eaba82b7b957aac63daa19761319a109cfeedba9aff88b4f23017875855220ce1e26179189d929563f798ac11c7c83caaa0c18fc4c10318721d991ce8248b

Download Submit
C:\Users\Admin\Desktop\UndoRepair.xml

MD5
84a6429fe205343b871a98f025372b21

SHA1
c12edb150e9985d02e5b63e55bfeb741b8c3c224

SHA256
752420d16b74ef842efea8e297499763195557f1bca5048fdfd43089b10c48b6

SHA512
4f4d479251e506cb984b6d358325ceac7ec63758f5a8317e6dcab5ecbd46f140f0eec586b71138309939157502a256e9a73a65c6cf47a8350d4e088305696bc4

Download Submit
C:\Users\Admin\Desktop\UnprotectResolve.lnk

MD5
0d2a5d8871e22cf31373ce3504df57b6

SHA1
5c2f420c20a0e565dfd29f356d77fa2788dbddd0

SHA256
3fcbe6bfc5889a72eacfd185bee8c56f30b569905c8e1df5f86340eb3809e8fd

SHA512
51cf4b4008c96e4cb19c7beb3f9cf48f5b6095c9e5bbc9110f2d398b137134f02c5b8ed0de93271aea1a801990f412f8e0aa265c0406dc35e71c86b2102b2c26

Download Submit
C:\Users\Public\Desktop\Acrobat Reader DC.lnk

MD5
9c04a713926d3283233ff8bcfadfb848

SHA1
06efffa0f9ea2b2ecdbe11b4570789517d696965

SHA256
ad65665db7a9793577cdebf3a535af245b383ca1a74a3c32b5905167e208c607

SHA512
03296e312818fefc7142fc6d294b6a51bacd1b465ef2351260b165de6f50d37caa77acabe58d8cb16a82b1a5452493a7c9ead564ee3cb732d16c1bd9b2ba1b30

Download Submit
C:\Users\Public\Desktop\Firefox.lnk

MD5
6fb4bf028e4aa94628796f9bf1ed6e53

SHA1
c69de4d5bef52f5678930d033506460057644172

SHA256
036272a6b8370aeea1a403a636d3f785ca483a581446c166067090abe3824051

SHA512
05b64ac0e01e4fe8fcbeef6a261c89f1521bda53e53b4cadabb6a381402552c11c8839bd81f3e3e75a88b6d2c02180564b6611c7ea7c7a3f4dcd63c5824123fe

Download Submit
C:\Users\Public\Desktop\Google Chrome.lnk

MD5
c728e48424fc7317c152589fbec3d477

SHA1
7954cf800157f6b7f6fa6a43c155d3d47326049d

SHA256
95a8147ca4012903933a92556c34f3c894a0775639e2108962a04d8bffbc7f18

SHA512
9833c0dc3ac6b793a662337b5816474faf0770c8752df10c468bd36da5ed57bbb28ec4b1ce4e8df2906e3607d1099a67c916287ed33ca606041597645d0f16a3

Download Submit
C:\Users\Public\Desktop\VLC media player.lnk

MD5
c173431193371a9ce5d33416bdfd9464

SHA1
a8ef10b229a9daa44724c9eff036088295b51b93

SHA256
561769907936d26cb0263f77ddabaae232fffb29e6fb0922e539f9a33de5bd60

SHA512
773486e6350e9cea7e454f24974e48371e7f1a35b0069384a1fe49401a346067a710bbef65f7b012a12f0d7f55f669121b0fc1cbc7b6db36daa76e8b074121db

Download Submit