phoenixstealer | 60c63fafcbcb2655d7806d9715f1755db205a975ddf68421967a39a2abcfb11a | Triage

Submit
Reports

Overview

overview

Static

static

1.exe

windows7_x64

1.exe

windows10-2004_x64

Sharing

General

Target

1.exeubtfmcle
Size

4.5MB
Sample

220411-destzagacr
MD5

f556df38b1abf7c5ef71b6bc040bfe93
SHA1

64a174173f3e4c46b8db36fa04f076dca5a3aac7
SHA256

60c63fafcbcb2655d7806d9715f1755db205a975ddf68421967a39a2abcfb11a
SHA512

0a74598fb4b4b256555c0e4b8e7b654cc0fcb6a18c16f9da912eeea4b24d79f66776e3484200277ff9705032ef60afca97639df4a273cedb2729d6dd085b598b

Score

10^/10

phoenixstealer redline infostealer persistence spyware stealer

Static task

static1

Behavioral task

behavioral1

Sample

1.exe

Resource

win7-20220311-en

phoenixstealer redline infostealer spyware stealer

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

1.exe

Resource

win10v2004-20220331-en

redline infostealer persistence spyware

windows10-2004_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

redline

C2

104.244.76.137:4487

Attributes

auth_value
67c42657a2dc51f3323efd90a04a2b03

Targets

- Target
  
  1.exeubtfmcle
- Size
  
  4.5MB
- MD5
  
  f556df38b1abf7c5ef71b6bc040bfe93
- SHA1
  
  64a174173f3e4c46b8db36fa04f076dca5a3aac7
- SHA256
  
  60c63fafcbcb2655d7806d9715f1755db205a975ddf68421967a39a2abcfb11a
- SHA512
  
  0a74598fb4b4b256555c0e4b8e7b654cc0fcb6a18c16f9da912eeea4b24d79f66776e3484200277ff9705032ef60afca97639df4a273cedb2729d6dd085b598b
Score

10^/10

phoenixstealer redline infostealer spyware stealer persistence
- PhoenixStealer
  PhoenixStealer is an information stealer written in the C++, it sends the stolen information to cybercriminals.
  stealer phoenixstealer
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine Payload
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Loads dropped DLL
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Persistence

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Install Root Certificate

Modify Registry

Web Service

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

phoenixstealerredlineinfostealerspywarestealer

behavioral2

redlineinfostealerpersistencespyware

© 2018-2024

Terms | Privacy