phoenixstealer | 03752193cdcfed264b430381b7634c2a27cce45e3c3fc0b85470017afbdb54d8 | Triage

Submit
Reports

Overview

overview

Static

static

8.exe

windows7_x64

8.exe

windows10-2004_x64

Sharing

General

Target

8.exe
Size

1.4MB
Sample

220411-dfwx1sbbf5
MD5

d1a30dcdf2bc6b49b6472ca8bd35751b
SHA1

874e9436d4f9fb6e752b5937f032186501bf16aa
SHA256

03752193cdcfed264b430381b7634c2a27cce45e3c3fc0b85470017afbdb54d8
SHA512

b3eeef39477c6776ad78ee14c08fff7173ae8ad7ca1caea77ae5602dd122dddfa02837d5d062eb687aa211ddc931b3d9d1c8c3725d30e684f84057aed5ee28aa

Score

10^/10

phoenixstealer redline infostealer persistence spyware stealer

Static task

static1

Behavioral task

behavioral1

Sample

8.exe

Resource

win7-20220311-en

phoenixstealer redline infostealer spyware stealer

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

8.exe

Resource

win10v2004-20220331-en

redline infostealer persistence spyware

windows10-2004_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

redline

C2

104.244.76.137:4487

Attributes

auth_value
67c42657a2dc51f3323efd90a04a2b03

Targets

- Target
  
  8.exe
- Size
  
  1.4MB
- MD5
  
  d1a30dcdf2bc6b49b6472ca8bd35751b
- SHA1
  
  874e9436d4f9fb6e752b5937f032186501bf16aa
- SHA256
  
  03752193cdcfed264b430381b7634c2a27cce45e3c3fc0b85470017afbdb54d8
- SHA512
  
  b3eeef39477c6776ad78ee14c08fff7173ae8ad7ca1caea77ae5602dd122dddfa02837d5d062eb687aa211ddc931b3d9d1c8c3725d30e684f84057aed5ee28aa
Score

10^/10

phoenixstealer redline infostealer spyware stealer persistence
- PhoenixStealer
  PhoenixStealer is an information stealer written in the C++, it sends the stolen information to cybercriminals.
  stealer phoenixstealer
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine Payload
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Loads dropped DLL
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Persistence

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Modify Registry

Web Service

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

phoenixstealerredlineinfostealerspywarestealer

behavioral2

redlineinfostealerpersistencespyware

© 2018-2024

Terms | Privacy