phoenixstealer | f3afc877ab527a6fac21360eadc1da5c9401740323d2ddef5e3bc40bcef70525

Analysis

Target

2su0b91u.exe
Size

4.9MB
MD5

b0e15f0280f46a9756f9da56faa1a638
SHA1

17c6f70b85f3b6e098774f2c680d563ed79d4656
SHA256

f3afc877ab527a6fac21360eadc1da5c9401740323d2ddef5e3bc40bcef70525
SHA512

361e58606daf9e5ff030a28b0c19d16fa79e13ffe8dd4b34a937efb0234c86c1d5fec8aed3a9b8b082ff5f87503a724af9b24dedde39fdf9928b8ff72d2532a7

Score

10^/10

PhoenixStealer
PhoenixStealer is an information stealer written in the C++, it sends the stolen information to cybercriminals.
stealer phoenixstealer
suricata: ET MALWARE Win32/HunterStealer/AlfonsoStealer/PhoenixStealer CnC Exfil
suricata: ET MALWARE Win32/HunterStealer/AlfonsoStealer/PhoenixStealer CnC Exfil
suricata
Suspicious use of SetThreadContext 1 IoCs

Processes:

2su0b91u.exe

description pid process target process

PID 2360 set thread context of 1456 2360 2su0b91u.exe AppLaunch.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

AppLaunch.exe

pid process

1456 AppLaunch.exe
1456 AppLaunch.exe

description	pid	process	target process
PID 2360 set thread context of 1456	2360	2su0b91u.exe	AppLaunch.exe

pid	process
1456	AppLaunch.exe
1456	AppLaunch.exe

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

2su0b91u.exe

description	pid	process	target process
PID 2360 wrote to memory of 1456	2360	2su0b91u.exe	AppLaunch.exe
PID 2360 wrote to memory of 1456	2360	2su0b91u.exe	AppLaunch.exe
PID 2360 wrote to memory of 1456	2360	2su0b91u.exe	AppLaunch.exe
PID 2360 wrote to memory of 1456	2360	2su0b91u.exe	AppLaunch.exe
PID 2360 wrote to memory of 1456	2360	2su0b91u.exe	AppLaunch.exe

C:\Users\Admin\AppData\Local\Temp\2su0b91u.exe
"C:\Users\Admin\AppData\Local\Temp\2su0b91u.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2360
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1456

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc
1⤵
PID:3868

memory/1456-135-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/1456-134-0x0000000000000000-mapping.dmp

Download
memory/1456-142-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/2360-131-0x0000000000610000-0x0000000000AF8000-memory.dmp

Filesize
4.9MB

Download