phoenixstealer | 7fbed14d0d7d52a459fc29bae6a62eedd0a69649049b8f9ac37e1297acc3b277

Analysis

Target

q.exe
Size

2.8MB
MD5

77636b47fc9e1bc61a4a019371e09390
SHA1

615275ae7a28ee86cd9f4f586a3c7c5366490444
SHA256

7fbed14d0d7d52a459fc29bae6a62eedd0a69649049b8f9ac37e1297acc3b277
SHA512

ea73fe48dc36d0dd2344e3389bb70a7f047a210f08578bdb5ff4e690e3f95fab0412edcb52819234ca28ff0d983fa8646bc1e2e76f1134df937896f115f8c37d

Score

10^/10

PhoenixStealer
PhoenixStealer is an information stealer written in the C++, it sends the stolen information to cybercriminals.
stealer phoenixstealer
Suspicious use of SetThreadContext 1 IoCs

Processes:

q.exe

description pid process target process

PID 1416 set thread context of 213252 1416 q.exe AppLaunch.exe

description	pid	process	target process
PID 1416 set thread context of 213252	1416	q.exe	AppLaunch.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

q.exe

description	pid	process	target process
PID 1416 wrote to memory of 213252	1416	q.exe	AppLaunch.exe
PID 1416 wrote to memory of 213252	1416	q.exe	AppLaunch.exe
PID 1416 wrote to memory of 213252	1416	q.exe	AppLaunch.exe
PID 1416 wrote to memory of 213252	1416	q.exe	AppLaunch.exe
PID 1416 wrote to memory of 213252	1416	q.exe	AppLaunch.exe
PID 1416 wrote to memory of 213252	1416	q.exe	AppLaunch.exe
PID 1416 wrote to memory of 213252	1416	q.exe	AppLaunch.exe
PID 1416 wrote to memory of 213252	1416	q.exe	AppLaunch.exe
PID 1416 wrote to memory of 213252	1416	q.exe	AppLaunch.exe

C:\Users\Admin\AppData\Local\Temp\q.exe
"C:\Users\Admin\AppData\Local\Temp\q.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1416
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  PID:213252

memory/1416-65-0x0000000000400000-0x00000000005C5000-memory.dmp

Filesize
1.8MB

Download
memory/213252-54-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/213252-56-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/213252-63-0x0000000000454CB9-mapping.dmp

Download
memory/213252-64-0x00000000764C1000-0x00000000764C3000-memory.dmp

Filesize
8KB

Download
memory/213252-66-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/213252-67-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download