Malware Analysis Report

2024-09-22 15:24

Sample ID: 220707-jeng5sfbdm
Target: q.exe
SHA256: 7fbed14d0d7d52a459fc29bae6a62eedd0a69649049b8f9ac37e1297acc3b277
Tags: phoenixstealer, stealer
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK Matrix
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10

SHA256: 7fbed14d0d7d52a459fc29bae6a62eedd0a69649049b8f9ac37e1297acc3b277

Threat Level: Known bad

The file q.exe was found to be: Known bad.

Malicious Activity Summary

phoenixstealer stealer

PhoenixStealer

Suspicious use of SetThreadContext

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported: 2022-07-07 07:35

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2022-07-07 07:35
Reported: 2022-07-07 07:37
Platform: win7-20220414-en
Max time kernel: 39s
Max time network: 42s

Command Line

"C:\Users\Admin\AppData\Local\Temp\q.exe"

Signatures

PhoenixStealer

stealer, phoenixstealer

Suspicious use of SetThreadContext

Description                             Indicator  Process                                   Target
PID 1416 set thread context of 213252   N/A        C:\Users\Admin\AppData\Local\Temp\q.exe   C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Processes

C:\Users\Admin\AppData\Local\Temp\q.exe

"C:\Users\Admin\AppData\Local\Temp\q.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

Network

N/A

Files

memory/213252-54-0x0000000000400000-0x000000000048E000-memory.dmp

memory/213252-56-0x0000000000400000-0x000000000048E000-memory.dmp

memory/213252-63-0x0000000000454CB9-mapping.dmp

memory/213252-64-0x00000000764C1000-0x00000000764C3000-memory.dmp

memory/1416-65-0x0000000000400000-0x00000000005C5000-memory.dmp

memory/213252-66-0x0000000000400000-0x000000000048E000-memory.dmp

memory/213252-67-0x0000000000400000-0x000000000048E000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2022-07-07 07:35
Reported: 2022-07-07 07:37
Platform: win10v2004-20220414-en
Max time kernel: 143s
Max time network: 153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\q.exe"

Signatures

PhoenixStealer

stealer, phoenixstealer

Suspicious use of SetThreadContext

Description                             Indicator  Process                                   Target
PID 2384 set thread context of 215196   N/A        C:\Users\Admin\AppData\Local\Temp\q.exe   C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Processes

C:\Users\Admin\AppData\Local\Temp\q.exe

"C:\Users\Admin\AppData\Local\Temp\q.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

Network

Country  Destination          Domain  Proto
NL       20.190.160.73:443            tcp
NL       20.190.160.67:443            tcp
NL       8.248.1.254:80               tcp
US       52.168.112.67:443            tcp
IE       20.54.110.249:443            tcp
NL       20.190.160.73:443            tcp
NL       104.97.14.80:80              tcp
NL       104.97.14.80:80              tcp
NL       20.190.160.2:443             tcp
NL       20.190.160.67:443            tcp
NL       20.190.160.136:443           tcp
NL       20.190.160.67:443            tcp
NL       20.190.160.2:443             tcp
NL       20.190.160.2:443             tcp
NL       20.190.160.136:443           tcp
NL       20.190.160.136:443           tcp

Files

memory/215196-130-0x0000000000000000-mapping.dmp

memory/215196-131-0x0000000000400000-0x000000000048E000-memory.dmp

memory/215196-138-0x0000000000400000-0x000000000048E000-memory.dmp

memory/2384-139-0x0000000000400000-0x00000000005C5000-memory.dmp