phoenixstealer

General

Target

haha.exe
Size

3.0MB
Sample

220707-jx1v7agabp
MD5

9984a772edde2f48200fe346b4ef8547
SHA1

c8760bb8c67926372461f2a43471ac1466c024ed
SHA256

9f2c2e2bcc9acf06fde3c0066db3befe4f89dad3cc66821c1633c5491eb10a5e
SHA512

e144e0f43888e503a0c866bcc059e3152a5fa4464232d3e2df5bc559b55e9a8128070bbc353ec8ca427187abc58ddd37ff211a071bbbe2200395590ead1ba1da

Score

10^/10

Malware Config

Targets

- Target
  
  haha.exe
- Size
  
  3.0MB
- MD5
  
  9984a772edde2f48200fe346b4ef8547
- SHA1
  
  c8760bb8c67926372461f2a43471ac1466c024ed
- SHA256
  
  9f2c2e2bcc9acf06fde3c0066db3befe4f89dad3cc66821c1633c5491eb10a5e
- SHA512
  
  e144e0f43888e503a0c866bcc059e3152a5fa4464232d3e2df5bc559b55e9a8128070bbc353ec8ca427187abc58ddd37ff211a071bbbe2200395590ead1ba1da
Score

10^/10

phoenixstealer xmrig evasion miner stealer suricata
- Modifies security service
  evasion
- PhoenixStealer
  PhoenixStealer is an information stealer written in the C++, it sends the stolen information to cybercriminals.
  stealer phoenixstealer
- Suspicious use of NtCreateUserProcessOtherParentProcess
- suricata: ET MALWARE Win32/HunterStealer/AlfonsoStealer/PhoenixStealer CnC Exfil
  suricata: ET MALWARE Win32/HunterStealer/AlfonsoStealer/PhoenixStealer CnC Exfil
  suricata
- xmrig
  XMRig is a high performance, open source, cross platform CPU/GPU miner.
  miner xmrig
- XMRig Miner Payload
  miner
- Downloads MZ/PE file
- Executes dropped EXE
- Modifies Windows Firewall
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Loads dropped DLL
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

2

T1031

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Targets

Modifies security service

Suspicious use of NtCreateUserProcessOtherParentProcess

suricata: ET MALWARE Win32/HunterStealer/AlfonsoStealer/PhoenixStealer CnC Exfil

xmrig

XMRig Miner Payload

Downloads MZ/PE file

Executes dropped EXE

Modifies Windows Firewall

Checks computer location settings

Drops startup file

Loads dropped DLL

Looks up external IP address via web service

Drops file in System32 directory

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2