phoenixstealer | 00926795599d6af73ade5d42b97d88a487024f3169dd625bf20d213a6a3ecba3 | Triage

Analysis

max time kernel
173s
max time network
184s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
resource tags

arch:x64arch:x86image:win10v2004-20220414-enlocale:en-usos:windows10-2004-x64system
submitted
17/07/2022, 15:50

Sharing

Report Analysis Logs

General

Target

1.exe
Size

1.8MB
MD5

428ec9e689b020e46b7b5432bd6dd758
SHA1

5127962f1fa9cfbd652d59575d1466dd673dfcc7
SHA256

00926795599d6af73ade5d42b97d88a487024f3169dd625bf20d213a6a3ecba3
SHA512

9adf153c60c0d48daf4ae6981c95a3af1725afd8ad38b387be508e2fb0e13dd4030af2a8d37a834b9b8520c71bcd732291c6333063c2560a7065d47fdef4b5a4

Score

10^/10

phoenixstealer stealer

Malware Config

Signatures

PhoenixStealer
PhoenixStealer is an information stealer written in the C++, it sends the stolen information to cybercriminals.
stealer phoenixstealer

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2324 set thread context of 202864	2324	1.exe	79

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 2324 wrote to memory of 202864	2324	1.exe	79
PID 2324 wrote to memory of 202864	2324	1.exe	79
PID 2324 wrote to memory of 202864	2324	1.exe	79
PID 2324 wrote to memory of 202864	2324	1.exe	79
PID 2324 wrote to memory of 202864	2324	1.exe	79

C:\Users\Admin\AppData\Local\Temp\1.exe
"C:\Users\Admin\AppData\Local\Temp\1.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2324
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  PID:202864

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/202864-131-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/202864-138-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download