Malware Analysis Report

2024-09-22 15:25

Sample ID: 220717-s9xhzaegdj
Target: 1.bin
SHA256: 00926795599d6af73ade5d42b97d88a487024f3169dd625bf20d213a6a3ecba3
Tags: phoenixstealer, stealer
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK Matrix
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10

SHA256: 00926795599d6af73ade5d42b97d88a487024f3169dd625bf20d213a6a3ecba3

Threat Level: Known bad

The file 1.bin was found to be: Known bad.

Malicious Activity Summary

phoenixstealer stealer

PhoenixStealer

Suspicious use of SetThreadContext

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported: 2022-07-17 15:50

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2022-07-17 15:50
Reported: 2022-07-17 15:52
Platform: win7-20220715-en
Max time kernel: 45s
Max time network: 49s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1.exe"

Signatures

PhoenixStealer

stealer phoenixstealer

Suspicious use of SetThreadContext

Description: PID 856 set thread context of 201156
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\1.exe
Target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Processes

C:\Users\Admin\AppData\Local\Temp\1.exe

"C:\Users\Admin\AppData\Local\Temp\1.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

Network

N/A

Files

memory/201156-54-0x0000000000090000-0x000000000011E000-memory.dmp

memory/201156-56-0x0000000000090000-0x000000000011E000-memory.dmp

memory/201156-63-0x00000000000E4CB9-mapping.dmp

memory/201156-64-0x0000000075321000-0x0000000075323000-memory.dmp

memory/201156-65-0x0000000000090000-0x000000000011E000-memory.dmp

memory/201156-66-0x0000000000090000-0x000000000011E000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2022-07-17 15:50
Reported: 2022-07-17 15:53
Platform: win10v2004-20220414-en
Max time kernel: 173s
Max time network: 184s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1.exe"

Signatures

PhoenixStealer

stealer phoenixstealer

Suspicious use of SetThreadContext

Description: PID 2324 set thread context of 202864
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\1.exe
Target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Processes

C:\Users\Admin\AppData\Local\Temp\1.exe

"C:\Users\Admin\AppData\Local\Temp\1.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

Network

Country  Destination         Domain                      Proto
NL       8.238.24.126:80     -                           tcp
NL       8.238.24.126:80     -                           tcp
NL       8.238.24.126:80     -                           tcp
US       8.247.211.126:80    -                           tcp
US       8.8.8.8:53          106.89.54.20.in-addr.arpa   udp
IE       52.109.76.31:443    -                           tcp
US       8.247.211.254:80    -                           tcp
US       8.253.208.121:80    -                           tcp

Files

memory/202864-130-0x0000000000000000-mapping.dmp

memory/202864-131-0x0000000000400000-0x000000000048E000-memory.dmp

memory/202864-138-0x0000000000400000-0x000000000048E000-memory.dmp