Malware Analysis Report

2025-01-19 05:02

Sample ID: 220724-zqyp9agag5
Target: ef886b4f433a603dfc4c7512a6f62188a8e5d6f0058b2481628195802f9de0ea
SHA256: ef886b4f433a603dfc4c7512a6f62188a8e5d6f0058b2481628195802f9de0ea
Tags: phoenix collection keylogger spyware stealer
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V6
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10
SHA256: ef886b4f433a603dfc4c7512a6f62188a8e5d6f0058b2481628195802f9de0ea
Threat Level: Known bad

Malicious Activity Summary

Tags: phoenix collection keylogger spyware stealer

- Phoenix Keylogger
- Phoenix Keylogger payload
- Reads data files stored by FTP clients
- Reads user/profile data of local email clients
- Reads user/profile data of web browsers
- Accesses Microsoft Outlook profiles
- Looks up external IP address via web service
- Suspicious behavior: EnumeratesProcesses
- outlook_win_path
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2022-07-24 20:55

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2022-07-24 20:55
Reported: 2022-07-25 17:45
Platform: win7-20220718-en
Max time kernel: 45s
Max time network: 141s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ef886b4f433a603dfc4c7512a6f62188a8e5d6f0058b2481628195802f9de0ea.exe"

Signatures

Phoenix Keylogger
Tags: stealer keylogger phoenix

Phoenix Keylogger payload
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Reads data files stored by FTP clients
Tags: spyware stealer

Reads user/profile data of local email clients
Tags: spyware stealer

Reads user/profile data of web browsers
Tags: spyware stealer

Accesses Microsoft Outlook profiles
Tags: collection
Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-3762437355-3468409815-1164039494-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\ef886b4f433a603dfc4c7512a6f62188a8e5d6f0058b2481628195802f9de0ea.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-3762437355-3468409815-1164039494-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\ef886b4f433a603dfc4c7512a6f62188a8e5d6f0058b2481628195802f9de0ea.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-3762437355-3468409815-1164039494-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\ef886b4f433a603dfc4c7512a6f62188a8e5d6f0058b2481628195802f9de0ea.exe | N/A

Looks up external IP address via web service
Description | Indicator | Process | Target
N/A | ifconfig.me | N/A | N/A

Suspicious behavior: EnumeratesProcesses
Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ef886b4f433a603dfc4c7512a6f62188a8e5d6f0058b2481628195802f9de0ea.exe | N/A

Suspicious use of AdjustPrivilegeToken
Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\ef886b4f433a603dfc4c7512a6f62188a8e5d6f0058b2481628195802f9de0ea.exe | N/A

outlook_office_path
Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-3762437355-3468409815-1164039494-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\ef886b4f433a603dfc4c7512a6f62188a8e5d6f0058b2481628195802f9de0ea.exe | N/A

outlook_win_path
Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-3762437355-3468409815-1164039494-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\ef886b4f433a603dfc4c7512a6f62188a8e5d6f0058b2481628195802f9de0ea.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\ef886b4f433a603dfc4c7512a6f62188a8e5d6f0058b2481628195802f9de0ea.exe

"C:\Users\Admin\AppData\Local\Temp\ef886b4f433a603dfc4c7512a6f62188a8e5d6f0058b2481628195802f9de0ea.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | ifconfig.me | udp
US | 34.160.111.145:80 | ifconfig.me | tcp
US | 8.8.8.8:53 | smtp.sclooke.com | udp

smtp.sclooke.com was resolved but no TCP connection to it appears in this capture (141 s of network time), so the SMTP host is a resolved indicator only; the only completed connection is the external IP lookup to ifconfig.me.

Files

memory/1908-54-0x0000000000E00000-0x0000000000E24000-memory.dmp

memory/1908-55-0x0000000000360000-0x000000000039A000-memory.dmp

memory/1908-56-0x00000000768F1000-0x00000000768F3000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2022-07-24 20:55
Reported: 2022-07-25 17:46
Platform: win10v2004-20220722-en
Max time kernel: 76s
Max time network: 134s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ef886b4f433a603dfc4c7512a6f62188a8e5d6f0058b2481628195802f9de0ea.exe"

Signatures

The family signatures (Phoenix Keylogger, Phoenix Keylogger payload) fired only in behavioral1; this run matched the generic stealer, collection and privilege signatures alone.

Reads data files stored by FTP clients
Tags: spyware stealer

Reads user/profile data of local email clients
Tags: spyware stealer

Reads user/profile data of web browsers
Tags: spyware stealer

Accesses Microsoft Outlook profiles
Tags: collection
Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\ef886b4f433a603dfc4c7512a6f62188a8e5d6f0058b2481628195802f9de0ea.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\ef886b4f433a603dfc4c7512a6f62188a8e5d6f0058b2481628195802f9de0ea.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\ef886b4f433a603dfc4c7512a6f62188a8e5d6f0058b2481628195802f9de0ea.exe | N/A

Looks up external IP address via web service
Description | Indicator | Process | Target
N/A | ifconfig.me | N/A | N/A

Suspicious behavior: EnumeratesProcesses
Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ef886b4f433a603dfc4c7512a6f62188a8e5d6f0058b2481628195802f9de0ea.exe | N/A

Suspicious use of AdjustPrivilegeToken
Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\ef886b4f433a603dfc4c7512a6f62188a8e5d6f0058b2481628195802f9de0ea.exe | N/A

outlook_office_path
Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\ef886b4f433a603dfc4c7512a6f62188a8e5d6f0058b2481628195802f9de0ea.exe | N/A

outlook_win_path
Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\ef886b4f433a603dfc4c7512a6f62188a8e5d6f0058b2481628195802f9de0ea.exe | N/A
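The three Outlook-profile signatures (Accesses Microsoft Outlook profiles, outlook_office_path, outlook_win_path) report the same event in both runs: the sample opening Outlook's profile keys under the current user's hive, down to the per-account settings subkey. The code below is an added example by the editor, not part of the sandbox report. It recovers the columns from the flattened "Key opened ..." rows and classifies each key by profile store and Outlook version. It assumes the flattened layout "Key opened <indicator> <process> <target>" with spaces only inside the indicator; EXE, WIN7_SID and WIN10_SID are values copied from the tables above, and the four sample rows are constructed from them.

```python
"""Classify Outlook-profile registry accesses from flattened sandbox signature rows.

Editor's example; not code from the sandbox or the report. The row layout
'Key opened <indicator> <process> <target>' (spaces only inside the indicator)
is an assumption about how the report flattened its table columns.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Subkey under which Outlook keeps per-account settings (server, user name and,
# for POP/IMAP accounts, the DPAPI-protected password); stealers read it for that.
OUTLOOK_ACCOUNT_SUBKEY = "9375CFF0413111d3B88A00104B2A6676"

SID_RE = re.compile(r"\\REGISTRY\\USER\\(S-1-5-21-\d+-\d+-\d+-\d+)\\", re.I)
# Outlook 2013 and later: HKCU\Software\Microsoft\Office\<ver>\Outlook\Profiles
OFFICE_RE = re.compile(r"\\Software\\Microsoft\\Office\\(\d+\.\d+)\\Outlook\\Profiles\\", re.I)
# Older Outlook / MAPI profile store under Windows Messaging Subsystem
WMS_RE = re.compile(
    r"\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\",
    re.I,
)

# Values copied from the report's tables; the sample rows are constructed from them.
EXE = r"C:\Users\Admin\AppData\Local\Temp\ef886b4f433a603dfc4c7512a6f62188a8e5d6f0058b2481628195802f9de0ea.exe"
WIN7_SID = "S-1-5-21-3762437355-3468409815-1164039494-1000"
WIN10_SID = "S-1-5-21-3463845317-933582289-45817732-1000"
ROWS = [
    rf"Key opened \REGISTRY\USER\{WIN7_SID}\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\{OUTLOOK_ACCOUNT_SUBKEY} {EXE} N/A",
    rf"Key opened \REGISTRY\USER\{WIN7_SID}\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\{OUTLOOK_ACCOUNT_SUBKEY} {EXE} N/A",
    rf"Key opened \REGISTRY\USER\{WIN7_SID}\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\{OUTLOOK_ACCOUNT_SUBKEY} {EXE} N/A",
    rf"Key opened \REGISTRY\USER\{WIN10_SID}\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\{OUTLOOK_ACCOUNT_SUBKEY} {EXE} N/A",
]


@dataclass(frozen=True)
class RegAccess:
    sid: Optional[str]
    process: str
    key: str
    store: str                      # "outlook_office_path", "outlook_win_path" or "other"
    office_version: Optional[str]   # "15.0" = Outlook 2013, "16.0" = Outlook 2016 and later
    account_subkey: bool            # key ends in the per-account settings GUID


def parse_row(row: str) -> Optional[RegAccess]:
    """Split one flattened row back into its columns and classify the key."""
    row = row.strip()
    if not row.startswith("Key opened "):
        return None
    try:
        # Only the indicator may contain spaces, so split the two last tokens off the right.
        key, process, _target = row[len("Key opened "):].rsplit(None, 2)
    except ValueError:
        return None
    sid = SID_RE.search(key)
    office = OFFICE_RE.search(key)
    if office:
        store, version = "outlook_office_path", office.group(1)
    elif WMS_RE.search(key):
        store, version = "outlook_win_path", None
    else:
        store, version = "other", None
    return RegAccess(
        sid=sid.group(1) if sid else None,
        process=process,
        key=key,
        store=store,
        office_version=version,
        account_subkey=key.upper().endswith("\\" + OUTLOOK_ACCOUNT_SUBKEY.upper()),
    )


def outlook_profile_hits(rows: List[str]) -> List[RegAccess]:
    return [a for a in map(parse_row, rows) if a and a.store != "other"]


def summarize(rows: List[str]) -> dict:
    """Aggregate who touched which Outlook profile stores, and how often the account key."""
    hits = outlook_profile_hits(rows)
    return {
        "processes": sorted({h.process for h in hits}),
        "sids": sorted({h.sid for h in hits if h.sid}),
        "stores": sorted({h.store for h in hits}),
        "office_versions": sorted({h.office_version for h in hits if h.office_version}),
        "account_subkey_reads": sum(h.account_subkey for h in hits),
    }


if __name__ == "__main__":
    print(summarize(ROWS))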

Processes

C:\Users\Admin\AppData\Local\Temp\ef886b4f433a603dfc4c7512a6f62188a8e5d6f0058b2481628195802f9de0ea.exe

"C:\Users\Admin\AppData\Local\Temp\ef886b4f433a603dfc4c7512a6f62188a8e5d6f0058b2481628195802f9de0ea.exe"

Network

Country Destination Domain Proto
NL 142.250.179.206:80 tcp
IE 20.50.80.210:443 tcp
US 209.197.3.8:80 tcp
US 8.8.8.8:53 ifconfig.me udp
US 34.160.111.145:80 ifconfig.me tcp
US 209.197.3.8:80 tcp
US 209.197.3.8:80 tcp
US 209.197.3.8:80 tcp
US 8.8.8.8:53 smtp.sclooke.com udp

Files

memory/2384-132-0x00000000001C0000-0x00000000001E4000-memory.dmp

memory/2384-133-0x00000000055A0000-0x0000000005B44000-memory.dmp

memory/2384-134-0x00000000050E0000-0x000000000517C000-memory.dmp

memory/2384-135-0x0000000006000000-0x0000000006066000-memory.dmp

memory/2384-136-0x00000000065D0000-0x0000000006792000-memory.dmp

memory/2384-137-0x0000000006520000-0x00000000065B2000-memory.dmp

memory/2384-138-0x00000000064F0000-0x00000000064FA000-memory.dmp