Overview

overview

10

Static

static

5

smes.exe

windows7-x64

10

smes.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    smes.exe

  • Size

    1.1MB

  • Sample

    220731-f2ypvabecn

  • MD5

    2c9f626447ae964cea8cc43daf078e70

  • SHA1

    e6f9fed713f822348c289ab37e1e559f6738865e

  • SHA256

    1650fa7dfd5cc553776b130e27195d407ab18a356773e0c4b471102764ef25dd

  • SHA512

    65ccfa2a7ad4167aa157ece29906411dc2a4dd45027520e89f1a29c3a4ef6315b404c8ecf3a54f7b7ab348635b813f0a96f762ba2633d4499f9a56eb53978449

Score
10/10
phoenixcollectionkeyloggerstealer

Malware Config

Extracted

Credentials

  • Protocol:     smtp
  • Host:
    bhavnatutor.com
  • Port:
    587
  • Username:
    sales@bhavnatutor.com
  • Password:
    Onyeoba111

Targets

    • Target

      smes.exe

    • Size

      1.1MB

    • MD5

      2c9f626447ae964cea8cc43daf078e70

    • SHA1

      e6f9fed713f822348c289ab37e1e559f6738865e

    • SHA256

      1650fa7dfd5cc553776b130e27195d407ab18a356773e0c4b471102764ef25dd

    • SHA512

      65ccfa2a7ad4167aa157ece29906411dc2a4dd45027520e89f1a29c3a4ef6315b404c8ecf3a54f7b7ab348635b813f0a96f762ba2633d4499f9a56eb53978449

    Score
    10/10
    phoenixcollectionkeyloggerstealer

    • Phoenix Keylogger

      Phoenix is a keylogger and info stealer first seen in July 2019.

      stealerkeyloggerphoenix

    • Phoenix Keylogger payload

    • Accesses Microsoft Outlook profiles

      collection

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Email Collection

1
T1114

Exfiltration

Command and Control

Impact

Tasks