phoenix | ebd6e7a18412487ccec4124f22d008ac12208b6293cfeda0f5b0f9c44b04da4f

General

Target

ebd6e7a18412487ccec4124f22d008ac12208b6293cfeda0f5b0f9c44b04da4f
Size

295KB
Sample

220731-l4l2qaahc3
MD5

0422c8104b8ab43d478bbfd4c7a80691
SHA1

75999415069b5663fd30147b81ad12f95879e8f1
SHA256

ebd6e7a18412487ccec4124f22d008ac12208b6293cfeda0f5b0f9c44b04da4f
SHA512

42c8e80cd8c7cf5f5d5653819baaa9fd06a3934e39efbd5ec2b35bc3b48a34dec38004acd40859e342d5f75f2bc8c8dc02836ea27d103ef6aa523f393891f243

Score

10^/10

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
server161.web-hosting.com
Port:
587
Username:
[email protected]
Password:
;C36V-Ye+Q)-

Targets

- Target
  
  ebd6e7a18412487ccec4124f22d008ac12208b6293cfeda0f5b0f9c44b04da4f
- Size
  
  295KB
- MD5
  
  0422c8104b8ab43d478bbfd4c7a80691
- SHA1
  
  75999415069b5663fd30147b81ad12f95879e8f1
- SHA256
  
  ebd6e7a18412487ccec4124f22d008ac12208b6293cfeda0f5b0f9c44b04da4f
- SHA512
  
  42c8e80cd8c7cf5f5d5653819baaa9fd06a3934e39efbd5ec2b35bc3b48a34dec38004acd40859e342d5f75f2bc8c8dc02836ea27d103ef6aa523f393891f243
Score

10^/10

phoenix collection keylogger spyware stealer
- Phoenix Keylogger
  Phoenix is a keylogger and info stealer first seen in July 2019.
  stealer keylogger phoenix
- Phoenix Keylogger payload
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

3

T1081

Discovery

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Phoenix Keylogger

Phoenix Keylogger payload

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2