phoenixstealer | 51dc6776b701b58d659f6bc4e63a4ba9e4513032c42673599d921214998fae31 | Triage

Analysis

max time kernel
64s
max time network
69s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
25-08-2022 20:01

Sharing

Report Analysis Logs

General

Target

Aimware.exe
Size

2.9MB
MD5

23301af32cde00bcdadb0c8cfb1b2baa
SHA1

b563a48f99dd31a887f3c7f9726b993ce762d8db
SHA256

51dc6776b701b58d659f6bc4e63a4ba9e4513032c42673599d921214998fae31
SHA512

4d1c5b34fbafcc1cabc40506f0189d53459181c3dc68f7806d77cb5fd55af6e682b8f90059e7c6b8c8d1db5479e5a865f69f8b9c74887c03166258befd3965f8
SSDEEP

49152:hW7mcjVWm4OzAuqHf74Y3AX90DU2xF4l3/:hW7mcRWVOhy7FbDU2xFS

Score

10^/10

phoenixstealer stealer

Malware Config

Signatures

PhoenixStealer
PhoenixStealer is an information stealer written in the C++, it sends the stolen information to cybercriminals.
stealer phoenixstealer

Suspicious use of SetThreadContext 1 IoCs

Processes:

Aimware.exe

description	pid	Process	procid_target
PID 692 set thread context of 202336	692	Aimware.exe	97

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

AppLaunch.exe

pid	Process
202336	AppLaunch.exe
202336	AppLaunch.exe

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

Aimware.exe

description	pid	Process	procid_target
PID 692 wrote to memory of 202336	692	Aimware.exe	97
PID 692 wrote to memory of 202336	692	Aimware.exe	97
PID 692 wrote to memory of 202336	692	Aimware.exe	97
PID 692 wrote to memory of 202336	692	Aimware.exe	97
PID 692 wrote to memory of 202336	692	Aimware.exe	97

C:\Users\Admin\AppData\Local\Temp\Aimware.exe
"C:\Users\Admin\AppData\Local\Temp\Aimware.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:692
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:202336

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:484

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/202336-132-0x0000000000000000-mapping.dmp

Download
memory/202336-133-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/202336-140-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download