5b438029e5a3e3843b22f8f49fa1ccac728eeced3f923426be8b22c35b27b6f6 | Triage

Sharing

General

Target

9ed9ad87a1564fbb5e1b652b3e7148c8.zip
Size

8.2MB
Sample

230403-cbemhade6s
MD5

811261c11c9e661ca2f50e60b27e3ee9
SHA1

b90a37af5049d49b10035c735144faba1fe83351
SHA256

5b438029e5a3e3843b22f8f49fa1ccac728eeced3f923426be8b22c35b27b6f6
SHA512

97f088a084116ce0483f285500e80d7e10229bd7f4a77a0f376362a94d7a415001f14c05bc4cfc99af3380217bc68a9c894e773ea37977231403b3850264227e
SSDEEP

196608:14VOXy9uIVXwYaqgN2CCHOxEXqRE4BAPVRQnU+C2mFy:1iluwXwYKNnUOuXqG2APVun53

Score

10^/10

miner persistence

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://raw.githubusercontent.com/jkh36/d/main/bild.exe

exe.dropper

https://raw.githubusercontent.com/jkh36/d/main/PhoenixMiner.exe

Targets

- Target
  
  3cc33ce58536242bc9b2029cd9475a287351a379ccbd12da6b8b7bf2cc68be89.exe
- Size
  
  8.3MB
- MD5
  
  9ed9ad87a1564fbb5e1b652b3e7148c8
- SHA1
  
  0c001b7e9615cbc22eac2a324d8deb7eaf069ff7
- SHA256
  
  3cc33ce58536242bc9b2029cd9475a287351a379ccbd12da6b8b7bf2cc68be89
- SHA512
  
  e49e403a73ff1d10111d23cc70ae95ffae63abbc4a52cfc52c447ee9f15e76ab44f07d0f41e3b3e63a73a07e7748b8ac7ed8c997f1051a10ca5fad1dace4183a
- SSDEEP
  
  196608:8eOr3LD6MZ+NL0j/YjNV4p9eLDZPhujwk8kAb+RWvqWd6qmgNSN:8TbnQYiN2eRPhSwhk8s46C4N
Score

10^/10

miner persistence
- Detectes Phoenix Miner Payload
  miner
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
behavioral1

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Web Service

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

minerpersistence