Malware Analysis Report

2025-01-19 05:02

Sample ID 230827-k2qfpagf22
Target smes.exe
SHA256 1650fa7dfd5cc553776b130e27195d407ab18a356773e0c4b471102764ef25dd
Tags
phoenix keylogger stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

1650fa7dfd5cc553776b130e27195d407ab18a356773e0c4b471102764ef25dd

Threat Level: Known bad

The file smes.exe was found to be: Known bad.

Malicious Activity Summary

phoenix keylogger stealer

Phoenix Keylogger

Phoenix Keylogger payload

Looks up external IP address via web service

AutoIT Executable

Suspicious use of SetThreadContext

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Suspicious use of SendNotifyMessage

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2023-08-27 09:06

Signatures

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-08-27 09:06

Reported

2023-08-27 09:08

Platform

win7-20230712-en

Max time kernel

117s

Max time network

132s

Command Line

"C:\Users\Admin\AppData\Local\Temp\smes.exe"

Signatures

Phoenix Keylogger

stealer keylogger phoenix

Phoenix Keylogger payload

Description Indicator Process Target
N/A N/A N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ifconfig.me N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2208 set thread context of 2220 N/A C:\Users\Admin\AppData\Local\Temp\smes.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\smes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\smes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\smes.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\smes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\smes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\smes.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\smes.exe

"C:\Users\Admin\AppData\Local\Temp\smes.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

"C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 ifconfig.me udp
US 34.160.111.145:80 ifconfig.me tcp
US 8.8.8.8:53 bhavnatutor.com udp
US 162.211.86.20:587 bhavnatutor.com tcp

Files

memory/2208-0-0x00000000003A0000-0x00000000003BF000-memory.dmp

memory/2208-1-0x0000000000380000-0x0000000000381000-memory.dmp

memory/2220-2-0x0000000000400000-0x0000000000424000-memory.dmp

memory/2220-3-0x0000000000400000-0x0000000000424000-memory.dmp

memory/2220-6-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

memory/2220-9-0x0000000000400000-0x0000000000424000-memory.dmp

memory/2220-10-0x0000000000400000-0x0000000000424000-memory.dmp

memory/2220-12-0x0000000000500000-0x0000000000538000-memory.dmp

memory/2220-11-0x00000000740A0000-0x000000007478E000-memory.dmp

memory/2220-13-0x0000000004990000-0x00000000049D0000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 f3441b8572aae8801c04f3060b550443
SHA1 4ef0a35436125d6821831ef36c28ffaf196cda15
SHA256 6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf
SHA512 5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

C:\Users\Admin\AppData\Local\Temp\TarB1BA.tmp

MD5 9441737383d21192400eca82fda910ec
SHA1 725e0d606a4fc9ba44aa8ffde65bed15e65367e4
SHA256 bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5
SHA512 7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

memory/2220-51-0x00000000740A0000-0x000000007478E000-memory.dmp

memory/2220-52-0x0000000004990000-0x00000000049D0000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-08-27 09:06

Reported

2023-08-27 09:08

Platform

win10v2004-20230703-en

Max time kernel

142s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\smes.exe"

Signatures

Looks up external IP address via web service

Description Indicator Process Target
N/A ifconfig.me N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1560 set thread context of 3760 N/A C:\Users\Admin\AppData\Local\Temp\smes.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\smes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\smes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\smes.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\smes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\smes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\smes.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\smes.exe

"C:\Users\Admin\AppData\Local\Temp\smes.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

"C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 254.5.248.8.in-addr.arpa udp
US 8.8.8.8:53 ifconfig.me udp
US 34.160.111.145:80 ifconfig.me tcp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 145.111.160.34.in-addr.arpa udp
US 8.8.8.8:53 bhavnatutor.com udp
US 162.211.86.20:587 bhavnatutor.com tcp
US 8.8.8.8:53 20.86.211.162.in-addr.arpa udp
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 63.141.182.52.in-addr.arpa udp

Files

memory/1560-0-0x00000000034E0000-0x00000000034FF000-memory.dmp

memory/1560-1-0x0000000003500000-0x0000000003501000-memory.dmp

memory/3760-2-0x0000000000600000-0x0000000000624000-memory.dmp

memory/3760-6-0x00000000742A0000-0x0000000074A50000-memory.dmp

memory/3760-7-0x0000000004C90000-0x0000000004CA0000-memory.dmp

memory/3760-8-0x0000000005710000-0x0000000005CB4000-memory.dmp

memory/3760-9-0x0000000005200000-0x000000000529C000-memory.dmp

memory/3760-10-0x0000000005650000-0x00000000056B6000-memory.dmp

memory/3760-11-0x00000000064C0000-0x0000000006552000-memory.dmp

memory/3760-12-0x0000000006490000-0x000000000649A000-memory.dmp

memory/3760-13-0x00000000742A0000-0x0000000074A50000-memory.dmp

memory/3760-14-0x0000000004C90000-0x0000000004CA0000-memory.dmp