Phoenix[.]zip | Triage

General

Target

Phoenix.zip
Size

1.9MB
MD5

0c52c6c075eea0e8b661993c4385020b
SHA1

a1a5f65751c50a3dbffac714b7a36b494b36c7e7
SHA256

d4c95bd2cf5f9cdbf977c692742619bd077e613058f55791118269efb6517f7d
SHA512

439f79da25de48112f16dff668feb16df681beb087a990f00ad6e6eb36988e289245272ebd81c37cb0c93c2cbde6be688509eba669f3dbd1424c4843cdeadec5
SSDEEP

49152:MytXbvwKF50ZMQlpnR7UPoQf8wtzxFN/BaiEI5OKFGxJmy2u77:MytbDFC9lL7UPoBc/B9EI5OK8JV2c7

Score

7^/10

agilenet

Malware Config

Signatures

Obfuscated with Agile.Net obfuscator 1 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

resource	yara_rule
static1/unpack001/Phoenix/extatent.dll	agile_net

Unsigned PE 2 IoCs

Checks for missing Authenticode signature.

resource
unpack001/Phoenix/Phoenix.exe
unpack001/Phoenix/extatent.dll

Files

Phoenix.zip
.zip
Phoenix/Phoenix.exe
.exe windows:4 windows x86 arch:x86

f34d5f2d4577ed6d9ceec516c1f5a744

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_32BIT_MACHINE

PDB Paths

C:\Users\User\Desktop\Phoenix\Phoenix\bin\Release\Secured\Phoenix.pdb

Imports

mscoree

_CorExeMain

Sections

.text
Size: 1.9MB - Virtual size: 1.9MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 133KB - Virtual size: 133KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
Phoenix/extatent.dll
.dll windows:4 windows x86 arch:x86

dae02f32a21e03ce65412f6e56942daa

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

PDB Paths

C:\Users\erand\Dropbox\Dev\ag.v66\Libraries\VMRuntime\obj\Trial\AgileDotNet.VMRuntime.pdb

Imports

mscoree

_CorDllMain

Sections

.text
Size: 48KB - Virtual size: 47KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

f34d5f2d4577ed6d9ceec516c1f5a744

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

mscoree

Sections

.text Size: 1.9MB - Virtual size: 1.9MB

.rsrc Size: 133KB - Virtual size: 133KB

.reloc Size: 512B - Virtual size: 12B

dae02f32a21e03ce65412f6e56942daa

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

mscoree

Sections

.text Size: 48KB - Virtual size: 47KB

.rsrc Size: 1KB - Virtual size: 1KB

.reloc Size: 512B - Virtual size: 12B

.text
Size: 1.9MB - Virtual size: 1.9MB

.rsrc
Size: 133KB - Virtual size: 133KB

.reloc
Size: 512B - Virtual size: 12B

.text
Size: 48KB - Virtual size: 47KB

.rsrc
Size: 1KB - Virtual size: 1KB

.reloc
Size: 512B - Virtual size: 12B