Analysis

  • max time kernel
    122s
  • max time network
    125s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
  • submitted
    30-07-2024 05:44

General

  • Target

    Phxnt0m-malware-main/Phxnt0mware RAT - main/resources/__pycache__/discord_token_grabber.cpython-311.pyc

  • Size

    17KB

  • MD5

    6f3eceb15c82bec23053daf172029efa

  • SHA1

    85c9d84e4fbd99d19ade72a41055489a3dc1c038

  • SHA256

    b692ef85a75468a8a22b6972028b2e59ada33f69c7c91c68fa176793e31ac7ed

  • SHA512

    e6178706eaa78fff9ec9e077b79ba5c8cc1ce78ec3dd79fe5525e5d0b266e6155993ef1f544cb5fcee8fdd3336d2de8b696059d2ea400b45736ebcc32ed81f03

  • SSDEEP

    384:bGOlyAavwR9F0Rn8wyTPQviowoYbJNcWWIc05S:bvlytv49iRn8JQ6owoY1NDd5S

Score
3/10

Malware Config

Signatures

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 9 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\Phxnt0m-malware-main\Phxnt0mware RAT - main\resources\__pycache__\discord_token_grabber.cpython-311.pyc"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2412
    • C:\Windows\system32\rundll32.exe
      "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Phxnt0m-malware-main\Phxnt0mware RAT - main\resources\__pycache__\discord_token_grabber.cpython-311.pyc
      2⤵
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:2168
      • C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Phxnt0m-malware-main\Phxnt0mware RAT - main\resources\__pycache__\discord_token_grabber.cpython-311.pyc"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of SetWindowsHookEx
        PID:2640

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

    Filesize

    3KB

    MD5

    3ecbeb1103cec06a7d79a74c12582974

    SHA1

    5c4861e039e407398c72ad30ffe13ca7159e4447

    SHA256

    7cf4f32be0f73b0a5a895bc721e8bc4e12f703d3c61d1aa30cd7b9f21e9b2ed4

    SHA512

    7657e01293f0efca38e69178a498089d536ad27ed62eef6e161dab08618bff9417c7baaaa871c125ef0e5b9cb91caac0e6b799ea0ace11a8dfb6e140dc6d803e