General

Target: Phoenix.rar
Size: 17.5MB
Sample: 240907-22pylasgnf
MD5: 10a7a676d6d8e7a84a7c3f1460f7bcd8
SHA1: bc878368d1e739de405d79290277b37a374685b6
SHA256: 7864b6a28009122c9200cc8bef5d0ba9a5389fe2662bf6e58c714ec9d10aa560
SHA512: fa918dc96744bb8b87232c6dbccae8c1a09285875ea6adc64dc990fcc84e8e66fe8edc1857399cba7944dd3590a783409255210200d2ace4520c3098833c0185
SSDEEP: 393216:Y6MxPwaKuIQezjboK9Vs3VH+1byJFGrtVNLkY7HIXY8hxZ:Y6xaKuIRjbr9K39xGrZnHgY8hv

Behavioral tasks

behavioral1: Phoenix/Phoenix.exe (resource: win10v2004-20240802-en)
behavioral2: Phoenix/extatent.dll (resource: win10v2004-20240802-en)
behavioral3: Phoenix/selenium-manager/linux/selenium-manager (resource: win10v2004-20240802-en)
behavioral4: Phoenix/selenium-manager/macos/selenium-manager (resource: win10v2004-20240802-en)
behavioral5: Phoenix/selenium-manager/windows/selenium-manager.exe (resource: win10v2004-20240802-en)

All five tasks ran on the same Windows 10 image. The Linux and macOS builds of selenium-manager are not Windows executables and could not run there, so their low scores below reflect a file that never executed, not a file that was examined and found clean.

Malware Config

Targets

Target: Phoenix/Phoenix.exe
Size: 13.3MB
MD5: f8182a874096aa691a180479123d8beb
SHA1: 9d740987406b45008d39b7ac499541b36eae082f
SHA256: d2f8b4c9a80a2f276be93be766a552c5a1b429fcda93a8091e8f5615465800df
SHA512: 4db51e79ebdaed7774952a6189970bfd58521111f3bbcc5a3c7e6d9ff27fc1296feba5527a55b17ba41190774d3feb340975f94ec4877bcb4edb2c567995f7b6
SSDEEP: 196608:xhbCj0/sPdlV/wTQPb4FJ9Bawp5tC4OjmFQR4MVGFtwLPIrlvnL2hVUJz:PZ/sxwYaLPp5tC3KtM5LPIdGSz
Signatures:
- Credentials from Password Stores: Credentials from Web Browsers. Malicious access to, or copying of, the web browser credential store.
- Command and Scripting Interpreter: PowerShell. Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths and processes.
- Drops file in Drivers directory.
- Clipboard Data. Adversaries may collect data stored in the clipboard from users copying information within or between applications.
- Executes dropped EXE.
- Loads dropped DLL.
- Unsecured Credentials: Credentials In Files. Steals credentials from unsecured files.
- Accesses cryptocurrency files/wallets, possible credential harvesting.
- Legitimate hosting services abused for malware hosting/C2.
- Looks up external IP address via web service. Uses a legitimate IP lookup service to find the infected system's external IP.
- Obfuscated Files or Information: Command Obfuscation. Adversaries may obfuscate content during command execution to impede detection.
- Enumerates processes with tasklist.
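The signature list describes what Phoenix.exe did, but this export carries no command lines, so there is nothing here to pivot on directly. The script below is an added example, not part of the sandbox report or of the sample: it scores process-creation command lines against four of the signatures above (Defender exclusions added through PowerShell, encoded PowerShell as command obfuscation, tasklist enumeration, and external IP lookup). The command lines in SAMPLE_COMMAND_LINES are constructed, and IP_LOOKUP_HOSTS is an assumption, since the report does not name the lookup service the sample contacted.

```python
"""Flag process command lines that match four of the signatures reported for
Phoenix.exe: Defender exclusions added via PowerShell, encoded (obfuscated)
PowerShell commands, process enumeration with tasklist, and external IP
lookups via a web service.

Added example, not part of the sandbox report or the sample. The command
lines in SAMPLE_COMMAND_LINES are constructed, and IP_LOOKUP_HOSTS is an
assumption: the report does not say which lookup service Phoenix used.
"""
import base64
import re

# Assumption: legitimate IP-echo services commonly contacted by stealers.
IP_LOOKUP_HOSTS = ("api.ipify.org", "ipinfo.io", "ip-api.com",
                   "icanhazip.com", "checkip.amazonaws.com")

# powershell -e/-ec/-enc/-EncodedCommand <base64 of UTF-16LE script>
_ENCODED = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{8,})", re.I)
# Add-MpPreference / Set-MpPreference with any of the three exclusion lists
_DEFENDER = re.compile(
    r"\b(?:Add|Set)-MpPreference\b.*?-Exclusion(?:Path|Extension|Process)\b",
    re.I | re.S)
# tasklist invoked directly or via cmd.exe /c
_TASKLIST = re.compile(r"(?:^|[\s\"'\\/])tasklist(?:\.exe)?\b", re.I)


def decode_encoded_command(cmdline: str):
    """Return the plaintext of a PowerShell -EncodedCommand argument, or None
    when there is none or the payload is not valid base64."""
    match = _ENCODED.search(cmdline)
    if not match:
        return None
    try:
        raw = base64.b64decode(match.group(1), validate=True)
    except ValueError:          # binascii.Error is a ValueError subclass
        return None
    # PowerShell encodes the script as UTF-16LE; tolerate an odd trailing byte.
    return raw.decode("utf-16-le", errors="replace")


def classify(cmdline: str) -> list:
    """Return the sorted list of signature names the command line matches."""
    hits = set()
    decoded = decode_encoded_command(cmdline)
    if decoded is not None:
        hits.add("command_obfuscation")
    # Check both the literal line and the decoded script, so an encoded
    # Add-MpPreference still trips the Defender-exclusion rule.
    for text in [cmdline] + ([decoded] if decoded else []):
        if _DEFENDER.search(text):
            hits.add("defender_exclusion")
        if _TASKLIST.search(text):
            hits.add("process_enumeration")
        lowered = text.lower()
        if any(host in lowered for host in IP_LOOKUP_HOSTS):
            hits.add("external_ip_lookup")
    return sorted(hits)


def _encode_ps(script: str) -> str:
    """Build a -EncodedCommand payload the way PowerShell expects it."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed process-creation command lines (not from the sandbox run).
SAMPLE_COMMAND_LINES = [
    "powershell.exe -NoProfile -Command \"Add-MpPreference -ExclusionPath "
    "'C:\\Users\\Public' -ExclusionExtension exe\"",
    "powershell.exe -w hidden -enc "
    + _encode_ps("Add-MpPreference -ExclusionProcess 'Phoenix.exe'"),
    "cmd.exe /c tasklist /v",
    "curl.exe -s https://api.ipify.org",
    "notepad.exe C:\\Users\\Public\\notes.txt",
]


def triage(lines) -> dict:
    """Classify every line; lines with no hits map to an empty list."""
    return {line: classify(line) for line in lines}


if __name__ == "__main__":
    for line, hits in triage(SAMPLE_COMMAND_LINES).items():
        print(f"{', '.join(hits) or '-':45} {line[:70]}")
```

Feed it the CommandLine field of Sysmon event 1 or Windows Security event 4688 (with command-line auditing enabled). The IP-lookup rule is the weakest of the four because a stealer can fetch the address from inside its own process without a visible command line; DNS or proxy telemetry for the same hosts is the more reliable place to look.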

Target: Phoenix/extatent.dll
Size: 50KB
MD5: 4e6b9cd76713ec5af29998eb790a3e5a
SHA1: 66b246f6df2c83dff2dc702602eeeb24ac300582
SHA256: 44f76629435b429bba3cc08fca63a8f6a8e460268a0792a9e76cda3162655b95
SHA512: b8b28d69493305e899f017e5c7203ef31f188e520dae3e56bc008b8f34fdc20759333f1ac0bf81ab5191492ccf27f19df6970d600be2906f96e263f74db5cf92
SSDEEP: 768:e4gOx89NGERw2A11HI+bFK603JLw8MdErPPPwZVTkeJbT1ehphQ:eDGB2KHIwoKyPPyqeJl+phQ
Score: 1/10

Target: Phoenix/selenium-manager/linux/selenium-manager
Size: 4.3MB
MD5: 6a956ddd8f1e71ca2707aedb59a7f779
SHA1: d12c5efd25bb9b0b77054f4a83a38504094f240d
SHA256: b7c8968038e9112e6cb549a0b58172ab53658262946835ff39c041ec44c871b8
SHA512: 186c91a19b4f1f2ff9bc14b144ca109ef6599a21d126472c90e2022ed26b20cf878ecd9758a069b0c4ba768cc3621150269f861810b8284e146405bc227b8e63
SSDEEP: 49152:d/M6p1KU1mIU6ifVovQfFAtDa6E4alFSmcrTKbalFMeDYieEhEQ/Lic1XgAcTaMK:tR1Kq+yhukbLN
Score: 1/10

Target: Phoenix/selenium-manager/macos/selenium-manager
Size: 3.6MB
MD5: 4e3e74d882f2a2ef2f983f65077d7b10
SHA1: 112bd6ffdc55f8ec2d0bbaaac2b72edf679e6e3d
SHA256: 81a2056f4616f8ba3ef50c3a81db3f4963565cac1da46f57688fe455ac73763c
SHA512: d51f7cf7e11a7c199d28a0fe8f9020a1113e5aac8625392a9a8ba07c7d3328decd7ace47c26fba1e9b64f17a1c119770df63c3fd31d31a8d64081ec5d7a80003
SSDEEP: 49152:x/MxNkflKGKhmGV7ALIut7Fulx/DyWwNOlvMqVBBhxtEDu7bQzVktjsNaOaIVqE7:mO/GVlx/rx70zV+sw1Ew62+tl5LHTd
Score: 1/10

Target: Phoenix/selenium-manager/windows/selenium-manager.exe
Size: 3.0MB
MD5: b97e5ecdfd825a3a31183927e23e0199
SHA1: ab3d793868cc689699ce35d27e53cd0b8db76fcf
SHA256: c99709759258ae4a7174e23d395801f1e709f743d12ffe3e00bc638ae59fadfb
SHA512: 61a8e401013d3fb04be465bab2eeb943585e11ae7249b5cfd16fcd1fdc12a433151c1e701a202c6b9a5ccbb4254d6b60b91da787e9666028c7190a2d6ced64f2
SSDEEP: 49152:GgD4UMNOYj788gbCe85TGHwHG9Xg2s1+2IU6iYuCoh0ueLi:G396Cfp4Xg2t+FC
Score: 3/10
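Before any of the per-file findings are reused, the files on the analyst's disk should be shown to be the ones the sandbox hashed. The script below is an added example, not part of the sandbox report: it recomputes MD5, SHA-1, SHA-256 and SHA-512 for each archive member in one streaming pass and compares the SHA-256 with the value the report lists. The expected digests are copied from the report above; the on-disk layout (the archive extracted under a root directory with the member paths the report shows) is an assumption.

```python
"""Re-hash the members extracted from Phoenix.rar and compare them with the
digests the report lists, so analysis starts from the right files.

Added example, not part of the sandbox report: the expected values are
copied from the report; the on-disk layout (archive extracted under `root`
with the member paths shown in the report) is an assumption.
"""
import hashlib
import os

ALGORITHMS = ("md5", "sha1", "sha256", "sha512")

# SHA-256 of each archive member, as the report lists them.
EXPECTED_SHA256 = {
    "Phoenix/Phoenix.exe":
        "d2f8b4c9a80a2f276be93be766a552c5a1b429fcda93a8091e8f5615465800df",
    "Phoenix/extatent.dll":
        "44f76629435b429bba3cc08fca63a8f6a8e460268a0792a9e76cda3162655b95",
    "Phoenix/selenium-manager/linux/selenium-manager":
        "b7c8968038e9112e6cb549a0b58172ab53658262946835ff39c041ec44c871b8",
    "Phoenix/selenium-manager/macos/selenium-manager":
        "81a2056f4616f8ba3ef50c3a81db3f4963565cac1da46f57688fe455ac73763c",
    "Phoenix/selenium-manager/windows/selenium-manager.exe":
        "c99709759258ae4a7174e23d395801f1e709f743d12ffe3e00bc638ae59fadfb",
}


def digests(data: bytes) -> dict:
    """All four report digests of an in-memory blob."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in ALGORITHMS}


def file_digests(path: str, chunk_size: int = 1 << 20) -> dict:
    """Same digests for a file on disk, computed in one streaming pass so a
    13 MB executable is read once rather than four times."""
    hashers = {alg: hashlib.new(alg) for alg in ALGORITHMS}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {alg: h.hexdigest() for alg, h in hashers.items()}


def check_bytes(member: str, data: bytes, expected=EXPECTED_SHA256) -> str:
    """'ok' if data has the reported SHA-256 for member, 'mismatch' if not,
    'unknown' for a member the report does not list."""
    want = expected.get(member)
    if want is None:
        return "unknown"
    return "ok" if digests(data)["sha256"] == want else "mismatch"


def verify_members(root: str, expected=EXPECTED_SHA256) -> dict:
    """Map every reported member to 'ok', 'mismatch' or 'missing'."""
    status = {}
    for member, want in expected.items():
        path = os.path.join(root, *member.split("/"))
        if not os.path.isfile(path):
            status[member] = "missing"
        elif file_digests(path)["sha256"] == want:
            status[member] = "ok"
        else:
            status[member] = "mismatch"
    return status


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for member, state in verify_members(root).items():
        print(f"{state:8} {member}")
```

Run it with the extraction directory as the only argument. A "mismatch" on Phoenix.exe means the archive on hand is not the one the sandbox ran, and none of the signatures above should be assumed to apply to it.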

MITRE ATT&CK Enterprise v15 (figures in parentheses are the number of matching signatures)

Defense Evasion
  Hide Artifacts (1)
    Hidden Files and Directories (1)
  Obfuscated Files or Information (1)
    Command Obfuscation (1)
Credential Access
  Credentials from Password Stores (1)
    Credentials from Web Browsers (1)
  Unsecured Credentials (3)
    Credentials In Files (3)