General

  • Target

    Phoenix.rar

  • Size

    17.5MB

  • Sample

    240907-22pylasgnf

  • MD5

    10a7a676d6d8e7a84a7c3f1460f7bcd8

  • SHA1

    bc878368d1e739de405d79290277b37a374685b6

  • SHA256

    7864b6a28009122c9200cc8bef5d0ba9a5389fe2662bf6e58c714ec9d10aa560

  • SHA512

    fa918dc96744bb8b87232c6dbccae8c1a09285875ea6adc64dc990fcc84e8e66fe8edc1857399cba7944dd3590a783409255210200d2ace4520c3098833c0185

  • SSDEEP

    393216:Y6MxPwaKuIQezjboK9Vs3VH+1byJFGrtVNLkY7HIXY8hxZ:Y6xaKuIRjbr9K39xGrZnHgY8hv

Malware Config

Targets

    • Target

      Phoenix/Phoenix.exe

    • Size

      13.3MB

    • MD5

      f8182a874096aa691a180479123d8beb

    • SHA1

      9d740987406b45008d39b7ac499541b36eae082f

    • SHA256

      d2f8b4c9a80a2f276be93be766a552c5a1b429fcda93a8091e8f5615465800df

    • SHA512

      4db51e79ebdaed7774952a6189970bfd58521111f3bbcc5a3c7e6d9ff27fc1296feba5527a55b17ba41190774d3feb340975f94ec4877bcb4edb2c567995f7b6

    • SSDEEP

      196608:xhbCj0/sPdlV/wTQPb4FJ9Bawp5tC4OjmFQR4MVGFtwLPIrlvnL2hVUJz:PZ/sxwYaLPp5tC3KtM5LPIdGSz

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious access to, or copying of, the web browser credential store.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Drops file in Drivers directory

    • Clipboard Data

      Adversaries may collect data stored in the clipboard from users copying information within or between applications.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, among other data.

    • UPX packed file

      Detects executables packed with the UPX open-source packer or a modified variant of it.

    • Unsecured Credentials: Credentials In Files

      Steals credentials from unsecured files.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Obfuscated Files or Information: Command Obfuscation

      Adversaries may obfuscate content during command execution to impede detection.

    • Enumerates processes with tasklist

    • Target

      Phoenix/extatent.dll

    • Size

      50KB

    • MD5

      4e6b9cd76713ec5af29998eb790a3e5a

    • SHA1

      66b246f6df2c83dff2dc702602eeeb24ac300582

    • SHA256

      44f76629435b429bba3cc08fca63a8f6a8e460268a0792a9e76cda3162655b95

    • SHA512

      b8b28d69493305e899f017e5c7203ef31f188e520dae3e56bc008b8f34fdc20759333f1ac0bf81ab5191492ccf27f19df6970d600be2906f96e263f74db5cf92

    • SSDEEP

      768:e4gOx89NGERw2A11HI+bFK603JLw8MdErPPPwZVTkeJbT1ehphQ:eDGB2KHIwoKyPPyqeJl+phQ

    • Score

      1/10

    • Target

      Phoenix/selenium-manager/linux/selenium-manager

    • Size

      4.3MB

    • MD5

      6a956ddd8f1e71ca2707aedb59a7f779

    • SHA1

      d12c5efd25bb9b0b77054f4a83a38504094f240d

    • SHA256

      b7c8968038e9112e6cb549a0b58172ab53658262946835ff39c041ec44c871b8

    • SHA512

      186c91a19b4f1f2ff9bc14b144ca109ef6599a21d126472c90e2022ed26b20cf878ecd9758a069b0c4ba768cc3621150269f861810b8284e146405bc227b8e63

    • SSDEEP

      49152:d/M6p1KU1mIU6ifVovQfFAtDa6E4alFSmcrTKbalFMeDYieEhEQ/Lic1XgAcTaMK:tR1Kq+yhukbLN

    • Score

      1/10

    • Target

      Phoenix/selenium-manager/macos/selenium-manager

    • Size

      3.6MB

    • MD5

      4e3e74d882f2a2ef2f983f65077d7b10

    • SHA1

      112bd6ffdc55f8ec2d0bbaaac2b72edf679e6e3d

    • SHA256

      81a2056f4616f8ba3ef50c3a81db3f4963565cac1da46f57688fe455ac73763c

    • SHA512

      d51f7cf7e11a7c199d28a0fe8f9020a1113e5aac8625392a9a8ba07c7d3328decd7ace47c26fba1e9b64f17a1c119770df63c3fd31d31a8d64081ec5d7a80003

    • SSDEEP

      49152:x/MxNkflKGKhmGV7ALIut7Fulx/DyWwNOlvMqVBBhxtEDu7bQzVktjsNaOaIVqE7:mO/GVlx/rx70zV+sw1Ew62+tl5LHTd

    • Score

      1/10

    • Target

      Phoenix/selenium-manager/windows/selenium-manager.exe

    • Size

      3.0MB

    • MD5

      b97e5ecdfd825a3a31183927e23e0199

    • SHA1

      ab3d793868cc689699ce35d27e53cd0b8db76fcf

    • SHA256

      c99709759258ae4a7174e23d395801f1e709f743d12ffe3e00bc638ae59fadfb

    • SHA512

      61a8e401013d3fb04be465bab2eeb943585e11ae7249b5cfd16fcd1fdc12a433151c1e701a202c6b9a5ccbb4254d6b60b91da787e9666028c7190a2d6ced64f2

    • SSDEEP

      49152:GgD4UMNOYj788gbCe85TGHwHG9Xg2s1+2IU6iYuCoh0ueLi:G396Cfp4Xg2t+FC

    • Score

      3/10

MITRE ATT&CK Enterprise v15

Tasks