
Windows Analysis Report
PhoenixMiner.exe

Overview

General Information

Sample name: PhoenixMiner.exe
Analysis ID: 1405274
MD5: 51ff42d909a879d42eb5f0e643aab806
SHA1: affce62499d0f923f115228643a87ba5daece4e5
SHA256: c0e187a0974b337fe6990e9a929c472dcf491282b8171322291a0ed6c1c653c3

Detection

Phoenix Miner
Score: 68
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Yara detected Phoenix Miner
Machine Learning detection for sample
Program does not show much activity (idle)
Sample execution stops while process was sleeping (likely an evasion)
Tries to load missing DLLs

Classification

  • System is w10x64_ra
  • PhoenixMiner.exe (PID: 1644 cmdline: C:\Users\user\Desktop\PhoenixMiner.exe MD5: 51FF42D909A879D42EB5F0E643AAB806)
    • conhost.exe (PID: 4392 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • PhoenixMiner.exe (PID: 4256 cmdline: "C:\Users\user\Desktop\PhoenixMiner.exe" MD5: 51FF42D909A879D42EB5F0E643AAB806)
    • conhost.exe (PID: 1104 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • PhoenixMiner.exe (PID: 5856 cmdline: "C:\Users\user\Desktop\PhoenixMiner.exe" MD5: 51FF42D909A879D42EB5F0E643AAB806)
    • conhost.exe (PID: 5708 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
No configs have been found
Yara matches (dropped files)
Source | Rule | Description | Author | Strings
\Device\ConDrv | JoeSecurity_PhoenixMiner | Yara detected Phoenix Miner | Joe Security |
dropped/ConDrv | JoeSecurity_PhoenixMiner | Yara detected Phoenix Miner | Joe Security |
dropped/ConDrv | JoeSecurity_PhoenixMiner | Yara detected Phoenix Miner | Joe Security |

Yara matches (memory dumps)
Source | Rule | Description | Author | Strings
00000009.00000002.1249892819.0000025B46647000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_PhoenixMiner | Yara detected Phoenix Miner | Joe Security |
Process Memory Space: PhoenixMiner.exe PID: 1644 | JoeSecurity_PhoenixMiner | Yara detected Phoenix Miner | Joe Security |
Process Memory Space: PhoenixMiner.exe PID: 4256 | JoeSecurity_PhoenixMiner | Yara detected Phoenix Miner | Joe Security |
Process Memory Space: PhoenixMiner.exe PID: 5856 | JoeSecurity_PhoenixMiner | Yara detected Phoenix Miner | Joe Security |

No Sigma rule has matched
No Snort rule has matched


                AV Detection

Source: PhoenixMiner.exe | Avira: detected
Source: PhoenixMiner.exe | ReversingLabs: Detection: 77%
Source: PhoenixMiner.exe | Virustotal: Detection: 71%
Source: PhoenixMiner.exe | Joe Sandbox ML: detected

                Bitcoin Miner

Source: Yara match | File source: 00000009.00000002.1249892819.0000025B46647000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: PhoenixMiner.exe PID: 1644, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: PhoenixMiner.exe PID: 4256, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: PhoenixMiner.exe PID: 5856, type: MEMORYSTR
Source: Yara match | File source: \Device\ConDrv, type: DROPPED
Source: Yara match | File source: dropped/ConDrv, type: DROPPED
Source: Yara match | File source: dropped/ConDrv, type: DROPPED
Source: PhoenixMiner.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: PhoenixMiner.exe | String found in binary or memory: http://www.openssl.org/support/faq.html
Source: PhoenixMiner.exe | String found in binary or memory: http://www.openssl.org/support/faq.html.
Source: PhoenixMiner.exe | String found in binary or memory: https://curl.haxx.se/docs/http-cookies.html
Source: C:\Users\user\Desktop\PhoenixMiner.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\PhoenixMiner.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\PhoenixMiner.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\PhoenixMiner.exe | Section loaded: secur32.dll
Source: C:\Users\user\Desktop\PhoenixMiner.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\PhoenixMiner.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\PhoenixMiner.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\PhoenixMiner.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\PhoenixMiner.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\PhoenixMiner.exe | Section loaded: secur32.dll
Source: C:\Users\user\Desktop\PhoenixMiner.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\PhoenixMiner.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\PhoenixMiner.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\PhoenixMiner.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\PhoenixMiner.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\PhoenixMiner.exe | Section loaded: secur32.dll
Source: C:\Users\user\Desktop\PhoenixMiner.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\PhoenixMiner.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\PhoenixMiner.exe | Section loaded: kernel.appcore.dll
Source: classification engine | Classification label: mal68.mine.winEXE@6/3@0/0
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1104:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4392:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5708:120:WilError_03
Source: PhoenixMiner.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\PhoenixMiner.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: PhoenixMiner.exe | ReversingLabs: Detection: 77%
Source: PhoenixMiner.exe | Virustotal: Detection: 71%
Source: PhoenixMiner.exe | String found in binary or memory: MonTueWedThuFriSatSunMondayTuesdayWednesdayThursdayFridaySaturdaySundayJanFebMarAprMayJunJulAugSepOctNovDec%31[ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz]%02d:%02d:%02d%02d:%02d0123456789abcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ(nil)(nil)I32I64%ld.%ldkernel32LoadLibraryExA\/AddDllDirectory%dgetaddrinfo(3) failed for %s:%d
Source: PhoenixMiner.exe | String found in binary or memory: set-addPolicy
Source: PhoenixMiner.exe | String found in binary or memory: id-cmc-addExtensions
Source: PhoenixMiner.exe | String found in binary or memory: C:/.hunter/_Base/435b09a/61c532d/fcc182b/Build/OpenSSL/Install/ssl/private
Source: PhoenixMiner.exe | String found in binary or memory: C:/.hunter/_Base/435b09a/61c532d/fcc182b/Build/OpenSSL/Install/ssl
Source: PhoenixMiner.exe | String found in binary or memory: C:/.hunter/_Base/435b09a/61c532d/fcc182b/Build/OpenSSL/Install/ssl/certs
Source: PhoenixMiner.exe | String found in binary or memory: C:/.hunter/_Base/435b09a/61c532d/fcc182b/Build/OpenSSL/Install/ssl/cert.pem
Source: PhoenixMiner.exe | String found in binary or memory: C:/.hunter/_Base/435b09a/61c532d/fcc182b/Build/OpenSSL/Install/lib/engines
Source: unknown | Process created: C:\Users\user\Desktop\PhoenixMiner.exe C:\Users\user\Desktop\PhoenixMiner.exe
Source: C:\Users\user\Desktop\PhoenixMiner.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Users\user\Desktop\PhoenixMiner.exe "C:\Users\user\Desktop\PhoenixMiner.exe"
Source: C:\Users\user\Desktop\PhoenixMiner.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Users\user\Desktop\PhoenixMiner.exe "C:\Users\user\Desktop\PhoenixMiner.exe"
Source: C:\Users\user\Desktop\PhoenixMiner.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: PhoenixMiner.exe | Static PE information: Virtual size of .text is bigger than: 0x100000
Source: PhoenixMiner.exe | Static PE information: Image base 0x140000000 > 0x60000000
Source: PhoenixMiner.exe | Static file information: File size 8477696 > 1048576
Source: PhoenixMiner.exe | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x42e600
Source: PhoenixMiner.exe | Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x35ec00
Source: PhoenixMiner.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: PhoenixMiner.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: PhoenixMiner.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: PhoenixMiner.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: PhoenixMiner.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: PhoenixMiner.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: PhoenixMiner.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: PhoenixMiner.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: PhoenixMiner.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: PhoenixMiner.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: PhoenixMiner.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: PhoenixMiner.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: PhoenixMiner.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Users\user\Desktop\PhoenixMiner.exe | Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\PhoenixMiner.exe | Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\PhoenixMiner.exe | Process information set: NOGPFAULTERRORBOX
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: PhoenixMiner.exe, 00000009.00000003.1249559318.0000025B4665E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll6
Source: PhoenixMiner.exe, 00000003.00000002.1134527508.000001813A1A5000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: PhoenixMiner.exe, 00000003.00000002.1134527508.000001813A1A5000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllK
Source: PhoenixMiner.exe, 00000000.00000003.1035305309.00000205E82D4000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll<<ugP
MITRE ATT&CK matrix (a number in parentheses is the count of signatures mapped to that technique; techniques without a count did not match)
Reconnaissance: Gather Victim Identity Information; Credentials
Resource Development: Acquire Infrastructure; Domains
Initial Access: Valid Accounts; Default Accounts
Execution: Command and Scripting Interpreter (2); Scheduled Task/Job
Persistence: DLL Side-Loading (1); Boot or Logon Initialization Scripts
Privilege Escalation: Process Injection (1); DLL Side-Loading (1)
Defense Evasion: Process Injection (1); DLL Side-Loading (1)
Credential Access: OS Credential Dumping; LSASS Memory
Discovery: Security Software Discovery (1); System Information Discovery (1)
Lateral Movement: Remote Services; Remote Desktop Protocol
Collection: Data from Local System; Data from Removable Media
Command and Control: Data Obfuscation; Junk Data
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth
Impact: Abuse Accessibility Features; Network Denial of Service
Behavior Graph (ID: 1405274; Sample: PhoenixMiner.exe; Startdate: 08/03/2024; Architecture: WINDOWS; Score: 68): the start node carries the signatures "Antivirus / Scanner detection for submitted sample", "Multi AV Scanner detection for submitted file", "Yara detected Phoenix Miner" and "Machine Learning detection for sample"; three PhoenixMiner.exe processes are started, each of which starts a conhost.exe; the first PhoenixMiner.exe drops \Device\ConDrv (ASCII).

Source | Detection | Scanner | Label | Link
PhoenixMiner.exe | 77% | ReversingLabs | Win64.Trojan.MinerPhoenix |
PhoenixMiner.exe | 72% | Virustotal | |
PhoenixMiner.exe | 100% | Avira | PUA/CoinMiner.Gen |
PhoenixMiner.exe | 100% | Joe Sandbox ML | |
                No Antivirus matches
                No contacted domains info
Name | Source | Malicious | Antivirus Detection | Reputation
http://www.openssl.org/support/faq.html. | PhoenixMiner.exe | false | | high
https://curl.haxx.se/docs/http-cookies.html | PhoenixMiner.exe | false | | high
http://www.openssl.org/support/faq.html | PhoenixMiner.exe | false | | high
                      No contacted IP infos
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1405274
Start date and time: 2024-03-08 08:58:46 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 4m 26s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: defaultwindowsinteractivecookbook.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 24
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 1
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: PhoenixMiner.exe
Detection: MAL
Classification: mal68.mine.winEXE@6/3@0/0
EGA Information: Failed
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, consent.exe, RuntimeBroker.exe, SIHClient.exe, SgrmBroker.exe, MoUsoCoreWorker.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe
• Excluded domains from analysis (whitelisted): www.bing.com, fs.microsoft.com, slscr.update.microsoft.com, login.live.com, evoke-windowsservices-tas.msedge.net, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
                      No simulations
                      No context
Dropped file
Process: C:\Users\user\Desktop\PhoenixMiner.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 146
Entropy (8bit): 3.9977143205202954
Encrypted: false
SSDEEP: 3:quRKyFHKL8dUG1Cg6IIIKPXFOvLXQIMQDMEDg:quRpqLuUG1YC0XFO7QIRdg
MD5: F5D346B4D208762F7F2D185E885D51C4
SHA1: 61DA264CDDA131ADD5D4A0191A0CD32299AAE8F7
SHA-256: CC70F9EACB52347975B8BDE6A17A1135BEE4EF11DBCEAD234AC8CDD0043ACE37
SHA-512: 72B59D8C6BAF9B220E99638F1ADB7F8E5F5F3D3BB12A4CFF57BDE624E633E1F5F8C70E052F44A77095782F670FFBEE341AF6D756EC7ECD8CA47917BB4CAAAB07
Malicious: true
Yara Hits:
• Rule: JoeSecurity_PhoenixMiner, Description: Yara detected Phoenix Miner, Source: \Device\ConDrv, Author: Joe Security
Reputation: low
Preview: Phoenix Miner 6.2c Windows/msvc - Release build..-----------------------------------------------....Unable to open configuration file config.txt..
Static file info
File type: PE32+ executable (console) x86-64, for MS Windows
Entropy (8bit): 7.052756373024516
TrID:
• Win64 Executable Console (202006/5) 92.65%
• Win64 Executable (generic) (12005/4) 5.51%
• Generic Win/DOS Executable (2004/3) 0.92%
• DOS Executable Generic (2002/1) 0.92%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: PhoenixMiner.exe
File size: 8'477'696 bytes
MD5: 51ff42d909a879d42eb5f0e643aab806
SHA1: affce62499d0f923f115228643a87ba5daece4e5
SHA256: c0e187a0974b337fe6990e9a929c472dcf491282b8171322291a0ed6c1c653c3
SHA512: bc948edfb59e58cc7f9a4c8e9052989e8d655323f79b29ac1a0ae5152bffd0847f8838091a51a33ffd0d1414b5afeed34870587931801f47da1ecff8915f9baf
SSDEEP: 98304:4ffSHaUurGjZ95RBV7NIiHrGQ+KuEe2aqG6ONJHfmDjz3jvj7OnWe:eSHaUl95V7PLGQ/ujyN6Nm7YWe
TLSH: 3A869D046A66F0E5D6FEF07A859B4A07E272B9D10730C6FB46E4360A1E336D1DD3A2D1
File Content Preview: MZ......................@...................................8...........!..L.!This program cannot be run in DOS mode....$..........z...)...)...).=6)...).=4)...).=5)...):..)...)...(...)...(...)...($..)v..(...).<m)...)..T)...).<l)...)...(...)6..(...)y^.)...
Icon Hash: 00928e8e8686b000
Entrypoint: 0x1403b288c
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x140000000
Subsystem: windows cui
Image File Characteristics: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp: 0x6268B2EA [Wed Apr 27 03:05:14 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 6
OS Version Minor: 0
File Version Major: 6
File Version Minor: 0
Subsystem Version Major: 6
Subsystem Version Minor: 0
Import Hash: a8eb81b09f2018eee064158a9f3242cb
Entrypoint instructions:
                      dec eax
                      sub esp, 28h
                      call 00007FF83C9C0A44h
                      dec eax
                      add esp, 28h
                      jmp 00007FF83C9C009Bh
                      int3
                      int3
                      dec eax
                      lea ecx, dword ptr [0043A909h]
                      dec eax
                      jmp dword ptr [0007DE5Ah]
                      int3
                      int3
                      dec eax
                      mov dword ptr [esp+10h], ebx
                      dec eax
                      mov dword ptr [esp+18h], edi
                      push ebp
                      dec eax
                      mov ebp, esp
                      dec eax
                      sub esp, 20h
                      and dword ptr [ebp-18h], 00000000h
                      xor ecx, ecx
                      xor eax, eax
                      mov dword ptr [00424040h], 00000002h
                      cpuid
                      inc esp
                      mov eax, ecx
                      mov dword ptr [0042402Dh], 00000001h
                      xor ecx, 444D4163h
                      inc esp
                      mov ecx, edx
                      inc esp
                      mov edx, edx
                      inc ecx
                      xor ecx, 69746E65h
                      inc ecx
                      xor edx, 49656E69h
                      inc ecx
                      xor eax, 6C65746Eh
                      inc ebp
                      or edx, eax
                      inc esp
                      mov ebx, ebx
                      inc esp
                      mov eax, dword ptr [0043A8AFh]
                      inc ecx
                      xor ebx, 68747541h
                      inc ebp
                      or ebx, ecx
                      mov edx, ebx
                      inc esp
                      or ebx, ecx
                      xor edx, 756E6547h
                      xor ecx, ecx
                      mov edi, eax
                      inc esp
                      or edx, edx
                      mov eax, 00000001h
                      cpuid
                      mov dword ptr [ebp-10h], eax
                      inc esp
                      mov ecx, ecx
                      inc esp
                      mov dword ptr [ebp-08h], ecx
                      mov ecx, eax
                      mov dword ptr [ebp-0Ch], ebx
                      mov dword ptr [ebp-04h], edx
                      inc ebp
                      test edx, edx
                      jne 00007FF83C9C0274h
                      dec eax
                      or dword ptr [00423FC5h], FFFFFFFFh
                      Programming Language:
                      • [C++] VS2015 UPD1 build 23506
                      • [ C ] VS2010 SP1 build 40219
                      • [IMP] VS2008 SP1 build 30729
                      • [C++] VS2010 SP1 build 40219
                      • [C++] VS2015 UPD2 build 23918
                      • [RES] VS2015 UPD3 build 24213
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x78cbf0 | 0x5c | .rdata
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x78cc4c | 0xdc | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x81a000 | 0x1e0 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x7ef000 | 0x28434 | .pdata
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x81b000 | 0x7f28 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x71fcf0 | 0x1c | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x71fd10 | 0x28 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x711010 | 0x94 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x430000 | 0x900 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x78c724 | 0x60 | .rdata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x42e5ac | 0x42e600 | ca7ad8ed0f6556ba86614a5138505a0f | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x430000 | 0x35ea98 | 0x35ec00 | a72e786d48e3c944ad1048227e2f216a | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x78f000 | 0x5f774 | 0x56c00 | fb8ccac49f5cf1e190b7aa3f4b9e8b74 | False | 0.19904989193083575 | data | 4.650395690668537 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata | 0x7ef000 | 0x28434 | 0x28600 | 2c0c04eed735c12296db973a98d87b57 | False | 0.4941889996130031 | data | 6.3679888872063914 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.tls | 0x818000 | 0x15 | 0x200 | adb00c88d5919bab3c4b160cbf2abed5 | False | 0.03515625 | data | 0.020393135236084953 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.gfids | 0x819000 | 0xf3c | 0x1000 | 41f6e8fedce46fcd6814e6283f5803c7 | False | 0.3701171875 | OpenPGP Secret Key | 3.9645701151051798 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc | 0x81a000 | 0x1e0 | 0x200 | 4cf3d3ea4709072c0dcdfe2d7fdd3bfe | False | 0.53125 | data | 4.7176788329467545 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x81b000 | 0x7f28 | 0x8000 | 458621cf387bc47391eed1948e7e0eb3 | False | 0.24725341796875 | data | 5.462620446927897 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                      | Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
                      |---|---|---|---|---|---|---|
                      | RT_MANIFEST | 0x81a060 | 0x17d | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.5931758530183727 |
                      | DLL | Import |
                      |---|---|
                      | PSAPI.DLL | EnumProcessModules, GetModuleFileNameExA |
                      | CFGMGR32.dll | CM_Open_DevNode_Key, CM_Locate_DevNodeW, CM_Get_Child, CM_Get_Sibling, CM_Get_DevNode_Status, CM_Get_DevNode_PropertyW, CM_Get_Device_ID_List_SizeW, CM_Get_Device_ID_ListW, CM_Get_Device_IDW |
                      | ADVAPI32.dll | RegisterEventSourceW, ReportEventW, CryptAcquireContextA, CryptReleaseContext, CryptGenRandom, CryptGetHashParam, CryptCreateHash, CryptHashData, CryptDestroyHash, RegQueryValueExA, RegOpenKeyExA, RegCloseKey, DeregisterEventSource, RegOpenKeyExW, RegQueryValueExW, RegSetValueExW, RegGetValueW, RegEnumValueA |
                      | WS2_32.dll | getpeername, inet_pton, shutdown, send, recv, freeaddrinfo, getaddrinfo, ntohs, select, getsockopt, getsockname, connect, accept, __WSAFDIsSet, WSAStringToAddressW, WSAAddressToStringW, WSASocketW, WSASend, WSARecv, WSAGetLastError, WSASetLastError, setsockopt, ntohl, listen, htons, htonl, ioctlsocket, closesocket, bind, WSACleanup, WSAStartup, socket, WSAIoctl |
                      | KERNEL32.dll | GetACP, ReadConsoleInputA, PeekConsoleInputA, GetNumberOfConsoleInputEvents, SystemTimeToTzSpecificLocalTime, PeekNamedPipe, GetDriveTypeW, ReadFile, SetStdHandle, ExitProcess, GetModuleHandleExW, GetCommandLineW, GetCommandLineA, RtlUnwindEx, UnregisterWaitEx, QueryDepthSList, InterlockedFlushSList, GetLastError, PostQueuedCompletionStatus, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, GetCurrentThread, TlsAlloc, TlsFree, GetModuleHandleA, GetProcAddress, VerSetConditionMask, CloseHandle, SetLastError, CreateIoCompletionPort, GetQueuedCompletionStatus, WaitForSingleObject, SetWaitableTimer, QueueUserAPC, TerminateThread, TlsGetValue, TlsSetValue, WaitForMultipleObjects, VerifyVersionInfoA, WideCharToMultiByte, WaitForSingleObjectEx, ReleaseSemaphore, GetSystemTimeAsFileTime, CreateFileA, OutputDebugStringA, GetCurrentProcess, GetLocalTime, GetTickCount64, MultiByteToWideChar, FreeLibrary, WaitForMultipleObjectsEx, SetErrorMode, LoadLibraryA, DeviceIoControl, GetExitCodeProcess, CreateProcessA, ExpandEnvironmentStringsA, GetSystemDirectoryA, LoadLibraryExA, CreateSemaphoreA, GetSystemTime, SystemTimeToFileTime, SetConsoleCtrlHandler, GetStdHandle, WriteFile, SetConsoleTextAttribute, GetConsoleMode, SetConsoleMode, CreateFileW, Sleep, GetCurrentProcessId, ExitThread, OpenProcess, VirtualProtect, EnumSystemLocalesW, GetModuleHandleW, QueryFullProcessImageNameA, CreateToolhelp32Snapshot, Process32First, Process32Next, LocalFileTimeToFileTime, SetThreadExecutionState, CreateWaitableTimerA, ReadConsoleW, GlobalMemoryStatusEx, SetThreadPriority, SetEvent, ReleaseMutex, SleepEx, CreateMutexW, CreateEventW, IsBadReadPtr, IsBadWritePtr, InitOnceExecuteOnce, SetCurrentDirectoryW, GetCurrentDirectoryW, DeleteFileW, FindClose, FindFirstFileW, FindNextFileW, GetFileAttributesW, GetFileAttributesExW, GetFileTime, GetFullPathNameW, RemoveDirectoryW, SetEndOfFile, SetFilePointerEx, HeapSize, MoveFileExW, LCMapStringW, AreFileApisANSI, QueryPerformanceFrequency, QueryPerformanceCounter, SetEnvironmentVariableA, VirtualAlloc, VirtualFree, GetSystemInfo, GetNativeSystemInfo, InitializeCriticalSection, TryEnterCriticalSection, GetCurrentThreadId, SwitchToThread, ResetEvent, GetModuleFileNameA, HeapDestroy, HeapAlloc, HeapFree, HeapReAlloc, FreeLibraryAndExitThread, HeapCreate, LocalAlloc, GetSystemDirectoryW, LocalFree, LoadLibraryExW, GetModuleFileNameW, FormatMessageA, GetFileType, FlushConsoleInputBuffer, GetTickCount, GlobalMemoryStatus, LoadLibraryW, InterlockedPushEntrySList, InterlockedPopEntrySList, GetVersionExW, GetThreadTimes, UnregisterWait, GetConsoleCP, GetDateFormatW, GetTimeFormatW, IsValidLocale, FileTimeToSystemTime, GetUserDefaultLCID, RegisterWaitForSingleObject, SetThreadAffinityMask, FlushFileBuffers, GetTimeZoneInformation, SetEnvironmentVariableW, GetProcessHeap, FindFirstFileExA, FindNextFileA, IsValidCodePage, GetOEMCP, GetProcessAffinityMask, GetNumaHighestNodeNumber, DeleteTimerQueueTimer, ChangeTimerQueueTimer, CreateTimerQueueTimer, GetLogicalProcessorInformation, GetThreadPriority, CreateThread, SignalObjectAndWait, CreateTimerQueue, GetStartupInfoW, GetEnvironmentStringsW, FreeEnvironmentStringsW, WriteConsoleW, VirtualQuery, RaiseException, DuplicateHandle, GetExitCodeThread, RtlPcToFileHeader, EncodePointer, DecodePointer, QueueUserWorkItem, IsProcessorFeaturePresent, GetCPInfo, CompareStringW, GetLocaleInfoW, GetStringTypeW, InitializeSListHead, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TerminateProcess, IsDebuggerPresent |
                      | USER32.dll | GetProcessWindowStation, GetUserObjectInformationW, MessageBoxW |
                      | ole32.dll | StringFromGUID2 |
                      | MSWSOCK.dll | GetAcceptExSockaddrs, AcceptEx |
                      | WINTRUST.dll | CryptCATAdminCalcHashFromFileHandle, CryptCATAdminEnumCatalogFromHash, CryptCATAdminReleaseCatalogContext, CryptCATAdminReleaseContext, WinVerifyTrust, CryptCATAdminAcquireContext, CryptCATCatalogInfoFromContext |
                      | CRYPT32.dll | CertEnumCertificatesInStore, CertFreeCertificateContext, CertCloseStore, CertOpenSystemStoreA |
                      | Name | Ordinal | Address |
                      |---|---|---|
                      | NvOptimusEnablementCuda | 1 | 0x140790f58 |
                      | Language of compilation system | Country where language is spoken | Map |
                      |---|---|---|
                      | English | United States | |
                      No network behavior found
                      Target ID:0
                      Start time:08:59:16
                      Start date:08/03/2024
                      Path:C:\Users\user\Desktop\PhoenixMiner.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Users\user\Desktop\PhoenixMiner.exe
                      Imagebase:0x7ff719430000
                      File size:8'477'696 bytes
                      MD5 hash:51FF42D909A879D42EB5F0E643AAB806
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:low
                      Has exited:true

                      Target ID:1
                      Start time:08:59:17
                      Start date:08/03/2024
                      Path:C:\Windows\System32\conhost.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Imagebase:0x7ff772470000
                      File size:862'208 bytes
                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:high
                      Has exited:true

                      Target ID:3
                      Start time:08:59:27
                      Start date:08/03/2024
                      Path:C:\Users\user\Desktop\PhoenixMiner.exe
                      Wow64 process (32bit):false
                      Commandline:"C:\Users\user\Desktop\PhoenixMiner.exe"
                      Imagebase:0x7ff719430000
                      File size:8'477'696 bytes
                      MD5 hash:51FF42D909A879D42EB5F0E643AAB806
                      Has elevated privileges:false
                      Has administrator privileges:false
                      Programmed in:C, C++ or other language
                      Reputation:low
                      Has exited:true

                      Target ID:5
                      Start time:08:59:27
                      Start date:08/03/2024
                      Path:C:\Windows\System32\conhost.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Imagebase:0x7ff772470000
                      File size:862'208 bytes
                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                      Has elevated privileges:false
                      Has administrator privileges:false
                      Programmed in:C, C++ or other language
                      Reputation:high
                      Has exited:true

                      Target ID:9
                      Start time:08:59:38
                      Start date:08/03/2024
                      Path:C:\Users\user\Desktop\PhoenixMiner.exe
                      Wow64 process (32bit):false
                      Commandline:"C:\Users\user\Desktop\PhoenixMiner.exe"
                      Imagebase:0x7ff719430000
                      File size:8'477'696 bytes
                      MD5 hash:51FF42D909A879D42EB5F0E643AAB806
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Yara matches:
                      • Rule: JoeSecurity_PhoenixMiner, Description: Yara detected Phoenix Miner, Source: 00000009.00000002.1249892819.0000025B46647000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                      Reputation:low
                      Has exited:true

                      Target ID:10
                      Start time:08:59:38
                      Start date:08/03/2024
                      Path:C:\Windows\System32\conhost.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Imagebase:0x7ff772470000
                      File size:862'208 bytes
                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:high
                      Has exited:true

                      No disassembly