Edit tour

Windows Analysis Report
Phoenix Service Tool V5.6.exe

Overview

General Information

Sample name:	Phoenix Service Tool V5.6.exe
Analysis ID:	1539249
MD5:	f60b09fd39c1bfb5b38cdcddbd735fec
SHA1:	6988749c6c885ff957cb2be7a477e1caaa5f50f9
SHA256:	d6d327be485e5f88f4788998b5acccb18f86da34f7fe5f1cf193a50a486705cc
Tags:	exeuser-ORDINESOUND
Infos:

Detection

Score:	64
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

AI detected suspicious sample

Hides threads from debuggers

Overwrites code with unconditional jumps - possibly settings hooks in foreign process

PE file contains section with special chars

Switches to a custom stack to bypass stack traces

Tries to evade analysis by execution special instruction (VM detection)

Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))

Checks if the current process is being debugged

Entry point lies outside standard sections

JA3 SSL client fingerprint seen in connection with other malware

PE file contains more sections than normal

PE file contains sections with non-standard names

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Classification

Process Tree

System is w10x64

Phoenix Service Tool V5.6.exe (PID: 2304 cmdline: "C:\Users\user\Desktop\Phoenix Service Tool V5.6.exe" MD5: F60B09FD39C1BFB5B38CDCDDBD735FEC)

cleanup

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 94.7% probability

Source: Phoenix Service Tool V5.6.exe, 00000000.00000002.2953307052.0000000000841000.00000020.00000001.01000000.00000003.sdmp

Binary or memory string: -----BEGIN PUBLIC KEY-----

memstr_d65735be-b

Source: Phoenix Service Tool V5.6.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 104.21.4.246:443 -> 192.168.2.4:49736 version: TLS 1.2

Source: Phoenix Service Tool V5.6.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: Joe Sandbox View

JA3 fingerprint: fd80fa9c6120cdeea8520510f3c644ac

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: apiv3.phoenixservicetool.net

Source: unknown

HTTP traffic detected: POST /update HTTP/1.0Connection: keep-aliveContent-Type: application/x-www-form-urlencodedContent-Length: 787Authorization: Bearer NTA3Nzc5RkJCN0JFN0FBQUFDNDhDMjQwMzVDQjA0NEFDRTAxMUFFMjMwNTE3NjBDNDg4OEE4MDNDRUI4MUQ0QzhDMUY3QjQyMzgxNjY5QkQ0ODJCRDA2OTRGMzQ3NTgxMEU2NUUyNDMyMTkzMzA4QzFERjMxNzg3MkI4NjYwMERCODA3ODlENUQzMkEzQTM0NTc1QkYxM0JBODBGMDFDRjk3MDkwQUM2Q0ZDOUE3NDFCM0Q2NEYyM0MzREIxNTMxM0VBQURDRkQ3MzQzMTFGMURBRERCMTkxQkRFM0JFRUJEMTA4RjMwQzEwQzA3NkY0QTI3MTJDOUZEQzU1OTRGRDc2NDBDNzY5RUQ0MDVBMEIxRTgyMTk0OTVCNDczMUU5NTExNEFBQjdENEEwQkMyRUYzM0NCODVDMTJFRUE2NzY2OEE5RkY5RTY3ODdCQTBFNTU2MzFBMkFDMEEzQTAxMjQ2RTY2OEY1RUNCM0Q4OTcyRTJFOTkzOEVGOURFMDk1NzUwQzRCRkQ2MjI0NDhERTNCQjQ5RkU2MDI1MjJGRUU1MzY0N0FERjFGRTZDNTI1MjM3RUFCNDAwN0M1QjE5M0M4MTQyQTQyNjQzODUyQjQyMzg1N0VDMDhFRjBENEZCMUQ5NUZGOUFGRDc4MkZBMkY2MTlDOUEwNTczNEEyQjk3NEZBREQ4M0EzRjI4NUJBQTg5MzAxMjIwQjA1RjFBRUVBOUFDREM0Njk5QzZCQjQ4RjI3NDE5RTE2NDQ0RDM0Host: apiv3.phoenixservicetool.netAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8User-Agent: PhoenixTool

Source: Phoenix Service Tool V5.6.exe, 00000000.00000002.2953307052.0000000001241000.00000020.00000001.01000000.00000003.sdmp	String found in binary or memory: http://bit.ly/3tQUO9F
Source: Phoenix Service Tool V5.6.exe, 00000000.00000003.1893433384.000000000B31B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://fontawesome.io/license/o#
Source: Phoenix Service Tool V5.6.exe, 00000000.00000002.2953307052.0000000001241000.00000020.00000001.01000000.00000003.sdmp	String found in binary or memory: http://www.indyproject.org/
Source: Phoenix Service Tool V5.6.exe, 00000000.00000002.2953307052.0000000001241000.00000020.00000001.01000000.00000003.sdmp	String found in binary or memory: https://apiv3.phoenixservicetool.net
Source: Phoenix Service Tool V5.6.exe, 00000000.00000002.2953307052.0000000001241000.00000020.00000001.01000000.00000003.sdmp	String found in binary or memory: https://apiv3.phoenixservicetool.net/download-file.phpU
Source: Phoenix Service Tool V5.6.exe, 00000000.00000003.1941178525.000000000CA88000.00000004.00000020.00020000.00000000.sdmp, Phoenix Service Tool V5.6.exe, 00000000.00000003.1941143458.000000000CA88000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.recaptcha.net/recaptcha/api.js?onload=onloadCallback&render=explicit
Source: Phoenix Service Tool V5.6.exe, 00000000.00000002.2953307052.0000000001241000.00000020.00000001.01000000.00000003.sdmp	String found in binary or memory: https://www.winsoft.sk

Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736

Source: unknown

HTTPS traffic detected: 104.21.4.246:443 -> 192.168.2.4:49736 version: TLS 1.2

System Summary

PE file contains section with special chars

Source: Phoenix Service Tool V5.6.exe	Static PE information: section name: ."eY
Source: Phoenix Service Tool V5.6.exe	Static PE information: section name: .$3(

Source: Phoenix Service Tool V5.6.exe

Static PE information: Number of sections : 14 > 10

Source: Phoenix Service Tool V5.6.exe, 00000000.00000002.2953307052.0000000000841000.00000020.00000001.01000000.00000003.sdmp

Binary or memory string: OriginalFileName vs Phoenix Service Tool V5.6.exe

Source: Phoenix Service Tool V5.6.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: classification engine

Classification label: mal64.evad.winEXE@1/0@1/1

Source: C:\Users\user\Desktop\Phoenix Service Tool V5.6.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales			Jump to behavior
Source: C:\Users\user\Desktop\Phoenix Service Tool V5.6.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales			Jump to behavior

Source: C:\Users\user\Desktop\Phoenix Service Tool V5.6.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\Phoenix Service Tool V5.6.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\Phoenix Service Tool V5.6.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Phoenix Service Tool V5.6.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Phoenix Service Tool V5.6.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Phoenix Service Tool V5.6.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Phoenix Service Tool V5.6.exe	Section loaded: adbwinapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Phoenix Service Tool V5.6.exe	Section loaded: adbwinusbapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Phoenix Service Tool V5.6.exe	Section loaded: winusb.dll	Jump to behavior
Source: C:\Users\user\Desktop\Phoenix Service Tool V5.6.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Phoenix Service Tool V5.6.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Phoenix Service Tool V5.6.exe	Section loaded: iconcodecservice.dll	Jump to behavior
Source: C:\Users\user\Desktop\Phoenix Service Tool V5.6.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Phoenix Service Tool V5.6.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Phoenix Service Tool V5.6.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\Desktop\Phoenix Service Tool V5.6.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Phoenix Service Tool V5.6.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Phoenix Service Tool V5.6.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Phoenix Service Tool V5.6.exe	Section loaded: compstui.dll	Jump to behavior
Source: C:\Users\user\Desktop\Phoenix Service Tool V5.6.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Phoenix Service Tool V5.6.exe	Section loaded: kernel.dll	Jump to behavior
Source: C:\Users\user\Desktop\Phoenix Service Tool V5.6.exe	Section loaded: security.dll	Jump to behavior
Source: C:\Users\user\Desktop\Phoenix Service Tool V5.6.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Phoenix Service Tool V5.6.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Phoenix Service Tool V5.6.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\Phoenix Service Tool V5.6.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Phoenix Service Tool V5.6.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\Phoenix Service Tool V5.6.exe	Section loaded: msftedit.dll	Jump to behavior
Source: C:\Users\user\Desktop\Phoenix Service Tool V5.6.exe	Section loaded: windows.globalization.dll	Jump to behavior
Source: C:\Users\user\Desktop\Phoenix Service Tool V5.6.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Phoenix Service Tool V5.6.exe	Section loaded: bcp47mrm.dll	Jump to behavior
Source: C:\Users\user\Desktop\Phoenix Service Tool V5.6.exe	Section loaded: globinputhost.dll	Jump to behavior
Source: C:\Users\user\Desktop\Phoenix Service Tool V5.6.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Phoenix Service Tool V5.6.exe	Section loaded: idndl.dll	Jump to behavior
Source: C:\Users\user\Desktop\Phoenix Service Tool V5.6.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Phoenix Service Tool V5.6.exe	Section loaded: libeay32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Phoenix Service Tool V5.6.exe	Section loaded: ssleay32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Phoenix Service Tool V5.6.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Phoenix Service Tool V5.6.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Phoenix Service Tool V5.6.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Phoenix Service Tool V5.6.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Phoenix Service Tool V5.6.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Phoenix Service Tool V5.6.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\Phoenix Service Tool V5.6.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Phoenix Service Tool V5.6.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Phoenix Service Tool V5.6.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\Phoenix Service Tool V5.6.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\Phoenix Service Tool V5.6.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\Phoenix Service Tool V5.6.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\Phoenix Service Tool V5.6.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\Phoenix Service Tool V5.6.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Phoenix Service Tool V5.6.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Phoenix Service Tool V5.6.exe	Section loaded: wintypes.dll	Jump to behavior

Source: C:\Users\user\Desktop\Phoenix Service Tool V5.6.exe

Window found: window name: msctls_updown32

Jump to behavior

Source: C:\Users\user\Desktop\Phoenix Service Tool V5.6.exe

File opened: C:\Windows\SysWOW64\MSFTEDIT.DLL

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: Phoenix Service Tool V5.6.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: Phoenix Service Tool V5.6.exe

Static file information: File size 62082048 > 1048576

Source: Phoenix Service Tool V5.6.exe

Static PE information: Raw size of .$3( is bigger than: 0x100000 < 0x3b21400

Source: Phoenix Service Tool V5.6.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: initial sample

Static PE information: section where entry point is pointing to: .$3(

Source: Phoenix Service Tool V5.6.exe	Static PE information: section name: .didata
Source: Phoenix Service Tool V5.6.exe	Static PE information: section name: ."eY
Source: Phoenix Service Tool V5.6.exe	Static PE information: section name: .aK8
Source: Phoenix Service Tool V5.6.exe	Static PE information: section name: .$3(

Hooking and other Techniques for Hiding and Protection

Overwrites code with unconditional jumps - possibly settings hooks in foreign process

Source: C:\Users\user\Desktop\Phoenix Service Tool V5.6.exe	Memory written: PID: 2304 base: 8EA0005 value: E9 8B 2F 06 6E	Jump to behavior
Source: C:\Users\user\Desktop\Phoenix Service Tool V5.6.exe	Memory written: PID: 2304 base: 76F02F90 value: E9 7A D0 F9 91	Jump to behavior
Source: C:\Users\user\Desktop\Phoenix Service Tool V5.6.exe	Memory written: PID: 2304 base: 8EB0007 value: E9 EB DF 08 6E	Jump to behavior
Source: C:\Users\user\Desktop\Phoenix Service Tool V5.6.exe	Memory written: PID: 2304 base: 76F3DFF0 value: E9 1E 20 F7 91	Jump to behavior
Source: C:\Users\user\Desktop\Phoenix Service Tool V5.6.exe	Memory written: PID: 2304 base: 8EC0005 value: E9 2B BA 00 6E	Jump to behavior
Source: C:\Users\user\Desktop\Phoenix Service Tool V5.6.exe	Memory written: PID: 2304 base: 76ECBA30 value: E9 DA 45 FF 91	Jump to behavior
Source: C:\Users\user\Desktop\Phoenix Service Tool V5.6.exe	Memory written: PID: 2304 base: 8FE0008 value: E9 8B 8E F3 6D	Jump to behavior
Source: C:\Users\user\Desktop\Phoenix Service Tool V5.6.exe	Memory written: PID: 2304 base: 76F18E90 value: E9 80 71 0C 92	Jump to behavior
Source: C:\Users\user\Desktop\Phoenix Service Tool V5.6.exe	Memory written: PID: 2304 base: 8FF0005 value: E9 8B 4D C0 6C	Jump to behavior
Source: C:\Users\user\Desktop\Phoenix Service Tool V5.6.exe	Memory written: PID: 2304 base: 75BF4D90 value: E9 7A B2 3F 93	Jump to behavior
Source: C:\Users\user\Desktop\Phoenix Service Tool V5.6.exe	Memory written: PID: 2304 base: 9000005 value: E9 EB EB C0 6C	Jump to behavior
Source: C:\Users\user\Desktop\Phoenix Service Tool V5.6.exe	Memory written: PID: 2304 base: 75C0EBF0 value: E9 1A 14 3F 93	Jump to behavior
Source: C:\Users\user\Desktop\Phoenix Service Tool V5.6.exe	Memory written: PID: 2304 base: 93A0005 value: E9 8B 8A C3 6B	Jump to behavior
Source: C:\Users\user\Desktop\Phoenix Service Tool V5.6.exe	Memory written: PID: 2304 base: 74FD8A90 value: E9 7A 75 3C 94	Jump to behavior
Source: C:\Users\user\Desktop\Phoenix Service Tool V5.6.exe	Memory written: PID: 2304 base: 93B0005 value: E9 2B 02 C5 6B	Jump to behavior
Source: C:\Users\user\Desktop\Phoenix Service Tool V5.6.exe	Memory written: PID: 2304 base: 75000230 value: E9 DA FD 3A 94	Jump to behavior
Source: C:\Users\user\Desktop\Phoenix Service Tool V5.6.exe	Memory written: PID: 2304 base: 93C0005 value: E9 5B 2E B4 6D	Jump to behavior
Source: C:\Users\user\Desktop\Phoenix Service Tool V5.6.exe	Memory written: PID: 2304 base: 76F02E60 value: E9 AA D1 4B 92	Jump to behavior
Source: C:\Users\user\Desktop\Phoenix Service Tool V5.6.exe	Memory written: PID: 2304 base: 93D0005 value: E9 EB 3E B3 6D	Jump to behavior
Source: C:\Users\user\Desktop\Phoenix Service Tool V5.6.exe	Memory written: PID: 2304 base: 76F03EF0 value: E9 1A C1 4C 92	Jump to behavior
Source: C:\Users\user\Desktop\Phoenix Service Tool V5.6.exe	Memory written: PID: 2304 base: 93E0005 value: E9 DB 2F B2 6D	Jump to behavior
Source: C:\Users\user\Desktop\Phoenix Service Tool V5.6.exe	Memory written: PID: 2304 base: 76F02FE0 value: E9 2A D0 4D 92	Jump to behavior
Source: C:\Users\user\Desktop\Phoenix Service Tool V5.6.exe	Memory written: PID: 2304 base: 93F0005 value: E9 BB 2D B1 6D	Jump to behavior
Source: C:\Users\user\Desktop\Phoenix Service Tool V5.6.exe	Memory written: PID: 2304 base: 76F02DC0 value: E9 4A D2 4E 92	Jump to behavior
Source: C:\Users\user\Desktop\Phoenix Service Tool V5.6.exe	Memory written: PID: 2304 base: AB20005 value: E9 CB 2A 3E 6C	Jump to behavior
Source: C:\Users\user\Desktop\Phoenix Service Tool V5.6.exe	Memory written: PID: 2304 base: 76F02AD0 value: E9 3A D5 C1 93	Jump to behavior
Source: C:\Users\user\Desktop\Phoenix Service Tool V5.6.exe	Memory written: PID: 2304 base: AB30005 value: E9 7B 2B 3D 6C	Jump to behavior
Source: C:\Users\user\Desktop\Phoenix Service Tool V5.6.exe	Memory written: PID: 2304 base: 76F02B80 value: E9 8A D4 C2 93	Jump to behavior
Source: C:\Users\user\Desktop\Phoenix Service Tool V5.6.exe	Memory written: PID: 2304 base: AB40005 value: E9 1B 2F 3C 6C	Jump to behavior
Source: C:\Users\user\Desktop\Phoenix Service Tool V5.6.exe	Memory written: PID: 2304 base: 76F02F20 value: E9 EA D0 C3 93	Jump to behavior
Source: C:\Users\user\Desktop\Phoenix Service Tool V5.6.exe	Memory written: PID: 2304 base: AB50005 value: E9 FB 2C 3B 6C	Jump to behavior
Source: C:\Users\user\Desktop\Phoenix Service Tool V5.6.exe	Memory written: PID: 2304 base: 76F02D00 value: E9 0A D3 C4 93	Jump to behavior
Source: C:\Users\user\Desktop\Phoenix Service Tool V5.6.exe	Memory written: PID: 2304 base: AB60005 value: E9 DB 2D 3A 6C	Jump to behavior
Source: C:\Users\user\Desktop\Phoenix Service Tool V5.6.exe	Memory written: PID: 2304 base: 76F02DE0 value: E9 2A D2 C5 93	Jump to behavior
Source: C:\Users\user\Desktop\Phoenix Service Tool V5.6.exe	Memory written: PID: 2304 base: AB70005 value: E9 AB 3E 39 6C	Jump to behavior
Source: C:\Users\user\Desktop\Phoenix Service Tool V5.6.exe	Memory written: PID: 2304 base: 76F03EB0 value: E9 5A C1 C6 93	Jump to behavior
Source: C:\Users\user\Desktop\Phoenix Service Tool V5.6.exe	Memory written: PID: 2304 base: AB80005 value: E9 2B 2F 38 6C	Jump to behavior
Source: C:\Users\user\Desktop\Phoenix Service Tool V5.6.exe	Memory written: PID: 2304 base: 76F02F30 value: E9 DA D0 C7 93	Jump to behavior
Source: C:\Users\user\Desktop\Phoenix Service Tool V5.6.exe	Memory written: PID: 2304 base: AB90005 value: E9 9B 2F 37 6C	Jump to behavior
Source: C:\Users\user\Desktop\Phoenix Service Tool V5.6.exe	Memory written: PID: 2304 base: 76F02FA0 value: E9 6A D0 C8 93	Jump to behavior
Source: C:\Users\user\Desktop\Phoenix Service Tool V5.6.exe	Memory written: PID: 2304 base: ABA0005 value: E9 0B 2D 36 6C	Jump to behavior
Source: C:\Users\user\Desktop\Phoenix Service Tool V5.6.exe	Memory written: PID: 2304 base: 76F02D10 value: E9 FA D2 C9 93	Jump to behavior
Source: C:\Users\user\Desktop\Phoenix Service Tool V5.6.exe	Memory written: PID: 2304 base: ABB0005 value: E9 CB 3B 35 6C	Jump to behavior
Source: C:\Users\user\Desktop\Phoenix Service Tool V5.6.exe	Memory written: PID: 2304 base: 76F03BD0 value: E9 3A C4 CA 93	Jump to behavior
Source: C:\Users\user\Desktop\Phoenix Service Tool V5.6.exe	Memory written: PID: 2304 base: ABD0005 value: E9 2B 2D 33 6C	Jump to behavior
Source: C:\Users\user\Desktop\Phoenix Service Tool V5.6.exe	Memory written: PID: 2304 base: 76F02D30 value: E9 DA D2 CC 93	Jump to behavior
Source: C:\Users\user\Desktop\Phoenix Service Tool V5.6.exe	Memory written: PID: 2304 base: ABE0005 value: E9 4B 47 32 6C	Jump to behavior
Source: C:\Users\user\Desktop\Phoenix Service Tool V5.6.exe	Memory written: PID: 2304 base: 76F04750 value: E9 BA B8 CD 93	Jump to behavior
Source: C:\Users\user\Desktop\Phoenix Service Tool V5.6.exe	Memory written: PID: 2304 base: ABF0005 value: E9 BB 2C 31 6C	Jump to behavior
Source: C:\Users\user\Desktop\Phoenix Service Tool V5.6.exe	Memory written: PID: 2304 base: 76F02CC0 value: E9 4A D3 CE 93	Jump to behavior
Source: C:\Users\user\Desktop\Phoenix Service Tool V5.6.exe	Memory written: PID: 2304 base: AC00005 value: E9 5B 2B 30 6C	Jump to behavior
Source: C:\Users\user\Desktop\Phoenix Service Tool V5.6.exe	Memory written: PID: 2304 base: 76F02B60 value: E9 AA D4 CF 93	Jump to behavior
Source: C:\Users\user\Desktop\Phoenix Service Tool V5.6.exe	Memory written: PID: 2304 base: AC10005 value: E9 6B 2B 2F 6C	Jump to behavior
Source: C:\Users\user\Desktop\Phoenix Service Tool V5.6.exe	Memory written: PID: 2304 base: 76F02B70 value: E9 9A D4 D0 93	Jump to behavior

Source: C:\Users\user\Desktop\Phoenix Service Tool V5.6.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Phoenix Service Tool V5.6.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Phoenix Service Tool V5.6.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Phoenix Service Tool V5.6.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Phoenix Service Tool V5.6.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Phoenix Service Tool V5.6.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Phoenix Service Tool V5.6.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Phoenix Service Tool V5.6.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Phoenix Service Tool V5.6.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Phoenix Service Tool V5.6.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Phoenix Service Tool V5.6.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Phoenix Service Tool V5.6.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Phoenix Service Tool V5.6.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Phoenix Service Tool V5.6.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Phoenix Service Tool V5.6.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Phoenix Service Tool V5.6.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\Phoenix Service Tool V5.6.exe	API/Special instruction interceptor: Address: 88231C8
Source: C:\Users\user\Desktop\Phoenix Service Tool V5.6.exe	API/Special instruction interceptor: Address: 88B69F3
Source: C:\Users\user\Desktop\Phoenix Service Tool V5.6.exe	API/Special instruction interceptor: Address: 4E72E68
Source: C:\Users\user\Desktop\Phoenix Service Tool V5.6.exe	API/Special instruction interceptor: Address: 831E9B4
Source: C:\Users\user\Desktop\Phoenix Service Tool V5.6.exe	API/Special instruction interceptor: Address: 834D990
Source: C:\Users\user\Desktop\Phoenix Service Tool V5.6.exe	API/Special instruction interceptor: Address: 8807E9B
Source: C:\Users\user\Desktop\Phoenix Service Tool V5.6.exe	API/Special instruction interceptor: Address: 4E4A814
Source: C:\Users\user\Desktop\Phoenix Service Tool V5.6.exe	API/Special instruction interceptor: Address: 81FBC2A
Source: C:\Users\user\Desktop\Phoenix Service Tool V5.6.exe	API/Special instruction interceptor: Address: 4E25D58
Source: C:\Users\user\Desktop\Phoenix Service Tool V5.6.exe	API/Special instruction interceptor: Address: 80F45A9
Source: C:\Users\user\Desktop\Phoenix Service Tool V5.6.exe	API/Special instruction interceptor: Address: 814B3CD
Source: C:\Users\user\Desktop\Phoenix Service Tool V5.6.exe	API/Special instruction interceptor: Address: 834C951
Source: C:\Users\user\Desktop\Phoenix Service Tool V5.6.exe	API/Special instruction interceptor: Address: 8708C1A
Source: C:\Users\user\Desktop\Phoenix Service Tool V5.6.exe	API/Special instruction interceptor: Address: 88C25AA
Source: C:\Users\user\Desktop\Phoenix Service Tool V5.6.exe	API/Special instruction interceptor: Address: 4E09304
Source: C:\Users\user\Desktop\Phoenix Service Tool V5.6.exe	API/Special instruction interceptor: Address: 88DF371
Source: C:\Users\user\Desktop\Phoenix Service Tool V5.6.exe	API/Special instruction interceptor: Address: 82DFF23
Source: C:\Users\user\Desktop\Phoenix Service Tool V5.6.exe	API/Special instruction interceptor: Address: 8160DD4
Source: C:\Users\user\Desktop\Phoenix Service Tool V5.6.exe	API/Special instruction interceptor: Address: 888B7AE

Tries to evade analysis by execution special instruction (VM detection)

Source: C:\Users\user\Desktop\Phoenix Service Tool V5.6.exe

Special instruction interceptor: First address: 4DDD93B instructions rdtsc caused by: RDTSC with Trap Flag (TF)

Source: Phoenix Service Tool V5.6.exe, 00000000.00000003.1941754480.00000000090C3000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\Phoenix Service Tool V5.6.exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\Users\user\Desktop\Phoenix Service Tool V5.6.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Hides threads from debuggers

Source: C:\Users\user\Desktop\Phoenix Service Tool V5.6.exe	Thread information set: HideFromDebugger			Jump to behavior
Source: C:\Users\user\Desktop\Phoenix Service Tool V5.6.exe	Thread information set: HideFromDebugger			Jump to behavior

Source: C:\Users\user\Desktop\Phoenix Service Tool V5.6.exe

System information queried: KernelDebuggerInformation

Jump to behavior

Source: C:\Users\user\Desktop\Phoenix Service Tool V5.6.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\Phoenix Service Tool V5.6.exe	Process queried: DebugObjectHandle	Jump to behavior
Source: C:\Users\user\Desktop\Phoenix Service Tool V5.6.exe	Process queried: DebugObjectHandle	Jump to behavior
Source: C:\Users\user\Desktop\Phoenix Service Tool V5.6.exe	Process queried: DebugObjectHandle	Jump to behavior
Source: C:\Users\user\Desktop\Phoenix Service Tool V5.6.exe	Process queried: DebugPort	Jump to behavior

Source: Phoenix Service Tool V5.6.exe, 00000000.00000002.2953307052.0000000000841000.00000020.00000001.01000000.00000003.sdmp

Binary or memory string: Shell_TrayWndSVW

Source: C:\Users\user\Desktop\Phoenix Service Tool V5.6.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	1 Process Injection	12 Virtualization/Sandbox Evasion	1 Credential API Hooking	321 Security Software Discovery	Remote Services	1 Credential API Hooking	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Process Injection	LSASS Memory	12 Virtualization/Sandbox Evasion	Remote Desktop Protocol	1 Archive Collected Data	2 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 DLL Side-Loading	Security Account Manager	2 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	3 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	Binary Padding	NTDS	23 System Information Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Phoenix Service Tool V5.6.exe	5%	ReversingLabs

Source	Detection	Scanner	Label	Link
http://www.indyproject.org/	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
apiv3.phoenixservicetool.net	104.21.4.246	true	false		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://apiv3.phoenixservicetool.net/update	false		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://apiv3.phoenixservicetool.net	Phoenix Service Tool V5.6.exe, 00000000.00000002.2953307052.0000000001241000.00000020.00000001.01000000.00000003.sdmp	false		unknown
http://fontawesome.io/license/o#	Phoenix Service Tool V5.6.exe, 00000000.00000003.1893433384.000000000B31B000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://www.winsoft.sk	Phoenix Service Tool V5.6.exe, 00000000.00000002.2953307052.0000000001241000.00000020.00000001.01000000.00000003.sdmp	false		unknown
https://apiv3.phoenixservicetool.net/download-file.phpU	Phoenix Service Tool V5.6.exe, 00000000.00000002.2953307052.0000000001241000.00000020.00000001.01000000.00000003.sdmp	false		unknown
http://www.indyproject.org/	Phoenix Service Tool V5.6.exe, 00000000.00000002.2953307052.0000000001241000.00000020.00000001.01000000.00000003.sdmp	false	URL Reputation: safe	unknown
http://bit.ly/3tQUO9F	Phoenix Service Tool V5.6.exe, 00000000.00000002.2953307052.0000000001241000.00000020.00000001.01000000.00000003.sdmp	false		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.21.4.246	apiv3.phoenixservicetool.net	United States		13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1539249
Start date and time:	2024-10-22 13:44:14 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 53s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	5
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Phoenix Service Tool V5.6.exe
Detection:	MAL
Classification:	mal64.evad.winEXE@1/0@1/1
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
VT rate limit hit for: Phoenix Service Tool V5.6.exe

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	z547GEViTFyfCZdLZP.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	188.114.96.3
	https://1drv.ms/o/c/14c2aef4e2cd9199/EmKMpCkEfbpDs04MuZdva6IBilCqbzQYZtfiLbdaioNL0w?e=E2gYSO	Get hash	malicious	Unknown	Browse	104.18.94.41
	Rechnung 22. Okt. 2024.htm	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	SecuriteInfo.com.Trojan.PackedNET.3057.16994.22226.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	https://eu-chervongroup.powerappsportalsecurefiles.xyz/	Get hash	malicious	HtmlDropper	Browse	104.21.79.34
	https://eu-chervongroup.powerappsportalsecurefiles.xyz/	Get hash	malicious	HtmlDropper	Browse	104.18.95.41
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	104.21.53.8
	fedcap.67173a0a3d25d0.95038392.pdf	Get hash	malicious	Unknown	Browse	162.159.61.3
	articulate-360.exe	Get hash	malicious	Unknown	Browse	104.16.71.105
	http://eu.jotform.com/app/242950797754371	Get hash	malicious	Unknown	Browse	104.22.72.81

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
fd80fa9c6120cdeea8520510f3c644ac	sistema_2_1_1_build2.zip	Get hash	malicious	Unknown	Browse	104.21.4.246
	SecuriteInfo.com.W32.PossibleThreat.9762.18095.exe	Get hash	malicious	Unknown	Browse	104.21.4.246
	winaudio.exe	Get hash	malicious	Unknown	Browse	104.21.4.246
	l.out.elf	Get hash	malicious	Unknown	Browse	104.21.4.246
	RT.msi	Get hash	malicious	Unknown	Browse	104.21.4.246
	Ac372JNTO6.exe	Get hash	malicious	Amadey	Browse	104.21.4.246
	6v8QbANftP.exe	Get hash	malicious	Unknown	Browse	104.21.4.246
	6v8QbANftP.exe	Get hash	malicious	Unknown	Browse	104.21.4.246
	spjYwLgrAT.exe	Get hash	malicious	Unknown	Browse	104.21.4.246
	spjYwLgrAT.exe	Get hash	malicious	Unknown	Browse	104.21.4.246

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.997016256014731
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Phoenix Service Tool V5.6.exe
File size:	62'082'048 bytes
MD5:	f60b09fd39c1bfb5b38cdcddbd735fec
SHA1:	6988749c6c885ff957cb2be7a477e1caaa5f50f9
SHA256:	d6d327be485e5f88f4788998b5acccb18f86da34f7fe5f1cf193a50a486705cc
SHA512:	dadbf518c82c35a05a8a3ff98a7b13f2e1649f7e52701f8b06910872f467979638a2f323e5bfb7c52e1cf2154bb9b8820c3cbf11c1d8ce49fdbe998c4b761d17
SSDEEP:	1572864:Ek2EBHjsRKoDtKgLIjgGbUuirzZTnE+WOaUQVAhZ+oKrE:t20jKZLIBgr1tLaUQVc6E
TLSH:	3CD7339E2EA640FAC5DE04F54B17BBF323F6C26254DA0727FA8422CB39D1B703256552
File Content Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........PE..L......f............................X.............@.......................................@......@......................q..

File Icon


Icon Hash:	077b4d6939193b06

Static PE Info

General

Entrypoint:	0x7d5dc58
Entrypoint Section:	.$3(
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x66FAFE82 [Mon Sep 30 19:39:46 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	b336ec2b7b92eb8afebba8e321c57365

Entrypoint Preview

Instruction
push edi
push ebp
call 00007F378D067588h
sar byte ptr [esp+04h], FFFFFFA2h
movzx ecx, word ptr [esp+04h]
mov dword ptr [esi+ecx*4+02h], eax
not dx
mov dword ptr [esp+ecx], ecx
adc cx, word ptr [esi+ecx+02h]
xchg dword ptr [esp+03h], edx
add esi, 04h
movzx edx, byte ptr [edi-05h]
mov eax, A939ECB4h
not word ptr [esp+01h]
sub edi, 05h
call 00007F378D582A76h
inc ecx
pop edx
inc ecx
ror ebx, cl
inc edi
movzx edx, word ptr [edx+ebp-06h]
btc dx, 0000h
dec eax
cwde
dec eax
sub ecx, ebx
dec ebp
lea ebp, dword ptr [ebp+esi*8-00000538h]
inc bp
xor edx, eax
dec ecx
imul eax, edi
inc ecx
sar edi, cl
dec ecx
add ecx, edi
inc sp
xor edx, edx
dec eax
shr edx, 1
inc esp
and ebx, edi
dec eax
sub eax, 1209A380h
inc cx
adc edx, F7664B30h
out dx, eax
inc cx
rol edx, 1
dec eax
add eax, ebx
push esi
inc cx
neg edx
ror dword ptr [esp+esi*2-00000148h], cl
inc bp
xor eax, edx
inc ecx
mov ebp, esi
dec eax
inc ebx
dec esi
lea edx, dword ptr [esp+edx+08h]
inc edx
mov esi, dword ptr [esi+edx-000000A6h]
inc esp
sub bh, byte ptr [esp+ebx-000000D5h]
dec esp
lea edx, dword ptr [eax+edi*4+58123316h]
cwde
inc edx
mov dword ptr [ebx-000000DCh], esi
dec ebp

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x7b0a8a0	0x71	.$3(
IMAGE_DIRECTORY_ENTRY_IMPORT	0x78bf3a0	0x1a4	.$3(
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x80b9000	0x11abe	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x80b8000	0x798	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x78c06d4	0x18	.$3(
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x4595000	0xb8	.aK8
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x7c7759c	0x200	.$3(
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0xb68fd4	0x0	d41d8cd98f00b204e9800998ecf8427e	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.itext	0xb6a000	0x545c	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0xb70000	0x30ba40	0x0	d41d8cd98f00b204e9800998ecf8427e	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.bss	0xe7c000	0x1bec4	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0xe98000	0x489c	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.didata	0xe9d000	0x6ad8	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.edata	0xea4000	0x71	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.tls	0xea5000	0x15c	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0xea6000	0x5d	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
."eY	0xea7000	0x36ed166	0x0	d41d8cd98f00b204e9800998ecf8427e	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.aK8	0x4595000	0xfac	0x1000	51aa23867a6c76c7a151f41e4b25bd8e	False	0.0390625	data	0.3111256605983826	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.$3(	0x4596000	0x3b213d0	0x3b21400	d99a3f4a955e26f49deef58dcf4cd4c7	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.reloc	0x80b8000	0x798	0x800	fa61a6bfdac6ccc4d5e36f953439a9d2	False	0.486328125	data	4.44241145317496	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x80b9000	0x11abe	0x11c00	78751eea37adef3d00817185f5fb214a	False	0.9770989216549296	data	7.96988313680526	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x80b9144	0x10fdf	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States	1.000445408698401
RT_GROUP_ICON	0x80ca124	0x14	Targa image data - Map 32 x 4063 x 1 +1	English	United States	1.1
RT_VERSION	0x80ca138	0x270	data	English	United States	0.47596153846153844
RT_MANIFEST	0x80ca3a8	0x716	XML 1.0 document, ASCII text, with CRLF, LF line terminators	English	United States	0.40407938257993387

Imports

DLL	Import
SetupApi.dll	SetupDiGetClassDevsW
winmm.dll	timeEndPeriod
winspool.drv	DocumentPropertiesW
comdlg32.dll	ChooseColorW
comctl32.dll	ImageList_GetImageInfo
shell32.dll	Shell_NotifyIconW
user32.dll	CopyImage
version.dll	GetFileVersionInfoSizeW
oleaut32.dll	SafeArrayPutElement
netapi32.dll	NetWkstaGetInfo
advapi32.dll	RegSetValueExW
msvcrt.dll	_read
winhttp.dll	WinHttpGetIEProxyConfigForCurrentUser
kernel32.dll	GetVersion, GetVersionExW
bcrypt.dll	BCryptGenRandom
wsock32.dll	send
ole32.dll	IsEqualGUID
gdi32.dll	Pie
kernel32.dll	GetSystemTimeAsFileTime
kernel32.dll	HeapAlloc, HeapFree, ExitProcess, GetModuleHandleA, LoadLibraryA, GetProcAddress

Exports

Name	Ordinal	Address
__dbk_fcall_wrapper	2	0x413134
dbkFCallWrapperAddr	1	0x127f648

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 22, 2024 13:45:31.484514952 CEST	49736	443	192.168.2.4	104.21.4.246
Oct 22, 2024 13:45:31.484554052 CEST	443	49736	104.21.4.246	192.168.2.4
Oct 22, 2024 13:45:31.484625101 CEST	49736	443	192.168.2.4	104.21.4.246
Oct 22, 2024 13:45:31.485477924 CEST	49736	443	192.168.2.4	104.21.4.246
Oct 22, 2024 13:45:31.485491037 CEST	443	49736	104.21.4.246	192.168.2.4
Oct 22, 2024 13:45:32.113169909 CEST	443	49736	104.21.4.246	192.168.2.4
Oct 22, 2024 13:45:32.113255024 CEST	49736	443	192.168.2.4	104.21.4.246
Oct 22, 2024 13:45:32.116781950 CEST	49736	443	192.168.2.4	104.21.4.246
Oct 22, 2024 13:45:32.116811037 CEST	443	49736	104.21.4.246	192.168.2.4
Oct 22, 2024 13:45:32.117249966 CEST	443	49736	104.21.4.246	192.168.2.4
Oct 22, 2024 13:45:32.117616892 CEST	49736	443	192.168.2.4	104.21.4.246
Oct 22, 2024 13:45:32.159329891 CEST	443	49736	104.21.4.246	192.168.2.4
Oct 22, 2024 13:45:32.159431934 CEST	49736	443	192.168.2.4	104.21.4.246
Oct 22, 2024 13:45:32.159450054 CEST	443	49736	104.21.4.246	192.168.2.4
Oct 22, 2024 13:45:32.820375919 CEST	443	49736	104.21.4.246	192.168.2.4
Oct 22, 2024 13:45:32.820506096 CEST	443	49736	104.21.4.246	192.168.2.4
Oct 22, 2024 13:45:32.820574999 CEST	49736	443	192.168.2.4	104.21.4.246
Oct 22, 2024 13:45:32.820643902 CEST	443	49736	104.21.4.246	192.168.2.4
Oct 22, 2024 13:45:32.820682049 CEST	443	49736	104.21.4.246	192.168.2.4
Oct 22, 2024 13:45:32.820736885 CEST	49736	443	192.168.2.4	104.21.4.246
Oct 22, 2024 13:45:32.825869083 CEST	49736	443	192.168.2.4	104.21.4.246
Oct 22, 2024 13:45:32.825926065 CEST	443	49736	104.21.4.246	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 22, 2024 13:45:31.418225050 CEST	64969	53	192.168.2.4	1.1.1.1
Oct 22, 2024 13:45:31.454257965 CEST	53	64969	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 22, 2024 13:45:31.418225050 CEST	192.168.2.4	1.1.1.1	0xcd3e	Standard query (0)	apiv3.phoenixservicetool.net	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 22, 2024 13:45:31.454257965 CEST	1.1.1.1	192.168.2.4	0xcd3e	No error (0)	apiv3.phoenixservicetool.net		104.21.4.246	A (IP address)	IN (0x0001)	false
Oct 22, 2024 13:45:31.454257965 CEST	1.1.1.1	192.168.2.4	0xcd3e	No error (0)	apiv3.phoenixservicetool.net		172.67.187.64	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

apiv3.phoenixservicetool.net

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49736	104.21.4.246	443	2304	C:\Users\user\Desktop\Phoenix Service Tool V5.6.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-22 11:45:32 UTC	1045	OUT	POST /update HTTP/1.0 Connection: keep-alive Content-Type: application/x-www-form-urlencoded Content-Length: 787 Authorization: Bearer NTA3Nzc5RkJCN0JFN0FBQUFDNDhDMjQwMzVDQjA0NEFDRTAxMUFFMjMwNTE3NjBDNDg4OEE4MDNDRUI4MUQ0QzhDMUY3QjQyMzgxNjY5QkQ0ODJCRDA2OTRGMzQ3NTgxMEU2NUUyNDMyMTkzMzA4QzFERjMxNzg3MkI4NjYwMERCODA3ODlENUQzMkEzQTM0NTc1QkYxM0JBODBGMDFDRjk3MDkwQUM2Q0ZDOUE3NDFCM0Q2NEYyM0MzREIxNTMxM0VBQURDRkQ3MzQzMTFGMURBRERCMTkxQkRFM0JFRUJEMTA4RjMwQzEwQzA3NkY0QTI3MTJDOUZEQzU1OTRGRDc2NDBDNzY5RUQ0MDVBMEIxRTgyMTk0OTVCNDczMUU5NTExNEFBQjdENEEwQkMyRUYzM0NCODVDMTJFRUE2NzY2OEE5RkY5RTY3ODdCQTBFNTU2MzFBMkFDMEEzQTAxMjQ2RTY2OEY1RUNCM0Q4OTcyRTJFOTkzOEVGOURFMDk1NzUwQzRCRkQ2MjI0NDhERTNCQjQ5RkU2MDI1MjJGRUU1MzY0N0FERjFGRTZDNTI1MjM3RUFCNDAwN0M1QjE5M0M4MTQyQTQyNjQzODUyQjQyMzg1N0VDMDhFRjBENEZCMUQ5NUZGOUFGRDc4MkZBMkY2MTlDOUEwNTczNEEyQjk3NEZBREQ4M0EzRjI4NUJBQTg5MzAxMjIwQjA1RjFBRUVBOUFDREM0Njk5QzZCQjQ4RjI3NDE5RTE2NDQ0RDM0 Host: apiv3.phoenixservicetool.net Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 User-Agent: PhoenixTool
2024-10-22 11:45:32 UTC	787	OUT	Data Raw: 64 61 74 61 3d 4f 55 4a 43 4e 44 63 33 51 55 45 7a 4d 6a 56 45 4d 54 4a 43 4e 54 67 30 4d 44 4d 7a 52 55 45 35 52 54 45 77 4d 6a 59 7a 51 30 46 47 4f 45 4d 34 4e 30 49 32 51 30 55 30 51 55 49 30 4d 30 59 79 4d 44 6c 44 4d 6a 68 43 4d 44 4d 33 4e 7a 4e 42 4d 44 55 35 4f 54 68 44 4d 55 59 33 51 6a 51 79 4d 7a 67 78 4e 6a 59 35 51 6b 51 30 4f 44 4a 43 52 44 41 32 4f 54 52 47 4d 7a 51 33 4e 54 67 78 4d 45 55 32 4e 55 55 79 4e 44 4d 79 4d 54 6b 7a 4d 7a 41 34 51 7a 46 45 52 6a 4d 78 4e 7a 67 33 4d 6b 49 34 4e 6a 59 77 4d 45 52 43 4f 44 41 33 4f 44 6c 45 4e 55 51 7a 4d 6b 45 7a 51 54 4d 30 4e 54 63 31 51 6b 59 78 4d 30 4a 42 4f 44 42 47 4d 44 46 44 52 6a 6b 33 4d 44 6b 77 51 55 4d 32 51 30 5a 44 4f 55 45 33 4e 44 46 43 4d 30 51 32 4e 45 59 79 4d 30 4d 7a 52 45 Data Ascii: data=OUJCNDc3QUEzMjVEMTJCNTg0MDMzRUE5RTEwMjYzQ0FGOEM4N0I2Q0U0QUI0M0YyMDlDMjhCMDM3NzNBMDU5OThDMUY3QjQyMzgxNjY5QkQ0ODJCRDA2OTRGMzQ3NTgxMEU2NUUyNDMyMTkzMzA4QzFERjMxNzg3MkI4NjYwMERCODA3ODlENUQzMkEzQTM0NTc1QkYxM0JBODBGMDFDRjk3MDkwQUM2Q0ZDOUE3NDFCM0Q2NEYyM0MzRE
2024-10-22 11:45:32 UTC	830	IN	HTTP/1.1 200 OK Date: Tue, 22 Oct 2024 11:45:32 GMT Content-Type: text/html Connection: close vary: Accept-Encoding cache-control: no-cache,no-store x-frame-options: SAMEORIGIN cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=39CgBfH56I4rUVS%2BEp58MLA5FLVDYdMnAiEPh%2F33DfM%2FxSSTB1%2BBQNYjdVRLBiJ1ezu5HNCmL0muNwPdbJ8F5v1yRVy8ewJ%2BUXt%2FnXts6RPMJ79pMo1vlCrOwwHeagUjW%2FOK2%2BaeAhclZDQcE0AJ"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d693de02a672e78-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1622&sent=5&recv=8&lost=0&retrans=0&sent_bytes=2858&recv_bytes=2490&delivery_rate=1776687&cwnd=232&unsent_bytes=0&cid=53d120ea1fc34877&ts=729&x=0"
2024-10-22 11:45:32 UTC	539	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 Data Ascii: <!DOCTYPE html><html><head> <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no"> <meta http-equiv="X-UA-Compatible" content="IE=edge"> <meta http-equiv="Content-Type" content="text/html; charset=windows-1252
2024-10-22 11:45:32 UTC	1147	IN	Data Raw: 27 3a 20 27 36 4c 65 77 55 33 34 55 41 41 41 41 41 48 76 58 71 46 4f 63 51 6c 6d 38 7a 31 4d 50 31 78 70 47 41 5a 43 59 45 65 5a 59 27 2c 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 27 63 61 6c 6c 62 61 63 6b 27 3a 20 6f 6e 53 75 62 6d 69 74 2c 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 29 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 67 72 65 63 61 70 74 63 68 61 2e 65 78 65 63 75 74 65 28 63 6f 6e 74 29 3b 0a 20 20 20 20 20 20 20 20 7d 3b 0a 20 20 20 20 3c 2f 73 63 72 69 70 74 3e 0a 20 20 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 20 20 20 20 62 6f 64 79 20 7b 0a 20 20 20 20 20 20 20 20 68 65 69 67 68 74 3a 20 31 30 30 25 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 2e 70 61 6e 65 6c 20 Data Ascii: ': '6LewU34UAAAAAHvXqFOcQlm8z1MP1xpGAZCYEeZY', 'callback': onSubmit, }); grecaptcha.execute(cont); }; </script> <style> body { height: 100%; } .panel

Target ID:	0
Start time:	07:45:06
Start date:	22/10/2024
Path:	C:\Users\user\Desktop\Phoenix Service Tool V5.6.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Phoenix Service Tool V5.6.exe"
Imagebase:	0x840000
File size:	62'082'048 bytes
MD5 hash:	F60B09FD39C1BFB5B38CDCDDBD735FEC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Reputation:	low
Has exited:	false

Show Windows behavior

Chronological Activities

Disassembly

⊘No disassembly

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may hook into Windows application programming interface (API) functions to collect user credentials. Malicious hooking mechanisms may capture API calls that include parameters that reveal user authentication credentials.Unlike Keylogging , this technique focuses specifically on API functions that include parameters that reveal user credentials. Hooking involves redirecting calls to these functions and can be implemented via:
Tactics:	Collection, Credential Access
Data Sources:	Process: OS API Execution, Process: Process Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Phoenix Service Tool V5.6.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Exports

Possible Origin

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTPS Proxied Packets

Statistics

CPU Usage

Memory Usage

Windows Analysis Report
Phoenix Service Tool V5.6.exe