File name: Phoenix Keylogger.zip

Full analysis: https://app.any.run/tasks/a3b1bda4-2ced-4a90-82c5-29b0f82151db
Verdict: Malicious activity
Analysis date: December 05, 2023, 01:15:24
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5: 47089A706EF8E29EE77CC8B83795ED90
SHA1: 8BD560ADBD322081639E9E8421C4B4D0BA276F8D
SHA256: FBAAF92F4048FB147754D282C2F9BA4923480AEF9C751C2C8813A7DA44AA9865
SSDEEP: 98304:Xu2m3xWjluefWhO2aE61anv76QJ4zudUio73z4b6IBH3WyiEvEXP4/5ZNhUFUpGd:1D9gKDI8a4S15FYSXwvMXF4

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided as is, for the user's information only. ANY.RUN does not guarantee the maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • crack.exe (PID: 2520)
      • Phoenix_Keylogger.exe (PID: 3608)
      • Phoenix Keylogger.exe (PID: 1608)
    • Create files in the Startup directory

      • crack.exe (PID: 2520)
  • SUSPICIOUS

    • Reads Microsoft Outlook installation path

      • Phoenix Keylogger.exe (PID: 1608)
    • Reads Internet Explorer settings

      • Phoenix Keylogger.exe (PID: 1608)
      • Phoenix_Keylogger.exe (PID: 3608)
    • Reads the Internet Settings

      • Phoenix Keylogger.exe (PID: 1608)
  • INFO

    • Manual execution by a user

      • notepad.exe (PID: 1864)
      • Phoenix Keylogger.exe (PID: 1608)
      • Phoenix_Keylogger.exe (PID: 3608)
      • crack.exe (PID: 984)
      • notepad.exe (PID: 3760)
    • Reads the machine GUID from the registry

      • Phoenix Keylogger.exe (PID: 1608)
      • crack.exe (PID: 2520)
      • crack.exe (PID: 984)
      • Phoenix_Keylogger.exe (PID: 3608)
    • Drops the executable file immediately after the start

      • WinRAR.exe (PID: 2144)
    • Checks supported languages

      • Phoenix Keylogger.exe (PID: 1608)
      • crack.exe (PID: 2520)
      • Phoenix_Keylogger.exe (PID: 3608)
      • crack.exe (PID: 984)
    • Creates files or folders in the user directory

      • crack.exe (PID: 2520)
    • Checks proxy server information

      • Phoenix Keylogger.exe (PID: 1608)
    • Reads the computer name

      • Phoenix_Keylogger.exe (PID: 3608)
      • crack.exe (PID: 2520)
      • crack.exe (PID: 984)
      • Phoenix Keylogger.exe (PID: 1608)
    • Create files in a temporary directory

      • Phoenix_Keylogger.exe (PID: 3608)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: -
ZipCompression: None
ZipModifyDate: 2023:09:15 01:50:20
ZipCRC: 0xa1b24adb
ZipCompressedSize: 19
ZipUncompressedSize: 19
ZipFileName: Phoenix Keylogger/Password.txt
No data.
All screenshots are available in the full report
Total processes: 56
Monitored processes: 7
Malicious processes: 2
Suspicious processes: 1

Behavior graph

Processes shown in the graph: winrar.exe (no specs), notepad.exe (no specs), phoenix keylogger.exe, crack.exe, phoenix_keylogger.exe, crack.exe, notepad.exe (no specs). The interactive graph with per-process details is available in the full report.

Process information
PID: 984
CMD: "C:\Users\admin\Desktop\crack.exe"
Path: C:\Users\admin\Desktop\crack.exe
Parent process: explorer.exe
User: admin
Integrity Level: HIGH
Exit code: 0
Modules (images):
c:\users\admin\desktop\crack.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
PID: 1608
CMD: "C:\Users\admin\Desktop\Phoenix Keylogger.exe"
Path: C:\Users\admin\Desktop\Phoenix Keylogger.exe
Parent process: explorer.exe
User: admin
Integrity Level: HIGH
Exit code: 0
Modules (images):
c:\users\admin\desktop\phoenix keylogger.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\version.dll
c:\windows\system32\sfc_os.dll
PID: 1864
CMD: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\admin\Desktop\Phoenix Keylogger\Password.txt
Path: C:\Windows\System32\notepad.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Notepad
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\windows\system32\notepad.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
PID: 2144
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\Phoenix Keylogger.zip"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Exit code: 0
Version: 5.91.0
Modules (images):
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
PID: 2520
CMD: "C:\Users\admin\Desktop\crack.exe"
Path: C:\Users\admin\Desktop\crack.exe
Parent process: Phoenix Keylogger.exe
User: admin
Integrity Level: HIGH
Exit code: 0
Modules (images):
c:\users\admin\desktop\crack.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
PID: 3608
CMD: "C:\Users\admin\Desktop\Phoenix_Keylogger.exe"
Path: C:\Users\admin\Desktop\Phoenix_Keylogger.exe
Parent process: explorer.exe
User: admin
Company: Phoenix Keylogger
Integrity Level: HIGH
Description: Phoenix Keylogger
Exit code: 4294967295
Version: 2.1.0.0
Modules (images):
c:\users\admin\desktop\phoenix_keylogger.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
PID: 3760
CMD: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\admin\Desktop\key.txt
Path: C:\Windows\System32\notepad.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Notepad
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\windows\system32\notepad.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
Total events: 1 641
Read events: 1 612
Write events: 29
Delete events: 0

Modification events

PID | Process | Operation | Key | Name | Value
2144 | WinRAR.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\17F\52C64B7E | LanguageList | en-US
2144 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | 2 | C:\Users\admin\Desktop\virtio_ivshmem_master_build.zip
2144 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | 1 | C:\Users\admin\Desktop\Win7-KB3191566-x86.zip
2144 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | 0 | C:\Users\admin\Desktop\phacker.zip
2144 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | name | 120
2144 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | size | 80
2144 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | type | 120
2144 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | mtime | 100
2144 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\Interface\MainWin | Placement | 2C0000000000000001000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF42000000420000000204000037020000
2144 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\General | LastFolder | C:\Users\admin\Desktop
Executable files: 20
Suspicious files: 7
Text files: 2
Unknown types: 0

Dropped files

PID | Process | Filename | Type
2144 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2144.42384\Phoenix Keylogger\Phoenix Keylogger.exe | executable
    MD5: B36E6664467C33A83FB27582C3AD7B47
    SHA256: 0F36B3D2BA6A8F5C88E2C6746AB01728A7124612DDD23094E8F520DD790763E6
1608 | Phoenix Keylogger.exe | C:\Users\admin\Desktop\Phoenix_Keylogger.exe | executable
    MD5: 321DE682F6FCB7C88CDD83479A0CEBA1
    SHA256: DCEBBEA9617554DB744B97DCE95B5B55154130F1CDE5E155B677D20CFE2D712E
1608 | Phoenix Keylogger.exe | C:\Users\admin\Desktop\dnlib.dll | executable
    MD5: 754A721EE1F1869394EC24212BBD7F30
    SHA256: A07EAF627F7CE270B0622DAD29BFCD6F8A9BC49701802F4ED2455FFEE7BC7307
1608 | Phoenix Keylogger.exe | C:\Users\admin\Desktop\MetroFramework.Design.dll | executable
    MD5: AB4C3529694FC8D2427434825F71B2B8
    SHA256: 0A4A96082E25767E4697033649B16C76A652E120757A2CECAB8092AD0D716B65
1608 | Phoenix Keylogger.exe | C:\Users\admin\Desktop\bhatrussia.url | binary
    MD5: 96CEC2FF3BC1281C3B541D549538C9FB
    SHA256: CD064A6F7AA46315DEA10E6D73BC0416C4954BC8C3FEE19A39A2C88C49F3E8AE
1608 | Phoenix Keylogger.exe | C:\Users\admin\Desktop\MetroFramework.dll | executable
    MD5: 34EA7F7D66563F724318E322FF08F4DB
    SHA256: C2C12D31B4844E29DE31594FC9632A372A553631DE0A0A04C8AF91668E37CF49
1608 | Phoenix Keylogger.exe | C:\Users\admin\Desktop\MetroFramework.Fonts.dll | executable
    MD5: 65EF4B23060128743CEF937A43B82AA3
    SHA256: C843869AACA5135C2D47296985F35C71CA8AF4431288D04D481C4E46CC93EE26
1608 | Phoenix Keylogger.exe | C:\Users\admin\Desktop\gbpast - Login.url | binary
    MD5: 4A4F5BE9370E206241BB73BFC2367F3C
    SHA256: 210F2EE620FE51ACDBE59BBA7BB4ACBDE397034818B09156F6F0874B016A5B18
1608 | Phoenix Keylogger.exe | C:\Users\admin\Desktop\IconExtractor.dll | executable
    MD5: 36B46C48D2FBCDF839F0BB96BA20B386
    SHA256: 02707BE9D1E86187D99ED2DC91DF6335D093FBEC1EE4B65B5DC16161615EC2F9
1608 | Phoenix Keylogger.exe | C:\Users\admin\Desktop\PeebCore.dll | executable
    MD5: 128A51A403DDD07999E03E3A36D96579
    SHA256: 90F882851DF247E60CEF36644E63A7927B243FC8F81B5CCB1ECFF8E9564D81F2
Download the PCAP, analyze network streams, HTTP content and a lot more in the full report
HTTP(S) requests: 0
TCP/UDP connections: 4
DNS requests: 0
Threats: 0

HTTP requests

No HTTP requests

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
2588 | svchost.exe | 239.255.255.250:1900 | - | - | - | whitelisted
1080 | svchost.exe | 224.0.0.252:5355 | - | - | - | unknown

DNS requests

No data

Threats

No threats detected
No debug info