Autoit Cryptor:
This malware is wrapped in an AutoIt cryptor, chosen because of the flexibility of the AutoIt scripting language. The cryptor is obfuscated, has a feature to evade virtual machines (which are common in sandboxes) and uses process injection. I used a Python script to simulate the decryption routine of this cryptor (named HWRZDRXVUHRI). Once it is decrypted you can see right away how it works: it checks the running processes for known virtual-machine processes that are common in sandbox systems, it carries an obfuscated script, and it loads the actual malware, stored in the resource section, by building shellcode that loads it.
figure 1 - Checking Virtual Machine Process
figure 2 - the encrypted Phoenix keylogger in the .rsrc section
PHOENIX KEYLOGGER:
The actual keylogger is compiled with .NET and protected with the Confuser obfuscator. After de-obfuscating it with de4dot, the following are the noteworthy behaviours of this malware:
Hooking Keyboard Event (KeyLogging):
It performs the keylogging by hooking the keyboard Key_Press_Down and Key_Press_Up events, logs the keystrokes and sends the log to its C&C server over SMTP.
figure 3 - Keylogging function
figure 4 - hooking the keyboard events using the SetWindowsHookExA API
Screenshot:
It also has a screenshot feature: it captures the screen of the infected machine, saves it as a bitmap file and sends it to its C&C server as an SMTP attachment.
figure 5 - the screenshot feature of this malware
Parsing Browser Credential:
It is also capable of parsing the saved credentials of several browsers that have no master password set. Most browsers now keep browsing history, cookies and credentials in a database such as SQLite, so the stealer reads the credential store straight from the profile directory. Targeted browser profile files:
- \360Browser\Browser\User Data\Default\Login Data
- \Tencent\QQBrowser\User Data\Default\EncryptedStorage
- \CocCoc\Browser\User Data\Default\Login Data
- \Vivaldi\User Data\Default\login data
- \BraveSoftware\Brave-Browser\User Data\Default\login data
- \Blisk\User Data\Default\Login Data
- \AVAST Software\Browser\User Data\Default\Login Data
- \Chromium\User Data\Default\Login Data
- \Torch\User Data\Default\Login Data
- \Orbitum\User Data\Default\Login Data
- \UCBrowser\User Data_i18n\Default\UC Login Data.18
- \Slimjet\User Data\Default\Login Data
- \Comodo\Dragon\User Data\Default\Login Data
- \Epic Privacy Browser\User Data\Default\Login Data
- \Google\Chrome\User Data\default\Login Data
- \Opera Software\Opera Stable\wand.dat
- \Mozilla\Firefox\Profiles
- \Mozilla\SeaMonkey\Profiles
figure 6 - parsing browser credentials
Parsing Outlook Signature:
It also parses Outlook profile data (signatures and account settings, stored under the 9375CFF0413111d3B88A00104B2A6676 profile key) from the registry, which can be reused for further phishing attacks:
- Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
- Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
- Software\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676
- Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
SMTP C&C server and Telegrambot:
This malware uses an SMTP C&C server, bhavnatutor[.]com:587, to send its exfiltrated data. It also gets the external IP address of the machine by querying the third-party website ifconfig[.]me/ip. The SMTP settings are stored AES-encrypted and base64-encoded; below is the encrypted SMTP configuration string and its decrypted version. The body of the SMTP message also carries information about the machine. The subject of the SMTP message depends on the kind of data being sent (screenshots, browser passwords, logs).
figure 7 - SMTP C&C server and its info (the subject depends on the data it sends)
It can also use a Telegram bot to send everything it collects from the infected machine (documents, messages, photos, etc.).
figure 8 - telegram bot
Notes:
Many malware families now use AutoIt scripts as a cryptor or injector to evade detection and hide the actual payload from incident responders. We also learn from this sample that the keylogger has many capabilities for spying on the infected machine and uses more than one platform to exfiltrate the data it collects.
IOC:
Files: packed malware: https://app.any.run/tasks/99d3b9a4-1b0a-4e4b-b5af-abcde517e4e5/
md5: 08d4206063429e7569d55c7f33eb3df1
sha1: 288a57aa7045333242f31c869b9fda624ae02b9b
sha256: df2c30b42d5139620b97b5fd86f009568ecad116fbe76848171366e9633bffeb
C&C server:
bhavnatutor[.]com:587
masseystephen8@gmail[.]com
testing@bhavnatutor[.]com
http://ifconfig[.]me/ip
113452:https://api.telegram.org/bot
113510:/sendMessage?chat_id=
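The network IOCs above (the external-IP lookup, the SMTP C&C on port 587 and the Telegram bot API calls) are the part of this sample a SOC can actually hunt for. The following is an added example of that detection logic, written for this post and not part of the original analysis: it runs over a few constructed proxy/firewall log lines (the timestamps, host names, bot token and chat_id are all made up; the assumed log format is documented in the code) and rates a source host higher when the IP lookup is followed by either exfiltration channel.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Network IOCs from this sample (defanged brackets removed so they match logs).
C2_SMTP = ("bhavnatutor.com", 587)
IP_LOOKUP_HOSTS = {"ifconfig.me"}
TELEGRAM_BOT = re.compile(
    r"https?://api\.telegram\.org/bot(?P<token>[^/\s]+)/"
    r"(?P<method>sendMessage|sendDocument|sendPhoto)")

# Constructed proxy/firewall log lines, not real telemetry.  Assumed format:
# "<timestamp> <source host> <proto> <dest host:port> <url or ->".
SAMPLE_LOG = """\
2019-05-22T10:01:02Z WS-07 http  ifconfig.me:80 http://ifconfig.me/ip
2019-05-22T10:01:05Z WS-07 tcp   bhavnatutor.com:587 -
2019-05-22T10:01:09Z WS-07 https api.telegram.org:443 https://api.telegram.org/bot1234567:AAExampleTokenValue/sendMessage?chat_id=987654321&text=PX
2019-05-22T10:02:00Z WS-12 https www.example.test:443 https://www.example.test/
"""


def classify(line):
    """Return (timestamp, source host, list of IOC hits) for one log line."""
    ts, src, _proto, dest, url = line.split(None, 4)
    host, _, port = dest.rpartition(":")
    hits = []
    if (host, int(port)) == C2_SMTP:
        hits.append("smtp-c2")
    if host in IP_LOOKUP_HOSTS:
        hits.append("external-ip-lookup")
    m = TELEGRAM_BOT.search(url)
    if m:
        # The bot token and chat_id are the actionable parts: they identify
        # the operator's channel and are what an abuse report needs.
        chat_id = dict(parse_qsl(urlsplit(url).query)).get("chat_id", "")
        hits.append(f"telegram-bot:{m['method']}:token={m['token']}:chat_id={chat_id}")
    return ts, src, hits


def scan(log_text):
    """Group IOC hits per source host."""
    alerts = {}
    for line in log_text.splitlines():
        if line.strip():
            _ts, src, hits = classify(line)
            if hits:
                alerts.setdefault(src, []).extend(hits)
    return alerts


def triage(alerts):
    """An external-IP lookup alone is noise (plenty of legitimate tools do it);
    the same host also talking to the C&C mailbox or a Telegram bot is the
    Phoenix pattern, so only that combination is rated high."""
    levels = {}
    for src, hits in alerts.items():
        exfil = any(h == "smtp-c2" or h.startswith("telegram-bot:") for h in hits)
        lookup = "external-ip-lookup" in hits
        levels[src] = "high" if exfil and lookup else "medium" if exfil else "low"
    return levels


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for host, level in triage(found).items():
        print(host, level, found[host])
```

The Telegram match only works on logs that record the full URL (a TLS-inspecting proxy or the endpoint's own telemetry); on plain NetFlow all you see is api.telegram.org:443, so there the SMTP connection to the C&C host on 587 from a workstation is the stronger signal.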
Information it parses:
109546:+------------- Client INFO -------------+
109632:IP:
109648:HWID:
109662:Owner Name:
109688:Full OS Name:
109718:OS Platform:
109746:OS Version:
109772:System Boot Mode:
109810:Physical Memory:
109846: GB
109856: Available Of
109886:Virtual Memory:
109920:Date:
109934:-----------------------------------------
SMTP message Subject & others:
112022:|------- Phoenix Keylogger - Screenshot -------|
112244:|------- Phoenix Keylogger - Clipboard -------|
112600:|------- Phoenix Keylogger - Logs -------|
112700:\Debug2.txt
112724:PX | Logs | Client Name:
112776:PXLogs
112790:5/22/2019
112810:/C choice /C Y /N /D Y /T 3 & Del "
113214:|------- Phoenix Keylogger - Passwords -------|
113314:Passwords
113334:\Debug.txt
113356:PX | PSWD | Client Name:
Outlook registry:
118083:Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
118262:Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
118509:Software\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676
118688:Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676