FULL Origated Crypter FUD

Once Phoenix successfully infects the target machine, it profiles the machine to gather information on the operating system, hardware, running processes, users, and its external IP address. Phoenix stores the information in memory and sends it back to the attackers directly, without writing it to disk. Attackers commonly do this for stealth, since it is harder to determine what was exfiltrated when nothing is written to disk.

"The anti-virus engine bypasses focus on adding and appending known "goodware" strings to binaries in order to bypass static machine learning engines, as was similarly discovered and used by the Cylance engine model," Kremez told BleepingComputer in a conversation. "Known goodware strings might include news headlines like widely populated Trump impeachment news stories mixed with the actual and pseudo-real applications that are appended to the malicious binaries by the malware crypter builder engine."

"This TrickBot crypter and the related top cybercrime group invest significant resources in making sure they study and understand the anti-virus detection model to be ahead of the game," Kremez explained. "By and large, malware crypters and detections remain a "cat-and-mouse" game, with the TrickBot and other top crime groups trying to evade anti-virus models and defense and detection trying to catch up."

The script decrypted 380 strings and resolved 107 functions and 11 DLLs. In addition, the script dumps the addresses and the full decrypted strings to a JSON file.
