Overview

overview

10

Static

static

10

Jefutyl.zip

windows10-2004-x64

10

Analysis

  • max time kernel
    96s
  • max time network
    93s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230915-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09-10-2023 21:50

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Jefutyl.zip

  • Size

    38KB

  • MD5

    46ad12d7699b3f9a0ce5f70b08324677

  • SHA1

    4b3950b2a378661310472427acaf26272373ed21

  • SHA256

    3fb1c3589b3a7636337ae5284974f79f99e4c015977a4fa1eeeeb42d79590181

  • SHA512

    d455cd28d8365380494f2ed8f59cf99fcd17dba3b94efe558d307b95abf7e232e5b17ad47f1fb068d4e3bec7214fa88e71fbb8203d1728cfe0371c5013d8d5ef

  • SSDEEP

    768:Q6cNV9G4WCsEimmJFLzW/6/RDFC+cPn22xHoMvBhw1gFakQdloivG/ERKjT:ZC1WlFw6/pPUxTw1cakQd6ivbRKjT

Score
10/10
phemedronestealer

Malware Config

Extracted

Family

phemedrone

C2

https://api.telegram.org/bot6421901210:AAErC913wmPS9T_-XJrvOWFdTxw2TkS248A/sendMessage?chat_id=5896425070

Signatures

  • Phemedrone

    An information and wallet stealer written in C#.

    stealerphemedrone
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of FindShellTrayWindow 34 IoCs
  • Suspicious use of SendNotifyMessage 34 IoCs

Processes

  • C:\Windows\Explorer.exe
    C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\Jefutyl.zip
    1⤵
      PID:4756
    • C:\Windows\System32\rundll32.exe
      C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
      1⤵
        PID:4356
      • C:\Users\Admin\Desktop\Jefutyl.exe
        "C:\Users\Admin\Desktop\Jefutyl.exe"
        1⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:208
      • C:\Windows\system32\wbem\WmiApSrv.exe
        C:\Windows\system32\wbem\WmiApSrv.exe
        1⤵
          PID:4240
        • C:\Windows\system32\taskmgr.exe
          "C:\Windows\system32\taskmgr.exe" /7
          1⤵
          • Checks SCSI registry key(s)
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          PID:1032
        • C:\Users\Admin\Desktop\Jefutyl.exe
          "C:\Users\Admin\Desktop\Jefutyl.exe"
          1⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4536
        • C:\Windows\system32\wbem\WmiApSrv.exe
          C:\Windows\system32\wbem\WmiApSrv.exe
          1⤵
            PID:1428

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Jefutyl.exe.log
            Filesize

            1KB

            MD5

            e7e9d20a33eb36c35560d47fcbcd083e

            SHA1

            41df6fa9f9e3b543b957105617670aaaceed2aad

            SHA256

            ee8eb47f8eaa8fea61d4561eda2d4fb42b93cd51d24778651dae82f4254a082d

            SHA512

            9f9ab0b3d56e4f13837b6d2b77730d847a816eec4f1e606e82a101b4bea3f2b20f69e1e8eb6e2e80f175e8c26a4ba7b8d078f79029f9bb1500f115188da32d3e

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\Jefutyl.zip
            Filesize

            38KB

            MD5

            46ad12d7699b3f9a0ce5f70b08324677

            SHA1

            4b3950b2a378661310472427acaf26272373ed21

            SHA256

            3fb1c3589b3a7636337ae5284974f79f99e4c015977a4fa1eeeeb42d79590181

            SHA512

            d455cd28d8365380494f2ed8f59cf99fcd17dba3b94efe558d307b95abf7e232e5b17ad47f1fb068d4e3bec7214fa88e71fbb8203d1728cfe0371c5013d8d5ef

            Download Submit

          • memory/208-1-0x0000000000C80000-0x0000000000C9C000-memory.dmp

            Filesize

            112KB

            Download

          • memory/208-2-0x00007FFFA9330000-0x00007FFFA9DF1000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/208-3-0x000000001BB60000-0x000000001BB70000-memory.dmp

            Filesize

            64KB

            Download

          • memory/208-4-0x00007FFFA9330000-0x00007FFFA9DF1000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/208-5-0x000000001BB60000-0x000000001BB70000-memory.dmp

            Filesize

            64KB

            Download

          • memory/208-7-0x00007FFFA9330000-0x00007FFFA9DF1000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/1032-14-0x000001D9FFD40000-0x000001D9FFD41000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1032-9-0x000001D9FFD40000-0x000001D9FFD41000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1032-10-0x000001D9FFD40000-0x000001D9FFD41000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1032-16-0x000001D9FFD40000-0x000001D9FFD41000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1032-15-0x000001D9FFD40000-0x000001D9FFD41000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1032-17-0x000001D9FFD40000-0x000001D9FFD41000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1032-18-0x000001D9FFD40000-0x000001D9FFD41000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1032-19-0x000001D9FFD40000-0x000001D9FFD41000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1032-20-0x000001D9FFD40000-0x000001D9FFD41000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1032-8-0x000001D9FFD40000-0x000001D9FFD41000-memory.dmp

            Filesize

            4KB

            Download

          • memory/4536-22-0x00007FFFA9330000-0x00007FFFA9DF1000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/4536-23-0x000000001AFD0000-0x000000001AFE0000-memory.dmp

            Filesize

            64KB

            Download

          • memory/4536-24-0x00007FFFA9330000-0x00007FFFA9DF1000-memory.dmp

            Filesize

            10.8MB

            Download