phemedrone | c4cdb1f07262532c5ad6c2b11a0647a8c08aff180ca75e40f9b12ce7c6c2b3cb | Triage

Sharing

General

Target

allparse_log.zip
Size

10.4MB
Sample

231201-fthnnafc5y
MD5

4153aa5a068287a0390d173af50aacf8
SHA1

adc40aed74d98c3656d22b98b2b090baed28f018
SHA256

c4cdb1f07262532c5ad6c2b11a0647a8c08aff180ca75e40f9b12ce7c6c2b3cb
SHA512

e3e230b706d6a3e246eb46880f13e29bb0a7ccae9bd4f015783e8f067a9b585ca491f871d7eb71a7dc59193c543756980d3c951cc4cd6a14c2d658286c00e861
SSDEEP

196608:f7yBkC8LMj96BaSNTl13sae279UVWefyEL4RIvrvN+MUngf5NXCkvIUyNVDvbIm:f2ULimTdMWuNL6IvSI5pC4PyNr

Score

10^/10

phemedrone spyware stealer

Malware Config

Extracted

Family

phemedrone

C2

https://api.telegram.org/bot6546988438:AAF4CYLITzgov4BI5_0csUsC5C49FDi5D6Y/sendMessage?chat_id=554005447

Targets

- Target
  
  AllParse_Log/allparse_logs.exe
- Size
  
  29.3MB
- MD5
  
  bd3b4c0a02882e590abea24128f5891e
- SHA1
  
  ccd4a73e6e4bb81d8ebd606948ed33762185b71b
- SHA256
  
  c0328ab964eca37b4ee30b09c9471880ae983a9624d7f464322a11cb66790831
- SHA512
  
  cae48f6ab19abe6eb20582857787d84f992e4177a13ac59eff435e9e6bfd37edbd10dbcae5e028cc0257603e667be751829ff023e4b4357f2ab68541b1aa8829
- SSDEEP
  
  393216:Xf2KVJ31I9jSHDGhAriW1CPwDv3uFhtU2lvzSFrjZtFodPVa79:v2KVPI9j3WZf
Score

10^/10

phemedrone stealer
- Phemedrone
  An information and wallet stealer written in C#.
  stealer phemedrone
- Executes dropped EXE
- Loads dropped DLL
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1
- Target
  
  AllParse_Log/codec-library.exe
- Size
  
  84KB
- MD5
  
  889a77ec865cef4310258ba20e980302
- SHA1
  
  554cec7ecef4d6f12ab787fa4673fc9aab24051d
- SHA256
  
  eebdeac6e6bca0a720c047291a85dbb4e0c17f18af0e20b8a0c645360ae66626
- SHA512
  
  1bf5b559c6091eac1b1f616f28ed2159fb32af57de6a965d659d1df235442a0bf578cb1ab3e6af95acb966f0197a5305608d3c1ba6c049a2f20f3805a8989c40
- SSDEEP
  
  1536:4cZc9o6ieQnPou2PGTeR7CfoWKSO5T3rZfvSwEKSKt9jzpmO:4ci9MnPo3PHtmpS5TbZfawEKSKt9jVb
Score

10^/10

phemedrone spyware stealer
- Phemedrone
  An information and wallet stealer written in C#.
  stealer phemedrone
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

Credentials In Files

Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

phemedronestealer

behavioral2

phemedronespywarestealer