phemedrone

Resubmissions

04-03-2024 05:33

240304-f84jnsca52 10

04-03-2024 04:18

240304-exd9zahe9z 10

Sharing

Copy URL

Twitter E-mail

General

Target

db30c4e68692e4f54315332311162e76.bin
Size

67.1MB
Sample

240304-f84jnsca52
MD5

db30c4e68692e4f54315332311162e76
SHA1

4af95bdba555279f3a9a91d60d3645167cab1ba4
SHA256

de08c69d06b2f176058aa6001b9f9195ef9599f1f79b783e21762046258583d3
SHA512

524b697b466ba99345a27d316386c3ad9871b248ba61df35b90673a74089e61b0a81b161f225e0695f11182574b3a9a5d0c8fa21146d4d6f1583f7400f042b38
SSDEEP

1572864:Jw+8QG00TenpkLLb6XGnKhycHVFh4paYOYKXz4W+hMq4JpMseF5m:WM0TeS/b62RcHRpCDxFc

Score

10^/10

Malware Config

Targets

- Target
  
  dcrat/123.bat
- Size
  
  66B
- MD5
  
  572472c7cc450eedfcd8061e7f64eb96
- SHA1
  
  6d315e5521592f668dc2899eaa83f2ac9cbe99c4
- SHA256
  
  b449f5170c97f7328ce8ff6f2d741c489de4fc9640dcd1a4781349c60f25d934
- SHA512
  
  f89b64c7300aa52b1bba95f1a45fb1dcc1ef13ed81bb0e671159120f909bba94a9762de9c78056f1f535e2797efffa689e6e10b73ca3a0997b307361619883b6
Score

10^/10

phemedrone spyware stealer microsoft discovery phishing
- Phemedrone
  An information and wallet stealer written in C#.
  stealer phemedrone
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Modifies file permissions
  discovery
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- AutoIT Executable
  AutoIT scripts compiled to PE executables.
- Detected potential entity reuse from brand microsoft.
  phishing microsoft
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2
- Target
  
  dcrat/DCRat.exe
- Size
  
  15.7MB
- MD5
  
  f0c212a5f3cb30f35c1022ca2e172310
- SHA1
  
  89314ac31d667f81f603b3dab508dda12febb126
- SHA256
  
  6a465d867459eb8b26608afa566973ad424afb0b12d3e266706e8c42da3c6908
- SHA512
  
  15b562bae7c8977366f46ea71c1bf72d99da77904561e99a10bbc6ad88b3b8bd1e811712ca69410b98f9e492ffe4205bc4782a22304a6f0d73cd2d90a334c90f
- SSDEEP
  
  393216:q/HI7rq9dB4FTqNEkS2DZVBcZn0uDLpBjp2NkM5:qwCrBJlSCcZ0iNGz5
Score

10^/10

phemedrone spyware stealer xmrig microsoft discovery miner phishing
- Phemedrone
  An information and wallet stealer written in C#.
  stealer phemedrone
- xmrig
  XMRig is a high performance, open source, cross platform CPU/GPU miner.
  miner xmrig
- XMRig Miner payload
  miner
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Modifies file permissions
  discovery
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- AutoIT Executable
  AutoIT scripts compiled to PE executables.
- Detected potential entity reuse from brand microsoft.
  phishing microsoft
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral3 behavioral4
- Target
  
  dcrat/data/7zxa.dll
- Size
  
  155KB
- MD5
  
  786d4c74c05832a652be5c0a559be1e6
- SHA1
  
  56bc5cf0bef56565da871af9e10ac8c2302d2ad7
- SHA256
  
  d0680ac62e94f953df031533acd0acb718ad8494f938d84198c655507709e5df
- SHA512
  
  29cf07d3acceb716a2e9ec66434170ba7f15c5af3c843253d72be6f7bf1ab942a6e098a423beb33efb9fbf8bb6c967c34d4dedf65aca72984c6aa70c58e0eeb4
- SSDEEP
  
  3072:QwBYN3i204AHpzTjaLd4+OTpLcl28hpQplf4btKL6mCF:E3cp3jaLupLc3fclAKmJ
Score

3^/10
behavioral5 behavioral6
- Target
  
  dcrat/data/DCRAC.exe
- Size
  
  26KB
- MD5
  
  8a1a98367fd8cb7aa977403f88152e60
- SHA1
  
  cb56f3348ef9b2bb6f38f3ef2b5522e64222b707
- SHA256
  
  730fdccacba82f334638c13a284ae2e8462e10382bf55d2a0d35f25b805bdc02
- SHA512
  
  a18dd788496c9d34c538cf547cf1bd3aeffd6c452d615a186c05222043b7bde5a03360cc33c9005951ff4bd076b4fecabeaf418b59d3623d604ff7b308d09e83
- SSDEEP
  
  768:DZIex9MGyfCCk5L+VUI5SNcGN0KttZZA9BCfNGJkvmNzJhCY2misDfb4oCij:tIegGy6CA+VT
Score

1^/10
behavioral7 behavioral8
- Target
  
  dcrat/data/DCRCC.exe
- Size
  
  24KB
- MD5
  
  7369469d49c34493f1b8a06fc89d9c7f
- SHA1
  
  956b5e6933b6c8141fe6aa16d97b15fc0e985e95
- SHA256
  
  8f5b38fdde20187e5ab965e60c024b98def9d565ea23f596da4fe13d12e5f5b8
- SHA512
  
  1777cc2a5e11115d71b92c5790be558838aed0173a3d7ff288db44674a0b3151026515d74518a960c2467d9be549cd47567123b59330d7684a9b2919b707a1a3
- SSDEEP
  
  384:QVkGGnEOjdf9FZiJSi6gi8Yd6aHmcL/QKN+eglriL5nOIj3vFy:tFdf9CJ+F8IG1KGleNB5y
Score

3^/10
behavioral10 behavioral9
- Target
  
  dcrat/data/Default.SFX
- Size
  
  309KB
- MD5
  
  89bf0f7e9adf290c6d571eccf79206a9
- SHA1
  
  65f95791234ff93bc3e35f1d35d7a6664872dc56
- SHA256
  
  b11ad1adfa96eacf5f18cf87785884947a6d35a1baebf4f20f16402b04d5109f
- SHA512
  
  cfa060f8aa79529fe8a4809ed5faec499fd15bcd4fb4a536759890e536ded2ca26e593b1f8b04d94e998b063a9a9b8b6bb53166976a5cd018913819959dbc7d5
- SSDEEP
  
  6144:ajT5Zh17eWxoG/+ov/2OIQ4wW3OBsCeAW32X+t4Rb:aRZ+IoG/n9IQxW3OBsee2X+t4Rb
Score

1^/10
behavioral11 behavioral12
- Target
  
  dcrat/data/NCC2.dll
- Size
  
  13KB
- MD5
  
  12e7983a050a5f7f7b501d3cda914248
- SHA1
  
  6ce5d9b763fc05dcdfcaea79a62a8352371d749c
- SHA256
  
  a0b6bb521e52a99abf5ac1017302da014d37296619078d42d9edf5d86d137f63
- SHA512
  
  0b8788c858c35e0f8f56d552518adb71c847240f6d7c199243e046c4c2e2ae32cb035a0bc5098631656c5d7d772be4fdfdc6a4e19e00092fb3eb09044998be97
- SSDEEP
  
  192:jKsAWXvf+AxcTC6xFrnT5xoqMSqzqqJocD/HCtVWAc3XTEqx2CvAPhz:9Z/f+XT/xBwqMSqeqqcmUDhKhz
Score

1^/10
behavioral13 behavioral14
- Target
  
  dcrat/data/NCC3.dll
- Size
  
  72KB
- MD5
  
  aa84f91edd922e7b3bb979e663c94f1a
- SHA1
  
  da46b9962a6c6cceef38c3e11b8b5bc9c1b536fa
- SHA256
  
  38274608d5a4b53ec22f8099f798ba46ce0ed41db65a33dfb3853f0dbf849f6f
- SHA512
  
  88392fc77a0300ece306908867be38011530d9eefdf003452ba86d82f2fa4a61c2b27a199f376ac307c095beaa4f52cefcab59c8b28fa187c0bca13f55f2d98b
- SSDEEP
  
  1536:a44UF/3qab79HtYDAD5MPEBq9iNv6qfSOBHfVW:a44G3fRMPiuuv6qqOBHfVW
Score

3^/10
behavioral15 behavioral16
- Target
  
  dcrat/data/NCCheck.dll
- Size
  
  162KB
- MD5
  
  569052631a6b80c1c6a336c10c978b02
- SHA1
  
  4bc411b19536c90a6ea0917d7d93f3f6560ee6f0
- SHA256
  
  c41cd461470ff3c936e225cea37e5190cb06e3cd70a3d76ca8e5d3aceead5493
- SHA512
  
  d0e251973a0c6b3fecaa41d9042c7001e4e9e20484fe2ed9ed1ce04a416952054cb010bff6643c0fa093ac60bbe079c11ba0d6f9699224a3db7a56fdbc4f7f69
- SSDEEP
  
  3072:iW3Hj+g/SFOANotkow8WZT75Izm04x7RP+iH3D1VIkB5XFu9H:v36gp5tk5Nx1P+iH3D1VIk6
Score

1^/10
behavioral17 behavioral18
- Target
  
  dcrat/data/Rar.exe
- Size
  
  578KB
- MD5
  
  eb24024a8a46c71303e0b18d0e1859f6
- SHA1
  
  e0ee47fcd63beb2168da119f061d03b0bd6872ea
- SHA256
  
  770d7b5e40ed9b0aff5d0e3fc2ccf9ba10d4925d3441f38b71a35bd26e6e8d98
- SHA512
  
  292e3090338ee3443acd8c2bde59506f3f89d62bf8ff0d95067a812a22b17c98fc2aa9439d3dfa16dcfe338070d7b5af3acefb696a267435bf5b19dceef83a2c
- SSDEEP
  
  12288:wS6ZrwO87OYWi14874mT77CkIf3kBmiXtRI/+7bHuVV7:wSOrwO87OM14nmT77Ck28mijQ+bHit
Score

3^/10
behavioral19 behavioral20
- Target
  
  dcrat/data/RarExt.dll
- Size
  
  481KB
- MD5
  
  e3e09ba1cca853535cad6900133d819e
- SHA1
  
  99865c784613ca201ba8c10d482c9b8c226ce8eb
- SHA256
  
  35a21f1aebf8ea0ab9be1814131fec1fa079d91b701e505054b69eccbdfd0732
- SHA512
  
  2fc9978796a68cbee3cac7a3fee1f7415cacfa20ff7515e98fb04006a4b20f4002df327473b33c66ca28cf5d2d2bb9d2a25766487deb68916341ceca10663a3a
- SSDEEP
  
  6144:qukXSvypOmqIdSGHp+A6NeT5P0XMdHFuodDacXqEk8tZ1mqrt5nJKGgBdUhcX7ee:lkiIdFHpwOF0cdln42qEk4j+Bd3X3um
Score

3^/10
behavioral21 behavioral22
- Target
  
  dcrat/data/RarExt64.dll
- Size
  
  554KB
- MD5
  
  76a5f50d92f543e566b0152e0be1cf9e
- SHA1
  
  61db9bb0ffd049cad2bc747f69dff0dc3fc17a28
- SHA256
  
  db28575f61b1adc88a28ae51ce3b00226e4974ca60894896e414ea408c6ff9fe
- SHA512
  
  c76a09c6cfb9b067eb41afddd1b9bbb111438502f71d6836cbb194ceec865d7478c7f14254684b52d98685232de04f2e1ef35a55946b5993968c81f2e9d050ae
- SSDEEP
  
  6144:O2uqTDJ8HTNZ//j3kOhpJcojM1Rz8ot2ybeBwQA7EE9fNaLTxcRRD7cICzdKGgBz:O2ue8HBpJ3M1cybpQcNYLGuqBd3X3uAZ
Score

3^/10
behavioral23 behavioral24
- Target
  
  dcrat/data/WinCon.SFX
- Size
  
  275KB
- MD5
  
  30e207b91721e27d2d30c3f627552a95
- SHA1
  
  2fa6368e3d61bdf695e2c878279ad208756a9462
- SHA256
  
  ca08ed8423afda4b41757a1f3adf4f855732dc0628fe2ea5d8a96b13f56b9f84
- SHA512
  
  fa24eeead49a824952c2973828bbf9662c0f6eb01d9655c03db46454516e50681d3a10df76b3d3963e5672d2383db336db7caea9197f21ac5872acbb8f6a2404
- SSDEEP
  
  6144:XaBQtMvy7RHKVxMANkIltkaocp+U/ZrbHUO:XntMOKVxMMkIli1cpdpbHn
Score

1^/10
behavioral25 behavioral26
- Target
  
  dcrat/data/Zip.SFX
- Size
  
  263KB
- MD5
  
  9a2ea4da5eec75298f16ba444d3a98d6
- SHA1
  
  f4f790430556e36d418498cd2f3112d04dabf877
- SHA256
  
  2293fe261d5c6f5f2a33004b11f068037677b7aa5a6f792031e31555f31f0d69
- SHA512
  
  69c86181722d2416c1836c9d24df268ba04704898643d2e741d76d1f1493cd140013c95d8e00ce7a95a280cdd5869769a0fffa2fb0c8dc41bb4c8d8fd69f58f4
- SSDEEP
  
  3072:sv/MtM8A6OOodzRMOSgNs2Dsx7Cwbj59HvhaxO6M65ysytvg6VNf0ETA8B9kxpjK:sstlOOo8x7n59Z+zyu65QxpX+t4sP
Score

1^/10
behavioral27 behavioral28
- Target
  
  dcrat/data/dnlib.dll
- Size
  
  1.1MB
- MD5
  
  de0069c4097c987bd30ebe8155a8af35
- SHA1
  
  aced007f4d852d7b84c689a92d9c36e24381d375
- SHA256
  
  83445595d38a8e33513b33dfc201983af4746e5327c9bed470a6282d91d539b6
- SHA512
  
  66c45818e5c555e5250f8250ea704bc4ca32ddb4d5824c852ae5dc0f264b009af73c7c1e0db1b74c14ee6b612608d939386da23b56520cac415cd5a8f60a5502
- SSDEEP
  
  24576:m+pL+hwfQvqx+yLjynb1YNzh/CNX7fegPeH3hid3Hc9ZEu5DkU6FPepU1VWv7fo0:sxvCLUJ
Score

1^/10
behavioral29 behavioral30
- Target
  
  dcrat/data/dotNET_Reactor.Console.exe
- Size
  
  14KB
- MD5
  
  0b4dbf61a98f3e34cdd3a1b08a6a4609
- SHA1
  
  73587f1f5d040541b230513d22d696513dbd4cf9
- SHA256
  
  e817802f166662a7df0b144571354d74b10e34d120f91ae9d84ca3ba925241c6
- SHA512
  
  7cca370890e4e245c84507623531b5f54b76ced3e8c6b87cdfc47ed16560b6a0a5cf9e0556075cd0d9266908e445b854114edd69d50870839624589676c0e688
- SSDEEP
  
  192:8jY53csvsqHwrHEdSAejbMfDn1Gp78dsKGXOdlWW1ksTkwy:8jEnskskQlm1GRJKGXOdlWW1XTR
Score

10^/10

zgrat rat
- Detect ZGRat V1
- ZGRat
  ZGRat is remote access trojan written in C#.
  rat zgrat
- Loads dropped DLL
behavioral31 behavioral32

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

File and Directory Permissions Modification

T1222

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Tasks

Resubmissions

Sharing

General

Malware Config

Targets

Checks computer location settings

Drops startup file

Executes dropped EXE

Loads dropped DLL

Modifies file permissions

Reads user/profile data of web browsers

Looks up external IP address via web service

AutoIT Executable

Detected potential entity reuse from brand microsoft.

Drops file in System32 directory

Suspicious use of SetThreadContext

Phemedrone

xmrig

XMRig Miner payload

Checks computer location settings

Drops startup file

Executes dropped EXE

Loads dropped DLL

Modifies file permissions

Reads user/profile data of web browsers

Looks up external IP address via web service

AutoIT Executable

Detected potential entity reuse from brand microsoft.

Drops file in System32 directory

Suspicious use of SetThreadContext

Detect ZGRat V1

ZGRat

Loads dropped DLL

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10

behavioral11

behavioral12

behavioral13

behavioral14

behavioral15

behavioral16

behavioral17

behavioral18

behavioral19

behavioral20

behavioral21

behavioral22

behavioral23

behavioral24

behavioral25

behavioral26

behavioral27

behavioral28

behavioral29

behavioral30

behavioral31

behavioral32