Resubmissions

31-03-2024 11:53

240331-n2tpwsah8z 10

31-03-2024 11:44

240331-nv79psag6v 10

General

  • Target

    AutoBuy.exe

  • Size

    2.8MB

  • Sample

    240331-nv79psag6v

  • MD5

    ec3328cb44fb4e760b5cdef7bbbcd6f6

  • SHA1

    d93d74a1200418ec041d4206513d511da870eaec

  • SHA256

    ceb1bbd8e4e6d29926c8011524897693a3240a4bda727d309987a6541cd98907

  • SHA512

    e33563185221acfaf7352a37555f8b1c4f73a962f4ae96e1dee52e8f034bc416fee22dff8bba698b596576470c0572abcf5e2dea1929f6151aac05678e78ca01

  • SSDEEP

    49152:JxppTslWVwj1GowiT4QRW5CX42rZSkvFksV4qBNmP+X:JxpHVwIozyg3jvbVHBNI

Malware Config

Extracted

Family

phemedrone

C2

https://api.telegram.org/bot6719312271:AAE1QFaFTcG0HSHiQXVv7gdDUMwSNOPMadg/sendMessage?chat_id=-4194654645

Targets

    • Target

      AutoBuy.exe

    • Size

      2.8MB

    • MD5

      ec3328cb44fb4e760b5cdef7bbbcd6f6

    • SHA1

      d93d74a1200418ec041d4206513d511da870eaec

    • SHA256

      ceb1bbd8e4e6d29926c8011524897693a3240a4bda727d309987a6541cd98907

    • SHA512

      e33563185221acfaf7352a37555f8b1c4f73a962f4ae96e1dee52e8f034bc416fee22dff8bba698b596576470c0572abcf5e2dea1929f6151aac05678e78ca01

    • SSDEEP

      49152:JxppTslWVwj1GowiT4QRW5CX42rZSkvFksV4qBNmP+X:JxpHVwIozyg3jvbVHBNI

    • Phemedrone

      An information and wallet stealer written in C#.

    • xmrig

      XMRig is a high performance, open source, cross platform CPU/GPU miner.

    • XMRig Miner payload

    • Creates new service(s)

    • Drops file in Drivers directory

    • Stops running service(s)

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks