phemedrone | c1574420313dd65222a683b43ebaee401c309ffab12ed72cdbf74e281e46b73e | Triage

Sharing

General

Target

c1574420313dd65222a683b43ebaee401c309ffab12ed72cdbf74e281e46b73e
Size

125KB
Sample

240406-n9c24sae75
MD5

1a070e009e5ac552cb105b613195692b
SHA1

99681a92500191dd4de7b8887262a07ef6a9bbfa
SHA256

c1574420313dd65222a683b43ebaee401c309ffab12ed72cdbf74e281e46b73e
SHA512

28ccb1ec1e120e598eb941a344d50ead8ad2322bed4fdc493224f152baee692d296b731823a63bf798e18cbf950383cf64da83c56de5357e4d76d57e50f4fb7e
SSDEEP

3072:erYcMLG/6NH4+ZCgZUbH5x6vfkwEK1ARXD+kK:MCHZCgZUbLQREKSS9

Score

10^/10

phemedrone persistence spyware stealer

Malware Config

Extracted

Family

phemedrone

C2

94.156.71.237

Targets

- Target
  
  c1574420313dd65222a683b43ebaee401c309ffab12ed72cdbf74e281e46b73e
- Size
  
  125KB
- MD5
  
  1a070e009e5ac552cb105b613195692b
- SHA1
  
  99681a92500191dd4de7b8887262a07ef6a9bbfa
- SHA256
  
  c1574420313dd65222a683b43ebaee401c309ffab12ed72cdbf74e281e46b73e
- SHA512
  
  28ccb1ec1e120e598eb941a344d50ead8ad2322bed4fdc493224f152baee692d296b731823a63bf798e18cbf950383cf64da83c56de5357e4d76d57e50f4fb7e
- SSDEEP
  
  3072:erYcMLG/6NH4+ZCgZUbH5x6vfkwEK1ARXD+kK:MCHZCgZUbLQREKSS9
Score

10^/10

phemedrone persistence spyware stealer
- Phemedrone
  An information and wallet stealer written in C#.
  stealer phemedrone
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Unsecured Credentials

Credentials In Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

phemedronepersistencespywarestealer

behavioral2

phemedronepersistencespywarestealer