phemedrone | effd48689ee7728a354cd1520d6193a75eae8dc8b39c954dc3ca132241eb0906

General

Target

Blaster.rar
Size

65.1MB
MD5

df9039f8873c36812398f7f7bcd9edca
SHA1

cb08ca1fbf02c524ed9b425ecc0ff40d327067e6
SHA256

effd48689ee7728a354cd1520d6193a75eae8dc8b39c954dc3ca132241eb0906
SHA512

f57d4ea8367ef28249c8209f931760f98116e4d57c3beaea71c7f5101fdbc448606cf7a23f101942de583aefeff4dc0ca5b33fd95514ba10f0dc288e6aab8c55
SSDEEP

1572864:wLpnCLVxoqtFOjJbt8vuTO885ctzkqXt6BuqDh9Rm7VKMJ2M:wLgPoqHF88+tz+uqNb652M

Score

10^/10

phemedrone spyware stealer

Malware Config

Extracted

Family

phemedrone

C2

https://api.telegram.org/bot7198738266:AAHTvaHo7OnTgbVRXdKU7z4g6AfvN3nTrb8/sendDocument

Signatures

Phemedrone
An information and wallet stealer written in C#.
stealer phemedrone

Executes dropped EXE 2 IoCs

pid	Process
1988	Blaster.exe
1948	Blaster.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	Blaster.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	Blaster.exe

Opens file in notepad (likely ransom note) 2 IoCs

ransomware

pid	Process
2076	NOTEPAD.EXE
428	NOTEPAD.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2040	7zFM.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeRestorePrivilege	2040	7zFM.exe
Token: 35	2040	7zFM.exe
Token: SeSecurityPrivilege	2040	7zFM.exe
Token: SeDebugPrivilege	1988	Blaster.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2040	7zFM.exe
2040	7zFM.exe
2040	7zFM.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 552 wrote to memory of 2040	552	cmd.exe	29
PID 552 wrote to memory of 2040	552	cmd.exe	29
PID 552 wrote to memory of 2040	552	cmd.exe	29

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Blaster.rar
1⤵
- Suspicious use of WriteProcessMemory
PID:552
- C:\Program Files\7-Zip\7zFM.exe
  "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Blaster.rar"
  2⤵
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:2040

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\Blaster\options.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:2076

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\Blaster\optionsof.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:428

C:\Users\Admin\Desktop\Blaster\Blaster.exe
"C:\Users\Admin\Desktop\Blaster\Blaster.exe"
1⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
PID:1988

C:\Users\Admin\Desktop\Blaster\Blaster.exe
"C:\Users\Admin\Desktop\Blaster\Blaster.exe"
1⤵
- Executes dropped EXE
PID:1948

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Unsecured Credentials

2

T1552

Credentials In Files

2

T1552.001

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Desktop\Blaster\Blaster.exe

Filesize
105KB

MD5
4a56224d01da9e9bb95d7532f3451cae

SHA1
438ae2aa5cba25138b700dae1182ee93b5e0264c

SHA256
fb534e9e89aa88bfdb599bcbf37bab89da54fd26ff7ddedc794fc5d05c0fd0c2

SHA512
ffaed8481bf8953187ba02c2d1b094d9b0ec2357d8716f60aa6d77096d7c37b2e82cdeb3634d347b89582e97c5aea0f65ef4bda5140fd35178f064e7c3a406cd

Download Submit
C:\Users\Admin\Desktop\Blaster\options.txt

Filesize
2KB

MD5
7b5b91c9901c1a92803afef932295df9

SHA1
58324704052734566aab52dc7c9b090883161a78

SHA256
73ef4bb7c662a8fb3094bd7255f74873bf15324512af815b55153746edcedf78

SHA512
186525a5e686fd314c1c932c7e497a2332f589eb93c47900dae7316b68a9c76d1600adb17913b3a70d658acf7ca997ec164a8d196adf479c1a74e1267ab6df48

Download Submit
C:\Users\Admin\Desktop\Blaster\optionsof.txt

Filesize
1KB

MD5
eea9375b6dc2181a9401a334c4b1851c

SHA1
2a1c2c8149223f471e763bb7a64c21d3b2660bd4

SHA256
858be3f268e08f9f716d8aaf931d5b3a7581fa2968f45ebae2cc8451b48b2b62

SHA512
56a47556a084f5c3ba36a17d1100c9394e11cafee5680436400dd46b97d7f5907018d0607703ae2eb6c0a4aa6f93184242db20dac7090f58f57772c8ed6b4c83

Download Submit
memory/1988-188-0x0000000001100000-0x0000000001120000-memory.dmp

Filesize
128KB

Download

Resubmissions

Analysis

Sharing