General

  • Target

    NursultanNextgen2024.zip

  • Size

    5.2MB

  • Sample

    240606-n666saeg95

  • MD5

    13895118bf969b95d185bc89491ab992

  • SHA1

    69fb78db089439d151d340dfa785ad34dd1c6e65

  • SHA256

    c1246db99e2391de3ab074eee3815e638e8546b626103281948c560002970e6d

  • SHA512

    55a900ab03bb966b19339aa3daa9dc0e5d32a258e0d72547e09c49c2a2ca2dbf44699a67804f2fb638accc268e8f5bc31d0f1fa57ce77441b71f56518c6c34c3

  • SSDEEP

    98304:ZEza36EM1LGCkH1tpnOwIuufdQHrmnEkqiQJa8OPTgkSJ7j0SkdFUYnE0KXo5i1:Zmi6EomtpLINfdZnEkqiBl8ljIdFo0Kh

Malware Config

Extracted

  • Language

    ps1

  • Deobfuscated

  • URLs

    exe.dropper: https://drive.usercontent.google.com/u/0/uc?id=1ZRO0JMVWlqdCkDiMau3Ea7O_ARtuQLab&export=download

Extracted

  • Family

    phemedrone

  • C2

    https://api.telegram.org/bot7274515778:AAEx4SxiDLjUG8dht4Cac1HVmxqTSwD_yL4/sendDocument

Targets

    • Target

      rar/UnRAR.exe

    • Size

      494KB

    • MD5

      98ccd44353f7bc5bad1bc6ba9ae0cd68

    • SHA1

      76a4e5bf8d298800c886d29f85ee629e7726052d

    • SHA256

      e51021f6cb20efbd2169f2a2da10ce1abca58b4f5f30fbf4bae931e4ecaac99b

    • SHA512

      d6e8146a1055a59cba5e2aaf47f6cb184acdbe28e42ec3daebf1961a91cec5904554d9d433ebf943dd3639c239ef11560fa49f00e1cff02e11cd8d3506c4125f

    • SSDEEP

      6144:yY8mmN3YWYGAj9JwXScp39ioIKzKVEKfr01//bbh3S62Wt3A3ksFqXqjh6AusDyn:yY8XiWYGAkXh3Qqia/zAot3A6AhezSpK

    • Score

      3/10

    • Target

      start.bat

    • Size

      100KB

    • MD5

      45ccb4e03696834d0852bb90f65e3629

    • SHA1

      0d67056066728699a323f63510cdadefc9504084

    • SHA256

      7e0903c4f236d2e0e92522ede6284ea24464af4e86c812cce72e897bb2a87754

    • SHA512

      0c30ab9c768d378d29ad4fdc16d3321038dc71040d041deb8604751f950691aef8a2e6c817578db9057ffb0460f3b3b97f44488f884b2fd7b18f0bde9f2d4561

    • SSDEEP

      3072:9AP7YD2E0xfyQZbsRdwNWuiTvEoryDJV9MTtnI3:9A8D2x66sRdwku+T4MTtI3

    • Phemedrone

      An information and wallet stealer written in C#.

    • xmrig

      XMRig is a high performance, open source, cross platform CPU/GPU miner.

    • XMRig Miner payload

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Uses the powershell.exe command.

    • Creates new service(s)

    • Drops file in Drivers directory

    • Stops running service(s)

    • Executes dropped EXE

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • UPX packed file

      Detects executables packed with the UPX open-source packer or a modified variant of it.

    • Legitimate hosting services abused for malware hosting/C2

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks