Analysis
-
max time kernel
149s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240611-en -
resource tags
arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system -
submitted
18-06-2024 16:26
Behavioral task
behavioral1
Sample
rust-stealer-public.exe
Resource
win7-20231129-en
Behavioral task
behavioral2
Sample
rust-stealer-public.exe
Resource
win10v2004-20240611-en
General
-
Target
rust-stealer-public.exe
-
Size
115KB
-
MD5
9b452c0c703f20d6092be28a257ac391
-
SHA1
b7a96b5b939f14395139a753d1fd427c0a31a876
-
SHA256
0a03e2a72c3dd45f44f88f7686d7d341e76d176baae2480079fa0dc9d5f844ee
-
SHA512
f2a3780cfccb1b7006ebbe00282bacf580ee0e5884711e1eda5c5a571bb7564caa168e891e8fd5b1bad7c2fda596c6adca3b32052752b4d8d6583847f6f6e967
-
SSDEEP
1536:lr9TeZRDy8hZy3RRCGy9B1FKny6dgbe656cxLNfWdng2lKht4:596ZR+jiB1EnHds56CW6e
Malware Config
Extracted
phemedrone
https://api.telegram.org/bot7034708090:AAFZQLDfGh63yhaFB1-Ey_Z8NfTyqDfE8ew/sendDocument
Signatures
-
Phemedrone
An information and wallet stealer written in C#.
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
rust-stealer-public.exepid process 4952 rust-stealer-public.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
rust-stealer-public.exedescription pid process Token: SeDebugPrivilege 4952 rust-stealer-public.exe
Processes
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/4952-0-0x00000000006C0000-0x00000000006E4000-memory.dmpFilesize
144KB
-
memory/4952-1-0x00007FF9F7B53000-0x00007FF9F7B55000-memory.dmpFilesize
8KB
-
memory/4952-2-0x00007FF9F7B50000-0x00007FF9F8611000-memory.dmpFilesize
10.8MB
-
memory/4952-4-0x00007FF9F7B50000-0x00007FF9F8611000-memory.dmpFilesize
10.8MB