phemedrone | 685231e2f096d41dd68be99374efd124a4c4ff316725dcddaab560dd928d0aea | Triage

Sharing

General

Target

319218e4eb0d6637a76668a228e32de3.bin
Size

61KB
Sample

240620-bqp64s1bqb
MD5

18f35a3dc7970115df43487a25dbd199
SHA1

fa29656e68299f297ddd8034499c3a2745b24864
SHA256

685231e2f096d41dd68be99374efd124a4c4ff316725dcddaab560dd928d0aea
SHA512

844db9256bc48de8c98a1e74dee7d2a27e19b525c9362e29e0190f7a4467ff9bfd35a38bf4b32bbac924b15fd26bf37c3daa59958cef0746e758767466871a81
SSDEEP

1536:jN6DHkt0XGxF3S6okzmLIKx5HhnpN1IzPMAHqMZRzCZQV9Ujcu:M0MIoZTzhpNDgq5ZQFu

Score

10^/10

phemedrone execution persistence spyware stealer

Malware Config

Targets

- Target
  
  3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe
- Size
  
  144KB
- MD5
  
  319218e4eb0d6637a76668a228e32de3
- SHA1
  
  20523303d722a7747deb6154a5d4401e1b932d56
- SHA256
  
  3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358
- SHA512
  
  db3d1637c178bdf3c8c5b754fe72c388a3da176b2d0a7727e89f2c257bcb93b1574eda1de7f6ea25e493949f47157c07637fbe1169fe6c9481cc42d925293fe6
- SSDEEP
  
  3072:HGNhvhNC38S7gzQ/cmD4ULz82nyLOLt/w/HOWJbG5vcX+skwEKEAm31D5:EzQ/2my2w/uWJbGFsREKQ1
Score

10^/10

phemedrone execution persistence spyware stealer
- Phemedrone
  An information and wallet stealer written in C#.
  stealer phemedrone
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Unsecured Credentials

Credentials In Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

phemedroneexecutionpersistencespywarestealer

behavioral2

phemedroneexecutionpersistencespywarestealer