phemedrone

Sharing

Copy URL

Twitter E-mail

General

Target

Nursultan_FREE_2024.zip
Size

181.9MB
Sample

240623-p9dt3s1ejh
MD5

7d2b9b9d96904a1f8e1f697d1fd89011
SHA1

94478e88b5ea244bfb51dfe6152d70d75d24b315
SHA256

bab8b5e74ab7210b030316dd5685f3fdcceac35bd3b3a90e5dd01592f8abb630
SHA512

c365dd69778196b9e3ee300d0aa1ee25b969d77406947454e11f6270d8464d5c7b87bef7b959fbbb72a3a4335b05c9d8d18a0a25820793e0d8dcf5b701b86999
SSDEEP

3145728:t+w3E+1VwaW7Fio95ER6bpdVhje9dhZMKHhh+jV3n5iyWKcLMlESZ8iX/0x:P0+HwaWOR63VhjePhZlT+pnPWKqMlNZK

Score

10^/10

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://drive.usercontent.google.com/u/0/uc?id=1ZRO0JMVWlqdCkDiMau3Ea7O_ARtuQLab&export=download

Extracted

Family

phemedrone

https://api.telegram.org/bot7274515778:AAEx4SxiDLjUG8dht4Cac1HVmxqTSwD_yL4/sendDocument

Targets

- Target
  
  Nursultan_FREE_2024.zip
- Size
  
  181.9MB
- MD5
  
  7d2b9b9d96904a1f8e1f697d1fd89011
- SHA1
  
  94478e88b5ea244bfb51dfe6152d70d75d24b315
- SHA256
  
  bab8b5e74ab7210b030316dd5685f3fdcceac35bd3b3a90e5dd01592f8abb630
- SHA512
  
  c365dd69778196b9e3ee300d0aa1ee25b969d77406947454e11f6270d8464d5c7b87bef7b959fbbb72a3a4335b05c9d8d18a0a25820793e0d8dcf5b701b86999
- SSDEEP
  
  3145728:t+w3E+1VwaW7Fio95ER6bpdVhje9dhZMKHhh+jV3n5iyWKcLMlESZ8iX/0x:P0+HwaWOR63VhjePhZlT+pnPWKqMlNZK
Score

1^/10
behavioral1
- Target
  
  NursultanNextgen2024/OpenAL.dll
- Size
  
  1.3MB
- MD5
  
  0f163156630cb64fbf0d0e35d73f1ea6
- SHA1
  
  3e61ac1236af119a550df18a403b2c65b5483dd3
- SHA256
  
  29bf4a0be8d6fa2c8e6f17cf37a2f94b61209bdc446052b239a2d8b44c624c78
- SHA512
  
  8e2524a10739caa77d2bfbdfad7228f23ecec681a3a248b6b06faa62647f67593f67c626e9fb7daae95bee2123536e56dab906a8ae84713e64723ebd01606c11
- SSDEEP
  
  12288:3hzRge0QCL6O63uwOEu4DV0cQdc8IH8tXqrQEC7CnkwGhHN8UOTe2M4bVatOdm17:HgySf63uXEDacfwt8hHqiDR30/s6S2
Score

1^/10
behavioral2
- Target
  
  NursultanNextgen2024/SAPIWrapper_x64.dll
- Size
  
  42KB
- MD5
  
  97ed307c26244e7e845a8e888099eb6f
- SHA1
  
  03c2989f7f633b56417c7831f53aeeb20065f61b
- SHA256
  
  43ca444fb76e71bbbb34b85b8ee6bda6f1cb5c9c29747d480b9dc3dc79435999
- SHA512
  
  155c460544b281c176dc75c497f96f168514b5fae746b9b946c96096558cfe00cd5bbf4eb7132bd5b9ce9836a3bba54d1d8299094ca68b8b42ca7fd5cee4801b
- SSDEEP
  
  768:aGucPfgSPYXYqo3/nDn6lllVsuScmgVJqGPMgBHHH:aG1XgSAXm3PHuScmgCGHpH
Score

1^/10
behavioral3
- Target
  
  NursultanNextgen2024/assets.rar
- Size
  
  4.9MB
- MD5
  
  18e6e3b39e78a2cdc999a10503ee6c3d
- SHA1
  
  2dcb7265e54a33cc1bbd6b08914712120e7e0723
- SHA256
  
  888dabbf512949d7e0d2c5ad7143b02cdabc16d314f7a3ef2db0eb88843caadb
- SHA512
  
  38049928c7935e00a03f85054b4887d641d087cd43264680573399b0f658b057b07ad3c3f48a7361ad8ff2abeb0694cb03b97fcfe9cb0cbcf257f097940ed230
- SSDEEP
  
  12288:XpaCOXfw0Nf5xF1XzotVVr6RaRaYaOa3aZamaFa4aLnBuNkQib:52fw03xFR02S7H68Hwl2j
Score

3^/10
behavioral4
- Target
  
  04/04933f2f39e339e7ba0db0c21812cb9ff9bdce8c
- Size
  
  8KB
- MD5
  
  dca1ebd29db74d29642b5e377542c901
- SHA1
  
  04933f2f39e339e7ba0db0c21812cb9ff9bdce8c
- SHA256
  
  1e8d26c5917fe410d9b4a7ef6fedff0a28bd8eca7f8ededc9aaec33703c551d3
- SHA512
  
  2dc8dbd5aba9dd92efdbdc9d14e3dbe2de453be5c2809ab1c3310189599cbb627973ae6af3ddf744f082f02ae5c2ad08021f6ca61eeaddb6dacf6c1b61f77309
- SSDEEP
  
  192:m+DJomrimXOct5g6kHpYlIl7RUSBGyZFC/B5OAn3Eu:3imzp26mpYlIjQAC/LO03Eu
Score

1^/10
behavioral5
- Target
  
  04/049a3049a5ac8631a6c5f367b7d824fc0d8de39b
- Size
  
  25KB
- MD5
  
  fc84743245bde7c52879a49f4f7e6d3e
- SHA1
  
  049a3049a5ac8631a6c5f367b7d824fc0d8de39b
- SHA256
  
  d36f423c43d3a476f3eea476fb9c15731b3630629a31cf1ceb7b6c138be4d7bc
- SHA512
  
  215202ad98b4cde68c854cee6be2fef45936c53572b2fc5447bf227385d2e51b88babbf80b062955f9daba57b8471d5b9ac5d77517a4189bee4576bf14c3a760
- SSDEEP
  
  384:kimzp26ZVOrjp1jAR0+qNJvCLd8SaWYPieJLQ1raJbcUNYvrsOTMGdIL/hrJN:K16phAR05s3vYPPLQ1+lcUmjsWMVPN
Score

1^/10
behavioral6
- Target
  
  04/04c43a7a9b7883538080f84bf5b4bcba0c8b9f8a
- Size
  
  139KB
- MD5
  
  384d50a8194d0ab12c6755f4aa7ad039
- SHA1
  
  04c43a7a9b7883538080f84bf5b4bcba0c8b9f8a
- SHA256
  
  a92241ecdb89fbeea76baf6512dd72226e89f05f16f91954c97c081be1aa5e42
- SHA512
  
  b7cf47dd6c09d003717faa7c298b3baddd8b5e7f9c88a7abb68cb14659dec40cec8d3116fca4283ea57322e9c2a83b46d5b6d3edb89dc54ee75307d3a58e7777
- SSDEEP
  
  3072:pZedAlwpr4rOv2G/az0PI2TgjrmFwYU6c6sCfzb+A9v0:pZWQYWOVaz0PLCKVcAzM
Score

1^/10
behavioral7
- Target
  
  04/04d00bc852751498fad759fe473fef917b51c55d
- Size
  
  28KB
- MD5
  
  84951008d92c88eeb533c35475319f17
- SHA1
  
  04d00bc852751498fad759fe473fef917b51c55d
- SHA256
  
  1fdcd0f8750827da1449aa152e824e01bedb388e3f493a86d114d40c84b41259
- SHA512
  
  51c047ad59c1b0bca64539bf33a04d790c5a40ab4314cccc8fad11d7051a1c7eee24a2a1b4c70b1b882875d2b9033e10709875157f25df2b102575c80251ac8e
- SSDEEP
  
  768:RkVsFajBLH1i9ofQSKCAP/8bPRaFf49I6LMtRaLwKnPIXfDxny2:s09ofjLY/8bZ6f499Mr9sPIrp
Score

1^/10
behavioral8
- Target
  
  04/04d181f5f4d61d2215175a1e63e7caaf9b624ab2
- Size
  
  6KB
- MD5
  
  94a34264c571db080438ee3b19c6e524
- SHA1
  
  04d181f5f4d61d2215175a1e63e7caaf9b624ab2
- SHA256
  
  dc438a2b3290c1e8fcf84ac7845ad3c0855edf995a0ba13d0296fec31666d3c8
- SHA512
  
  d45bd0444f208a18eac991ad4784bcd8712f490f4aae4269afd1e21cd2bfd92d47d9d3c8a943834695f15418dfe5d873fe7ed34531748b92782c943600e0c308
- SSDEEP
  
  96:UY4zOrVko1BJoQSHThf5mfXgFjQq6eno3ObmkP6PebXTfIA3fm6MVKuDMTvKV/+e:x9DJopTxIXg1fnEObzcVYfSVyPidI2T
Score

1^/10
behavioral9
- Target
  
  04/04de7b3f382c41f8bfa36ea205f3ae807457ff7f
- Size
  
  16KB
- MD5
  
  92ea441c41a44827c7990b05f22d5135
- SHA1
  
  04de7b3f382c41f8bfa36ea205f3ae807457ff7f
- SHA256
  
  755ff7317e8c83a15b761e0f0c619277f7531dd9fb42772e41df5106c6d047c9
- SHA512
  
  bbb61e9ceef563434c503e45d99d52240f42d60ad51ca04f36821209783714e0bb90b23e0e4ca564fcce60dc0f5b6824e7e2338959a039f723beeb8a815c579b
- SSDEEP
  
  384:limlNs5sublHZYpcBsOLuzRA9mY1xQrynf5+YuL4aN:5lKHF3uzRcfrM8aN
Score

10^/10

phemedrone xmrig defense_evasion evasion execution miner persistence spyware stealer upx
- Phemedrone
  An information and wallet stealer written in C#.
  stealer phemedrone
- xmrig
  XMRig is a high performance, open source, cross platform CPU/GPU miner.
  miner xmrig
- XMRig Miner payload
  miner
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- Creates new service(s)
  persistence execution
- Drops file in Drivers directory
- Stops running service(s)
  evasion execution
- Executes dropped EXE
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Legitimate hosting services abused for malware hosting/C2
- Power Settings
  powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
  persistence
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral10
- Target
  
  04/04f5636909319c54405c20ff932d92397523aa7a
- Size
  
  18KB
- MD5
  
  33f8d061487f27d9ec6adc168ad5d28d
- SHA1
  
  04f5636909319c54405c20ff932d92397523aa7a
- SHA256
  
  041c73d924cb0c7c682193e2dfcdf01a54eb6d85c9b400d29128123d6b141cf2
- SHA512
  
  f29bcc814d7ce8d2d33a2f6588b64ec161ba7af39fd86af21ecaf66ac091f4b76461e35856c1db228c4e7d73fe29833dc076a4b80c6be079329a248602005879
- SSDEEP
  
  384:GYjKB04lJMDgtLjP/p2qec0x84H8eeYuGm0ZQjIr:GAiagRp2q5eZAIr
Score

1^/10
behavioral11
- Target
  
  04/3d0cb49d33b9bb2462ad183f65e2e11aea3c1eff — копия (3)
- Size
  
  44KB
- MD5
  
  2229190d824f18ea78ad59fe6ee22b63
- SHA1
  
  f73f321849f202dc1e53a2f097e574805cd86cb4
- SHA256
  
  1971f48c01e41613039b4b33209015291286c961e91d3c49d5062fcb45c9c14a
- SHA512
  
  0ee81593069d58b1ef06e523004baff8c46d1214344bdc73319e9f931e96faf71854157357bb3f7c6834408d41d12a06a6ecdc128cca5cef7956f7fca580a124
- SSDEEP
  
  768:NCNS6scOq5FF9N0RDy2RscOq5ex/bSZJTNF9N0RDy2RscOq5ex/bSZJTn:QNXBjrNODyEBjsx/KNODyEBjsx/0
Score

1^/10
behavioral12
- Target
  
  04/3d0cb49d33b9bb2462ad183f65e2e11aea3c1eff — копия (3) — копия
- Size
  
  44KB
- MD5
  
  2229190d824f18ea78ad59fe6ee22b63
- SHA1
  
  f73f321849f202dc1e53a2f097e574805cd86cb4
- SHA256
  
  1971f48c01e41613039b4b33209015291286c961e91d3c49d5062fcb45c9c14a
- SHA512
  
  0ee81593069d58b1ef06e523004baff8c46d1214344bdc73319e9f931e96faf71854157357bb3f7c6834408d41d12a06a6ecdc128cca5cef7956f7fca580a124
- SSDEEP
  
  768:NCNS6scOq5FF9N0RDy2RscOq5ex/bSZJTNF9N0RDy2RscOq5ex/bSZJTn:QNXBjrNODyEBjsx/KNODyEBjsx/0
Score

1^/10
behavioral13
- Target
  
  04/3d0cb49d33b9bb2462ad183f65e2e11aea3c1eff — копия (4)
- Size
  
  44KB
- MD5
  
  2229190d824f18ea78ad59fe6ee22b63
- SHA1
  
  f73f321849f202dc1e53a2f097e574805cd86cb4
- SHA256
  
  1971f48c01e41613039b4b33209015291286c961e91d3c49d5062fcb45c9c14a
- SHA512
  
  0ee81593069d58b1ef06e523004baff8c46d1214344bdc73319e9f931e96faf71854157357bb3f7c6834408d41d12a06a6ecdc128cca5cef7956f7fca580a124
- SSDEEP
  
  768:NCNS6scOq5FF9N0RDy2RscOq5ex/bSZJTNF9N0RDy2RscOq5ex/bSZJTn:QNXBjrNODyEBjsx/KNODyEBjsx/0
Score

1^/10
behavioral14
- Target
  
  04/3d0cb49d33b9bb2462ad183f65e2e11aea3c1eff — копия (4) — копия
- Size
  
  44KB
- MD5
  
  2229190d824f18ea78ad59fe6ee22b63
- SHA1
  
  f73f321849f202dc1e53a2f097e574805cd86cb4
- SHA256
  
  1971f48c01e41613039b4b33209015291286c961e91d3c49d5062fcb45c9c14a
- SHA512
  
  0ee81593069d58b1ef06e523004baff8c46d1214344bdc73319e9f931e96faf71854157357bb3f7c6834408d41d12a06a6ecdc128cca5cef7956f7fca580a124
- SSDEEP
  
  768:NCNS6scOq5FF9N0RDy2RscOq5ex/bSZJTNF9N0RDy2RscOq5ex/bSZJTn:QNXBjrNODyEBjsx/KNODyEBjsx/0
Score

1^/10
behavioral15
- Target
  
  NursultanNextgen2024/jemalloc.dll
- Size
  
  111KB
- MD5
  
  726d3ca3bf8bc182bffc9cc126c243ed
- SHA1
  
  78f043b314a7c8573e6fff69dc558cf1126af225
- SHA256
  
  c708bc4b3015403a5240bd949bc6b98df97c0cfcf5a9a269e7999c4726b76cbe
- SHA512
  
  a90bdc4300e3bb72d0e0df072c97cfd380dadfe3e14117616ee9a282865a696b7c5d238363fa472305c936c44449fe751cc4c5ad7e11b85d3a8faf2380a76736
- SSDEEP
  
  1536:/tUU+1voe+krM51raaETSNBh3okitp6TflKE/lyfW04fEL9Y59C6:b+ZUkrMuHTSNBh3okitQj1lyfWSGu6
Score

1^/10
behavioral16
- Target
  
  NursultanNextgen2024/lwjgl.dll
- Size
  
  234KB
- MD5
  
  340a4e25597be14b9bd6a6c61cfef0d6
- SHA1
  
  c4440d52b24129261e530a55ab87375871e38618
- SHA256
  
  8695f043eccc65091bf8077bbd05281e4ad08081724d2a6d8878f3c8891dfc6e
- SHA512
  
  ee83f21ba058a71af93c35d0cfef4b2a2d97a767aa0d12a0946d0eecae378a24143eac04dc832b06e4e1eab3daee00ca7cc67fbc4b9d337069b0252b068ae112
- SSDEEP
  
  3072:OeJIN2OcGc/dRecVzYk5nC2gc70FmimAYyKr1nBM/UK7MQPUxi9/lo6TAXFjlzXk:DuKz1aYrhA/UK4QPUY92I
Score

1^/10
behavioral17
- Target
  
  NursultanNextgen2024/lwjgl_opengl.dll
- Size
  
  7.4MB
- MD5
  
  e669283790077343477be2e0a7578891
- SHA1
  
  5b6e41b930aedcc1f6ccd9301448e6c0eacc1315
- SHA256
  
  b11625c73e8ef0f76058b2ef7d7f09dc3453988eba227e9d7b2310eea923d7a9
- SHA512
  
  f81376c9727614d12a1825c71b93024ff9659822f6dc8f660277e85467081e1755ced1e53241d6009b09214c5f7fd0cfab47383bb6a42077757b0bd1cd2fa71b
- SSDEEP
  
  98304:8mg7qz9u16T8R2y1fUv50DKKNUqGX1Y5l533y9SSFr32W3:8vqRu16T8RpfSaDKKNUqGX032z3Z3
Score

1^/10
behavioral18
- Target
  
  NursultanNextgen2024/lwjgl_stb.dll
- Size
  
  102KB
- MD5
  
  b5ee40662104194eb904fd559d5e781e
- SHA1
  
  224a48ab7ba6fcdbf684ca841d059c9bd297376e
- SHA256
  
  2865f9df4a6635135fe40029e43e76e11287c2deb30e4b023c7acbfd896aca58
- SHA512
  
  35f61a019be990ab65316e03ca6de3691426da1d232d1caf90e0d8dcc3c020a7c6db13207fbbbad74b39b653740594a26a8038c43ce1d478c17090209b75962c
- SSDEEP
  
  1536:CqP4/ysXsu3E2BuY/5dCFegxqN9BBJ5QBJXM+ETV4JJARDeQfLpcI:C5/GYRdfBJ5QBJ7lC7La
Score

1^/10
behavioral19
- Target
  
  NursultanNextgen2024/minecraft.jar
- Size
  
  36.6MB
- MD5
  
  1bc56c1c09bb5d108365c0992291f5c6
- SHA1
  
  7c47e8db8b527b256520499033f0c39ab2fee449
- SHA256
  
  15788f4491bbaefd419c7a152a2ce35e59ad827218260a10430a2fcf23e30cf6
- SHA512
  
  a283f96cc878a88125cdb1e959f17044ddcb4031e566f4a3273012e4cbfc568004b2a25c54896b104fe0ede950193b518f6be283de260679871e8860ea88c86d
- SSDEEP
  
  786432:J67l/W65D0Dspv3aagZb+1VBy3W8B4YrA2ysrjAAi81iVZV6zihX1:el/94Y93gb+1VAP4YrA2y5AnCZVrf
Score

7^/10

discovery
- Modifies file permissions
  discovery
- Drops desktop.ini file(s)
behavioral20
- Target
  
  NursultanNextgen2024/natives.rar
- Size
  
  130.7MB
- MD5
  
  0996f1c0771894aa1bfe7f0aa9da7b6e
- SHA1
  
  e95a44d91e5314d7cecb00d8daa97f44c2a2e068
- SHA256
  
  750ebb269fea4f5ccc14fc842b65dac8c3fafab11b3ebd490740a4b6aeb9be89
- SHA512
  
  41eb66d59ca43215c446cb30d1f70968b32b490d2ec1701b96f669a969c439a6c4a47364560e39cf95f87cef9045c63799c9dbcb6b017243f91365ecaffb7531
- SSDEEP
  
  3145728:XFio95ER6bpdVhje9dhZMKHhh+jV3n5iyWKcLMlESZ8iX/0K:CR63VhjePhZlT+pnPWKqMlNZ3MK
Score

3^/10
behavioral21
- Target
  
  natives/Nursultan.dll
- Size
  
  130.9MB
- MD5
  
  677fade82777815bfa26725e136d3791
- SHA1
  
  3ede1c959e60cca82c44a8124eba232b24efb63c
- SHA256
  
  97fd7c6ad118abc2af2b5454c7aeae413ecd21dae7be66830e30b5dd09d6b1e4
- SHA512
  
  8b005413ea6b1163ba056cac618012513abe745505ca50df0d145666cf2deb6b4d0db132b352cc7c62538b9295aefb83fa200492143487be83cc7dd3dceeb346
- SSDEEP
  
  3145728:sxez3Uijs5lAL/k13DD6Dw5jIDjjr2n0JBM5b8A1Ks6:s631js5l+uH6DwjIDjjc0UOA4
Score

5^/10
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral22
- Target
  
  natives/OpenAL.dll
- Size
  
  1.0MB
- MD5
  
  a21338306c8027ebc459c57db8459777
- SHA1
  
  dc8f7a5704164fe3dff3631c326bab7159a9358d
- SHA256
  
  1e128050e6ecd9da7a030f76b24d93a1dcb7de55b02d80cd2e2683818e895b5a
- SHA512
  
  eb80fc1924985db488175ee87389cf8ce7e851f78370f339a77ff09d7323ce5fee2e63e3562d299a6436a4d5f31cce0194fe2d1c9c4cc47809ba6d3cfb8a47eb
- SSDEEP
  
  24576:Xr0+fjUIVeMqRF/HuYDstAyAS7vUipuBuAEgFpti33Ja:PjF7qRF/HYrZvUnBuAjpti33M
Score

1^/10
behavioral23
- Target
  
  natives/SAPIWrapper_x64.dll
- Size
  
  83KB
- MD5
  
  214a0bc5ae5882495d94f7779d64b323
- SHA1
  
  c4a293116e7531d950db2d5ea737e61a9912b61d
- SHA256
  
  a8b701f1ed640bfc7e842f9bc07dd493fad3284f15bc1fa9dfc15371733d6326
- SHA512
  
  0da432d50569f753c0c9831b8854732c0e23fb382ef36d17a1d460e8e4c431495ce0358cc658da87d19e39c58230370423a58adabdf3f92a578a2279d84a7e58
- SSDEEP
  
  1536:/0tGA00KTHlHZeCbxnnQOzAGg1wsWjGpRsBQ+8/iJyzfGdc9dlVkloExc:/0tgTTFHZj9nnQOz1I0GpRsBQ+8/iJyZ
Score

1^/10
behavioral24
- Target
  
  natives/glfw.dll
- Size
  
  347KB
- MD5
  
  532f9686b0b55b3d7cf9f6733f29ba28
- SHA1
  
  9d95a8f52cbd48ab87937714eb4fd2129ed10f0a
- SHA256
  
  7cc30e89f7fd61ca8532b4ecb9e05598cf426d0a336bc382a128e28b824a8962
- SHA512
  
  6e6fe022238e69565fed6cb85fa74b913aed187487da4133a3e14b7eca230bbf5d70c8ab88d02b15e68a0a10549130ff2b0f2eb7d85ef3af8f92218327cfadfc
- SSDEEP
  
  6144:BzJVXAXWofCvG4AnlKVGb8Z7ESBI5yTAdj:BzJVQXW6CvFAlOxzG
Score

1^/10
behavioral25
- Target
  
  natives/jemalloc.dll
- Size
  
  248KB
- MD5
  
  cdcaa2d4874a0aaab526c52e1fff2fea
- SHA1
  
  8a6eb00b934da6c97b0dc9d2dc321843076c8987
- SHA256
  
  b147a3cc1fce8a514a558a030fe647a4a91761769eedec1c1ca2be1cd712a9e8
- SHA512
  
  270ae883818c2cea891c3efae717aa3f455c902721ad80441b0f2b28e58bf9aeba67bb1fb65d76f20d09a4c937a089ee1018439b3815b9fcdb7d7fdcce704853
- SSDEEP
  
  6144:5ISPvZG+86Mzlpb2mnk5uIXhy3hKT4W5i6wb:5n86MppbkxwKMb
Score

1^/10
behavioral26
- Target
  
  natives/lwjgl.dll
- Size
  
  439KB
- MD5
  
  310adc26c92b020fb6d2944092d81312
- SHA1
  
  d01410449d2402a952e9a6063699f1868196883f
- SHA256
  
  207fcf6f27e60600772d202f52ba00edcd085048da30523d3ac03092dd30f873
- SHA512
  
  db4c6f1c8accea57ad395be51f3fd673cd5577b955ea5051ffd2269c1fa62437e18753104499ecd0af954fd5fc6a9478a13f499f68dc1e12295823f7120ede2d
- SSDEEP
  
  6144:02gUXvUg6HVz/8rCkEZK+rY1ELoR18+D:02gUXvUnF/m8VNkR3
Score

1^/10
behavioral27
- Target
  
  natives/lwjgl_opengl.dll
- Size
  
  333KB
- MD5
  
  780ed18868c28c0c249379982ea3297a
- SHA1
  
  8e9836dd0d1691356db654aa02533ad80e9bf52c
- SHA256
  
  92aec0f2b142a56ad8f361919ee0e6b387c92269efc9645071db6561ae9b6324
- SHA512
  
  430136fa22df4753c460ba4f3bfe18f9be1b1d0f0b59deedb9d5ba1e1db54ae5da3a74c3951eb59ae0b8760b5b6806373a76811c5b6f69f18bd966978f5d0e1f
- SSDEEP
  
  3072:4LVyef0be4PP+OI7RSW3Dm/W99vMdvBAoF/5OZX2lh2mH3+F5Tye:MVrQnXrW3iWCaZeO
Score

1^/10
behavioral28
- Target
  
  natives/lwjgl_stb.dll
- Size
  
  488KB
- MD5
  
  236817b9ba4f101e25518f1158b7691f
- SHA1
  
  8b047fb3f6c31946fe33157e7912ac31595cd3b8
- SHA256
  
  64b424ce5142ce23b43e2e2bc5cc8543add7c0037a151b279e4e17aa7f7600a0
- SHA512
  
  bc5624cc4b08f75247ff6c53f737be9938199273a45065a8fb05b6057aa7bbd1a39a1b59adb86d952a2680080dbb1ef3483a8e054029f0bf62395e0c551dbe9c
- SSDEEP
  
  12288:kJ3JRsrmLj3DyaVfBrWFWplDFRWeotDqR:UngmLTDyaVJrWQXDFgeUqR
Score

1^/10
behavioral29
- Target
  
  natives/lwjgl_tinyfd.dll
- Size
  
  209KB
- MD5
  
  5dc7452c51330beb7a178d7093cdac49
- SHA1
  
  ec0fd8007afba6697d5b3b8249b5be27096a0ce8
- SHA256
  
  696a87865bf27f2cb9bc866e6d75e1a4ee3e8c469180cb9f8ebb90a2af876d10
- SHA512
  
  a671123d7ea2f5dd2f307e19627b456b7a1fe62920c64cb08fdcc4be5f0ba017c5b72a0e9ba428fa5996a82584e039818bc41051b7e883d70252b69926f82716
- SSDEEP
  
  3072:7+Oyz6WBIDhWW3gDYP1EKvqotQZGXNKSMYghpYCS1DQmdJQFACZ1sai3Uzz2KC:7+zxShWW3gDYtC7cXfMY63S1ag/bK
Score

1^/10
behavioral30
- Target
  
  NursultanNextgen2024/rar/UnRAR.exe
- Size
  
  494KB
- MD5
  
  98ccd44353f7bc5bad1bc6ba9ae0cd68
- SHA1
  
  76a4e5bf8d298800c886d29f85ee629e7726052d
- SHA256
  
  e51021f6cb20efbd2169f2a2da10ce1abca58b4f5f30fbf4bae931e4ecaac99b
- SHA512
  
  d6e8146a1055a59cba5e2aaf47f6cb184acdbe28e42ec3daebf1961a91cec5904554d9d433ebf943dd3639c239ef11560fa49f00e1cff02e11cd8d3506c4125f
- SSDEEP
  
  6144:yY8mmN3YWYGAj9JwXScp39ioIKzKVEKfr01//bbh3S62Wt3A3ksFqXqjh6AusDyn:yY8XiWYGAkXh3Qqia/zAot3A6AhezSpK
Score

3^/10
behavioral31
- Target
  
  NursultanNextgen2024/start.bat
- Size
  
  100KB
- MD5
  
  45ccb4e03696834d0852bb90f65e3629
- SHA1
  
  0d67056066728699a323f63510cdadefc9504084
- SHA256
  
  7e0903c4f236d2e0e92522ede6284ea24464af4e86c812cce72e897bb2a87754
- SHA512
  
  0c30ab9c768d378d29ad4fdc16d3321038dc71040d041deb8604751f950691aef8a2e6c817578db9057ffb0460f3b3b97f44488f884b2fd7b18f0bde9f2d4561
- SSDEEP
  
  3072:9AP7YD2E0xfyQZbsRdwNWuiTvEoryDJV9MTtnI3:9A8D2x66sRdwku+T4MTtI3
Score

10^/10

phemedrone xmrig defense_evasion evasion execution miner persistence spyware stealer upx
- Phemedrone
  An information and wallet stealer written in C#.
  stealer phemedrone
- xmrig
  XMRig is a high performance, open source, cross platform CPU/GPU miner.
  miner xmrig
- XMRig Miner payload
  miner
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- Creates new service(s)
  persistence execution
- Drops file in Drivers directory
- Stops running service(s)
  evasion execution
- Executes dropped EXE
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Legitimate hosting services abused for malware hosting/C2
- Power Settings
  powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
  persistence
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral32

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Power Settings

T1653

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

File and Directory Permissions Modification

T1222

Hide Artifacts

T1564

Ignore Process Interrupts

T1564.011

Impair Defenses

T1562

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Targets

xmrig

XMRig Miner payload

Blocklisted process makes network request

Command and Scripting Interpreter: PowerShell

Creates new service(s)

Drops file in Drivers directory

Stops running service(s)

Executes dropped EXE

Reads user/profile data of web browsers

UPX packed file

Legitimate hosting services abused for malware hosting/C2

Power Settings

Drops file in System32 directory

Suspicious use of SetThreadContext

Modifies file permissions

Drops desktop.ini file(s)

Suspicious use of NtSetInformationThreadHideFromDebugger

Phemedrone

xmrig

XMRig Miner payload

Blocklisted process makes network request

Command and Scripting Interpreter: PowerShell

Creates new service(s)

Drops file in Drivers directory

Stops running service(s)

Executes dropped EXE

Reads user/profile data of web browsers

UPX packed file

Legitimate hosting services abused for malware hosting/C2

Power Settings

Drops file in System32 directory

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10

behavioral11

behavioral12

behavioral13

behavioral14

behavioral15

behavioral16

behavioral17

behavioral18

behavioral19

behavioral20

behavioral21

behavioral22

behavioral23

behavioral24

behavioral25

behavioral26

behavioral27

behavioral28

behavioral29

behavioral30

behavioral31

behavioral32