Overview

overview

10

Static

static

1

Nursultan ...hk.zip

windows7-x64

1

Nursultan ...hk.zip

windows10-2004-x64

1

Nursultan ...rt.bat

windows7-x64

10

Nursultan ...rt.bat

windows10-2004-x64

4

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Nursultan Alpha By Fleshk.zip

  • Size

    97.8MB

  • Sample

    240627-w8brnawgnq

  • MD5

    01cd8c8066014ca22656001bda5e1cad

  • SHA1

    e6184a3542886ea5048c1605ff31704721b95b7b

  • SHA256

    80b5ec95630e41ab434aa5173bf0e01d649c988c8a808f5c6dc9f5429ec6dea9

  • SHA512

    31deb0eb99745619cb83f8e0ca5c867269c51dba6c36a3260b11d62de425e6cb5708f8ced11091a5ce36dab0a1ef87cddc0e6ced67c44f29d7fb10a7cb74c7b7

  • SSDEEP

    3145728:uXkNG9af8Jo2yViibaJM5qI/qn3C58scDiAQ8j8DwP:uUssR2yUwaisWqn3s8RvQ8j8DwP

Score
10/10
phemedronexmrigdefense_evasionevasionexecutionminerpersistencespywarestealerupx

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

https://drive.usercontent.google.com/u/0/uc?id=1uH0vQ_juAop0fqiOEIdPBdq1AMQmvndT&export=download

Extracted

Family

phemedrone

C2

https://api.telegram.org/bot7087491532:AAFyJTUKmPdaQsSkA8bsrPF4ocXLBXAI-iI/sendMessage?chat_id=-4169712409

Targets

    • Target

      Nursultan Alpha By Fleshk.zip

    • Size

      97.8MB

    • MD5

      01cd8c8066014ca22656001bda5e1cad

    • SHA1

      e6184a3542886ea5048c1605ff31704721b95b7b

    • SHA256

      80b5ec95630e41ab434aa5173bf0e01d649c988c8a808f5c6dc9f5429ec6dea9

    • SHA512

      31deb0eb99745619cb83f8e0ca5c867269c51dba6c36a3260b11d62de425e6cb5708f8ced11091a5ce36dab0a1ef87cddc0e6ced67c44f29d7fb10a7cb74c7b7

    • SSDEEP

      3145728:uXkNG9af8Jo2yViibaJM5qI/qn3C58scDiAQ8j8DwP:uUssR2yUwaisWqn3s8RvQ8j8DwP

    Score
    1/10
    behavioral1behavioral2

    • Target

      Nursultan Alpha/start.bat

    • Size

      330KB

    • MD5

      4d51a6fcf1d1e0fbd616656feb5641f8

    • SHA1

      c7cac69757bea9e7c820fce38f37d70ff08c146f

    • SHA256

      2613a7f261d596639b1841cc59877b33d5027236b89ae6121f972625a504c48c

    • SHA512

      7d06aebef47071ad253dffda6859849c9c473ba7b7a13079dfb0d758c9b4a468f875921993ae37d4cc5b1be5158102f263f29f1b04a2f84e0adef4f8b712650e

    • SSDEEP

      6144:NgYR1+4N5cnf1HYyu9YgYj91ZfXzjIzK9LRzNPGua1q1qkH4oeO1CWVUNi9S9:NtYRY9a9DPzNYd1JkH4wbVs

    Score
    10/10
    phemedronexmrigdefense_evasionevasionexecutionminerpersistencespywarestealerupx

    • Phemedrone

      An information and wallet stealer written in C#.

      stealerphemedrone

    • xmrig

      XMRig is a high performance, open source, cross platform CPU/GPU miner.

      minerxmrig

    • XMRig Miner payload

      miner

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Using powershell.exe command.

      execution

    • Creates new service(s)

      persistenceexecution

    • Drops file in Drivers directory

    • Stops running service(s)

      evasionexecution

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Power Settings

      powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

      persistence

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    behavioral3behavioral4

MITRE ATT&CK Enterprise v15

Tasks