phemedrone | 99b3fa12a8ef18b29156fb8e604cd7a2b11db9f82486ba024ab8c18e1bff997e | Triage

Submit
Reports

Overview

overview

Static

static

1

Nursultan_Nextgen.zip

windows10-1703-x64

Resubmissions

26-07-2024 11:54

240726-n2vbeszckd 4

26-07-2024 11:41

240726-ntvl8avgrp 10

Sharing

General

Target

Nursultan_Nextgen.zip
Size

97.9MB
Sample

240726-ntvl8avgrp
MD5

9eff264f3d9a7ca42764c9f94d7dd055
SHA1

6b1f4d465908eedf63592f699c6bea8a0075f72b
SHA256

99b3fa12a8ef18b29156fb8e604cd7a2b11db9f82486ba024ab8c18e1bff997e
SHA512

a8a3d256ca210eede32a86bf53fa07e7a14009962826c9b09b511a38f9023a4bec20a810a472eb76c6eab291383913d212826b4dc3e579f82de4e78f54eef5de
SSDEEP

3145728:2/pM+wahZ4nNjMtFpB5TW3oAphPJ+R2PIhxru:2/zlZGYHpB1W3oAphPA2Puu

Score

10^/10

phemedrone xmrig defense_evasion discovery evasion execution miner persistence stealer upx

Static task

static1

Behavioral task

behavioral1

Sample

Nursultan_Nextgen.zip

Resource

win10-20240404-en

phemedrone xmrig defense_evasion discovery evasion execution miner persistence stealer upx

windows10-1703-x64

22 signatures

300 seconds

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://drive.usercontent.google.com/u/0/uc?id=1uH0vQ_juAop0fqiOEIdPBdq1AMQmvndT&export=download

Extracted

Family

phemedrone

C2

https://api.telegram.org/bot7230260246:AAFy1nkEQHkcEude1v3boXRM_xhzB5HwGJ0/sendDocument

Targets

- Target
  
  Nursultan_Nextgen.zip
- Size
  
  97.9MB
- MD5
  
  9eff264f3d9a7ca42764c9f94d7dd055
- SHA1
  
  6b1f4d465908eedf63592f699c6bea8a0075f72b
- SHA256
  
  99b3fa12a8ef18b29156fb8e604cd7a2b11db9f82486ba024ab8c18e1bff997e
- SHA512
  
  a8a3d256ca210eede32a86bf53fa07e7a14009962826c9b09b511a38f9023a4bec20a810a472eb76c6eab291383913d212826b4dc3e579f82de4e78f54eef5de
- SSDEEP
  
  3145728:2/pM+wahZ4nNjMtFpB5TW3oAphPJ+R2PIhxru:2/zlZGYHpB1W3oAphPA2Puu
Score

10^/10

phemedrone xmrig defense_evasion discovery evasion execution miner persistence stealer upx
- Phemedrone
  An information and wallet stealer written in C#.
  stealer phemedrone
- xmrig
  XMRig is a high performance, open source, cross platform CPU/GPU miner.
  miner xmrig
- XMRig Miner payload
  miner
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- Creates new service(s)
  persistence execution
- Drops file in Drivers directory
- Stops running service(s)
  evasion execution
- Executes dropped EXE
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Power Settings
  powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
  persistence
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

System Services

Service Execution

Persistence

Create or Modify System Process

Windows Service

Power Settings

Privilege Escalation

Create or Modify System Process

Windows Service

Defense Evasion

Hide Artifacts

Ignore Process Interrupts

Impair Defenses

Credential Access

Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

Tasks

static1

behavioral1

phemedronexmrigdefense_evasiondiscoveryevasionexecutionminerpersistencestealerupx

© 2018-2024

Terms | Privacy