General

  • Target

    72f4c0faaf286728b980c849774d90c73ac529895335e9bd544a230ebba6d396

  • Size

    8.6MB

  • Sample

    240825-s3pvjs1gke

  • MD5

    d932a18c4d08b8f34233a9e6b971b8ee

  • SHA1

    5e9862bc36513e3fcd46536f3fa9cc535c01d35b

  • SHA256

    72f4c0faaf286728b980c849774d90c73ac529895335e9bd544a230ebba6d396

  • SHA512

    de487696eb4b961ed6975767bcdce190dc2671e6a36b668fa64bb742cc40e8ed6f177814e3c48e9e577f6842aee2e94018ee575b5e1f513966004eb1ae91aa57

  • SSDEEP

    196608:fa68kqLxS3sYD9xT0MDfyGr21X5Sp6GemDMPwOSE3WfnCr:zW1ScYD9xgMDfDSpfaMP+no

Malware Config

Extracted

Family

phemedrone

C2

https://api.telegram.org/bot7206720228:AAEBZdduavQnTtKEU_zzcbsBpsX39gH7twg/sendDocument

Extracted

Family

gurcu

C2

https://api.telegram.org/bot7206720228:AAEBZdduavQnTtKEU_zzcbsBpsX39gH7twg/sendDocumen
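
Both extracted configs point at the same Telegram Bot API endpoint, so the bot token (the `bot<id>:<secret>` path segment) is the pivotable indicator here, not the URL as a whole; note that the second extractor output is missing the final character of `sendDocument`. The following script is an added example, not code from the report or from either malware family: it pulls Telegram bot C2 URLs out of a raw sample, checks the UTF-16LE string encoding that .NET (C#) binaries use as well as ASCII, collapses hits that share one token, flags method names it does not recognise (so a truncated string like the one above is noticed), and redacts the secret for sharing. The byte blob, the bot id and the secret are constructed for the example and are not the real values from this sample; `KNOWN_METHODS` is a hand-picked list, not an exhaustive one.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Telegram Bot API URL shape: https://api.telegram.org/bot<bot_id>:<secret>/<method>
# bot_id is numeric; the secret's length is not hard-coded on purpose.
TELEGRAM_BOT_RE = re.compile(
    r"https?://api\.telegram\.org/bot(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]+)/(?P<method>[A-Za-z]+)"
)

# Assumption: a short hand-picked set of Bot API methods seen in stealer exfil.
# Any other method name is reported as possibly truncated extractor output.
KNOWN_METHODS = {"sendDocument", "sendMessage", "sendPhoto", "getMe", "getUpdates"}


@dataclass(frozen=True)
class TelegramC2:
    bot_id: str
    secret: str
    method: str

    @property
    def token(self) -> str:
        return f"{self.bot_id}:{self.secret}"

    def redacted(self) -> str:
        # Keep the bot id and a 4-char prefix of the secret; never share the full token.
        return f"{self.bot_id}:{self.secret[:4]}{'*' * (len(self.secret) - 4)}"


def _decoded_views(blob: bytes):
    # .NET assemblies store user string literals as UTF-16LE, so an ASCII-only
    # scan misses them. Try both byte alignments for the UTF-16 view.
    yield blob.decode("latin-1")
    yield blob.decode("utf-16-le", errors="ignore")
    yield blob[1:].decode("utf-16-le", errors="ignore")


def extract_telegram_c2(blob: bytes) -> list[TelegramC2]:
    """Return every distinct (bot_id, secret, method) triple found in the blob."""
    found: list[TelegramC2] = []
    seen: set[TelegramC2] = set()
    for text in _decoded_views(blob):
        for m in TELEGRAM_BOT_RE.finditer(text):
            hit = TelegramC2(m["bot_id"], m["secret"], m["method"])
            if hit not in seen:
                seen.add(hit)
                found.append(hit)
    return found


def summarize(hits: list[TelegramC2]) -> list[str]:
    """One line per bot token: two configs using one bot are one attacker channel."""
    by_token: dict[str, set[str]] = {}
    for h in hits:
        by_token.setdefault(h.token, set()).add(h.method)
    lines = []
    for token, methods in by_token.items():
        first = next(h for h in hits if h.token == token)
        unknown = sorted(m for m in methods if m not in KNOWN_METHODS)
        line = f"bot {first.redacted()} methods={sorted(methods)}"
        if unknown:
            line += f" (unrecognised method names, possibly truncated: {unknown})"
        lines.append(line)
    return lines


# Constructed stand-in for a dumped binary: one ASCII URL, one UTF-16LE URL with
# the method name cut short, and filler bytes. The token is fake.
_FAKE_URL = "https://api.telegram.org/bot1234567890:AAEexampleSecretNotReal_0000000000/"
SAMPLE_BLOB = (
    b"\x00MZ\x90\x00junk\x00"
    + (_FAKE_URL + "sendDocument").encode("ascii")
    + b"\x00\x00more junk\x00"
    + (_FAKE_URL + "sendDocumen").encode("utf-16-le")
    + b"\x00tail"
)


if __name__ == "__main__":
    for line in summarize(extract_telegram_c2(SAMPLE_BLOB)):
        print(line)
```

Run it against `strings`-resistant input (the raw file, a memory dump, or the decrypted config buffer) rather than against `strings` output, which by default only emits ASCII runs and would drop the UTF-16 copy. The bot id alone is safe to share; the full token grants anyone who has it the ability to read the attacker's exfil channel or to poison it, so treat it like a credential when writing it into a report.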

Targets

    • Target

      72f4c0faaf286728b980c849774d90c73ac529895335e9bd544a230ebba6d396

    • Size

      8.6MB

    • MD5

      d932a18c4d08b8f34233a9e6b971b8ee

    • SHA1

      5e9862bc36513e3fcd46536f3fa9cc535c01d35b

    • SHA256

      72f4c0faaf286728b980c849774d90c73ac529895335e9bd544a230ebba6d396

    • SHA512

      de487696eb4b961ed6975767bcdce190dc2671e6a36b668fa64bb742cc40e8ed6f177814e3c48e9e577f6842aee2e94018ee575b5e1f513966004eb1ae91aa57

    • SSDEEP

      196608:fa68kqLxS3sYD9xT0MDfyGr21X5Sp6GemDMPwOSE3WfnCr:zW1ScYD9xgMDfDSpfaMP+no

    • Gurcu, WhiteSnake

      Gurcu (also tracked as WhiteSnake) is an information stealer written in C#.

    • Phemedrone

      Phemedrone is an information and cryptocurrency-wallet stealer written in C#.

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious access to, or copying of, a web browser credential store.

    • Checks computer location settings

      Looks up the country code configured in the registry, most likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of web browsers

      Infostealers routinely target stored browser data, which can include saved credentials, cookies and autofill data.

    • Unsecured Credentials: Credentials In Files

      Steals credentials from unsecured files.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

      Calls NtSetInformationThread with the ThreadHideFromDebugger information class, an anti-debugging technique that stops the calling thread from delivering debug events to an attached debugger.

MITRE ATT&CK Enterprise v15

Tasks