General

  • Target

    SecuriteInfo.com.Trojan-PSW.Win32.Stealer.cifv.26324.32739.exe

  • Size

    5.3MB

  • Sample

    240826-allsfstejd

  • MD5

    6b69cf13f7d2893d69dfaa7ee310b219

  • SHA1

    ea654e62b0a82ed8f4983bceedf1afeedf1a79e8

  • SHA256

    8586e26ad8c071ae7aed383edf5bef7e1d48f6e019c05b90eaa0a24e592fafd9

  • SHA512

    3bc88ce6e5293ff8c9dec3639dc3fc918bee6780e89c0d0e739e750cb9aaf686fe04b2ace630fa3d0445aced6e80e0508be69b997cee9496ee17f4dce035bc05

  • SSDEEP

    98304:R38h3epzb71QGQCPDbZfx8ayCb7BJ5mjwNwwMeZYobSr+v+Z7OGGdJ:R36sdQmRJ8aycBIGpEogKGGd

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

https://github.com/JouxJo2/Fps-Boost/raw/main/Boost.exe

Extracted

Family

phemedrone

C2

https://api.telegram.org/bot6402323442:AAFWbeqB_G8dGNlKcdmB4xeKrL6UBjOz4fg/sendDocument

Targets

    • Target

      SecuriteInfo.com.Trojan-PSW.Win32.Stealer.cifv.26324.32739.exe

    • Size

      5.3MB

    • MD5

      6b69cf13f7d2893d69dfaa7ee310b219

    • SHA1

      ea654e62b0a82ed8f4983bceedf1afeedf1a79e8

    • SHA256

      8586e26ad8c071ae7aed383edf5bef7e1d48f6e019c05b90eaa0a24e592fafd9

    • SHA512

      3bc88ce6e5293ff8c9dec3639dc3fc918bee6780e89c0d0e739e750cb9aaf686fe04b2ace630fa3d0445aced6e80e0508be69b997cee9496ee17f4dce035bc05

    • SSDEEP

      98304:R38h3epzb71QGQCPDbZfx8ayCb7BJ5mjwNwwMeZYobSr+v+Z7OGGdJ:R36sdQmRJ8aycBIGpEogKGGd

    • Phemedrone

      An information and wallet stealer written in C#.

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious Access or copy of Web Browser Credential store.

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

    • Legitimate hosting services abused for malware hosting/C2

MITRE ATT&CK Enterprise v15

Tasks