Analysis
-
max time kernel
94s -
max time network
96s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
26-08-2024 00:18
Behavioral task
behavioral1
Sample
SecuriteInfo.com.Trojan-PSW.Win32.Stealer.cifv.26324.32739.exe
Resource
win7-20240705-en
Behavioral task
behavioral2
Sample
SecuriteInfo.com.Trojan-PSW.Win32.Stealer.cifv.26324.32739.exe
Resource
win10v2004-20240802-en
General
-
Target
SecuriteInfo.com.Trojan-PSW.Win32.Stealer.cifv.26324.32739.exe
-
Size
5.3MB
-
MD5
6b69cf13f7d2893d69dfaa7ee310b219
-
SHA1
ea654e62b0a82ed8f4983bceedf1afeedf1a79e8
-
SHA256
8586e26ad8c071ae7aed383edf5bef7e1d48f6e019c05b90eaa0a24e592fafd9
-
SHA512
3bc88ce6e5293ff8c9dec3639dc3fc918bee6780e89c0d0e739e750cb9aaf686fe04b2ace630fa3d0445aced6e80e0508be69b997cee9496ee17f4dce035bc05
-
SSDEEP
98304:R38h3epzb71QGQCPDbZfx8ayCb7BJ5mjwNwwMeZYobSr+v+Z7OGGdJ:R36sdQmRJ8aycBIGpEogKGGd
Malware Config
Extracted
https://github.com/JouxJo2/Fps-Boost/raw/main/Boost.exe
Extracted
phemedrone
https://api.telegram.org/bot6402323442:AAFWbeqB_G8dGNlKcdmB4xeKrL6UBjOz4fg/sendDocument
Signatures
-
Phemedrone
An information and wallet stealer written in C#.
-
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
-
Blocklisted process makes network request 2 IoCs
flow pid Process 26 2732 powershell.exe 28 2732 powershell.exe -
Downloads MZ/PE file
-
Executes dropped EXE 1 IoCs
pid Process 1348 Boost.exe -
Loads dropped DLL 6 IoCs
pid Process 5076 SecuriteInfo.com.Trojan-PSW.Win32.Stealer.cifv.26324.32739.exe 5076 SecuriteInfo.com.Trojan-PSW.Win32.Stealer.cifv.26324.32739.exe 5076 SecuriteInfo.com.Trojan-PSW.Win32.Stealer.cifv.26324.32739.exe 5076 SecuriteInfo.com.Trojan-PSW.Win32.Stealer.cifv.26324.32739.exe 5076 SecuriteInfo.com.Trojan-PSW.Win32.Stealer.cifv.26324.32739.exe 5076 SecuriteInfo.com.Trojan-PSW.Win32.Stealer.cifv.26324.32739.exe -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
flow ioc 27 raw.githubusercontent.com 28 raw.githubusercontent.com -
pid Process 2732 powershell.exe -
Suspicious behavior: EnumeratesProcesses 3 IoCs
pid Process 2732 powershell.exe 2732 powershell.exe 2732 powershell.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 2732 powershell.exe Token: SeDebugPrivilege 1348 Boost.exe -
Suspicious use of WriteProcessMemory 8 IoCs
description pid Process procid_target PID 412 wrote to memory of 5076 412 SecuriteInfo.com.Trojan-PSW.Win32.Stealer.cifv.26324.32739.exe 85 PID 412 wrote to memory of 5076 412 SecuriteInfo.com.Trojan-PSW.Win32.Stealer.cifv.26324.32739.exe 85 PID 5076 wrote to memory of 2732 5076 SecuriteInfo.com.Trojan-PSW.Win32.Stealer.cifv.26324.32739.exe 94 PID 5076 wrote to memory of 2732 5076 SecuriteInfo.com.Trojan-PSW.Win32.Stealer.cifv.26324.32739.exe 94 PID 2732 wrote to memory of 1348 2732 powershell.exe 95 PID 2732 wrote to memory of 1348 2732 powershell.exe 95 PID 5076 wrote to memory of 4720 5076 SecuriteInfo.com.Trojan-PSW.Win32.Stealer.cifv.26324.32739.exe 96 PID 5076 wrote to memory of 4720 5076 SecuriteInfo.com.Trojan-PSW.Win32.Stealer.cifv.26324.32739.exe 96
Processes
-
C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan-PSW.Win32.Stealer.cifv.26324.32739.exe"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan-PSW.Win32.Stealer.cifv.26324.32739.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:412 -
C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan-PSW.Win32.Stealer.cifv.26324.32739.exe"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan-PSW.Win32.Stealer.cifv.26324.32739.exe"2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:5076 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -ExecutionPolicy Bypass -File C:\Users\Admin\AppData\Local\Temp\tmpwtif6tcj.ps13⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2732 -
C:\Users\Admin\AppData\Local\Temp\Boost.exe"C:\Users\Admin\AppData\Local\Temp\Boost.exe"4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1348
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cls3⤵PID:4720
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
122KB
MD528bef54bbff157aa133c641580007a84
SHA1d911f3e774104f0143ebda3af72d38669860bb57
SHA256116b4f3a72b2b5252e11a6fe3a431f3fde7db1c1c354d5546531763db55cf574
SHA51232d871a0fb5953de118fb3d05359246b69abb438c8cae493b2442799424afad62bc2cb40a80c659302703a702718792bf327c1ddb1e227e0df42199e086e24a6
-
Filesize
106KB
MD5870fea4e961e2fbd00110d3783e529be
SHA1a948e65c6f73d7da4ffde4e8533c098a00cc7311
SHA25676fdb83fde238226b5bebaf3392ee562e2cb7ca8d3ef75983bf5f9d6c7119644
SHA5120b636a3cdefa343eb4cb228b391bb657b5b4c20df62889cd1be44c7bee94ffad6ec82dc4db79949edef576bff57867e0d084e0a597bf7bf5c8e4ed1268477e88
-
Filesize
81KB
MD5bbe89cf70b64f38c67b7bf23c0ea8a48
SHA144577016e9c7b463a79b966b67c3ecc868957470
SHA256775fbc6e9a4c7e9710205157350f3d6141b5a9e8f44cb07b3eac38f2789c8723
SHA5123ee72ba60541116bbca1a62db64074276d40ad8ed7d0ca199a9c51d65c3f0762a8ef6d0e1e9ebf04bf4efe1347f120e4bc3d502dd288339b4df646a59aad0ec1
-
Filesize
119KB
MD5ca4cef051737b0e4e56b7d597238df94
SHA1583df3f7ecade0252fdff608eb969439956f5c4a
SHA256e60a2b100c4fa50b0b144cf825fe3cde21a8b7b60b92bfc326cb39573ce96b2b
SHA51217103d6b5fa84156055e60f9e5756ffc31584cdb6274c686a136291c58ba0be00238d501f8acc1f1ca7e1a1fadcb0c7fefddcb98cedb9dd04325314f7e905df3
-
Filesize
153KB
MD50a94c9f3d7728cf96326db3ab3646d40
SHA18081df1dca4a8520604e134672c4be79eb202d14
SHA2560a70e8546fa6038029f2a3764e721ceebea415818e5f0df6b90d6a40788c3b31
SHA5126f047f3bdaead121018623f52a35f7e8b38c58d3a9cb672e8056a5274d02395188975de08cabae948e2cc2c1ca01c74ca7bc1b82e2c23d652e952f3745491087
-
Filesize
812KB
MD5fbd6be906ac7cd45f1d98f5cb05f8275
SHA15d563877a549f493da805b4d049641604a6a0408
SHA256ae35709e6b8538827e3999e61a0345680c5167962296ac7bef62d6b813227fb0
SHA5121547b02875f3e547c4f5e15c964719c93d7088c7f4fd044f6561bebd29658a54ef044211f9d5cfb4570ca49ed0f17b08011d27fe85914e8c3ea12024c8071e8a
-
Filesize
32KB
MD5eef7981412be8ea459064d3090f4b3aa
SHA1c60da4830ce27afc234b3c3014c583f7f0a5a925
SHA256f60dd9f2fcbd495674dfc1555effb710eb081fc7d4cae5fa58c438ab50405081
SHA512dc9ff4202f74a13ca9949a123dff4c0223da969f49e9348feaf93da4470f7be82cfa1d392566eaaa836d77dde7193fed15a8395509f72a0e9f97c66c0a096016
-
Filesize
4.3MB
MD5deaf0c0cc3369363b800d2e8e756a402
SHA13085778735dd8badad4e39df688139f4eed5f954
SHA256156cf2b64dd0f4d9bdb346b654a11300d6e9e15a65ef69089923dafc1c71e33d
SHA5125cac1d92af7ee18425b5ee8e7cd4e941a9ddffb4bc1c12bb8aeabeed09acec1ff0309abc41a2e0c8db101fee40724f8bfb27a78898128f8746c8fe01c1631989
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
225B
MD5e3599b7e4cee100e5d2e8e5c9434f092
SHA18acb3a58de6f8c68c40e954c19bccadcb3a611ab
SHA2560477c2009f22f8366f975bcbf839c881bef8279032655fa9b66421f403360605
SHA5121de9c56669a4e27b627eab64ba75aa59d044ab7eb511511b100bc8d4f82b4b46967345578d838ead8ccbe8066e909100afc85b07d98920b5c2797cf7336ca12e