General

  • Target

    Nursultan Alpha (prem)_protected.exe

  • Size

    3.3MB

  • Sample

    240829-prjbvatdnr

  • MD5

    668f721351918eb28387e2a7eeb3cb38

  • SHA1

    abd6a58f5a63ab5e0ef5b5c53b049eff6f9c03f7

  • SHA256

    3e8bb255ae08068c909c67d331dfdd92e5ea0b572145d6f7dd7eb67b236b80c0

  • SHA512

    7760b9c8f8e0ba3085d2533822a083706e02d3b14c7d46de02905e65fbc96e65c8b42e4c3e97f3fa7cd2f9547ab14953202f7173f4f3360cb2bbb673cc7a53ef

  • SSDEEP

    98304:LC32Ejo4Phne5FyzECFk8l0o2r4aGYpzgJT:LcKq5e5kvFT0/4ah0N

Malware Config

Extracted

Family

phemedrone

C2

https://api.telegram.org/bot7322165665:AAFyOklLwRDgUWXVHyXw6ZlECDoQ6pM7WQ0/sendDocument

Targets

    • Target

      Nursultan Alpha (prem)_protected.exe

    • Size

      3.3MB

    • MD5

      668f721351918eb28387e2a7eeb3cb38

    • SHA1

      abd6a58f5a63ab5e0ef5b5c53b049eff6f9c03f7

    • SHA256

      3e8bb255ae08068c909c67d331dfdd92e5ea0b572145d6f7dd7eb67b236b80c0

    • SHA512

      7760b9c8f8e0ba3085d2533822a083706e02d3b14c7d46de02905e65fbc96e65c8b42e4c3e97f3fa7cd2f9547ab14953202f7173f4f3360cb2bbb673cc7a53ef

    • SSDEEP

      98304:LC32Ejo4Phne5FyzECFk8l0o2r4aGYpzgJT:LcKq5e5kvFT0/4ah0N

    • Phemedrone

      An information and wallet stealer written in C#.

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Checks whether UAC is enabled

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v15

Tasks