General

  • Target

    88ae0b3839bd67b6b814a1cd63d92d77099acbd1d53a26f84c03bf12e10d8ac3

  • Size

    2.5MB

  • Sample

    240906-v2zpgayfpr

  • MD5

    ca62296a0cc72100cffc593341d7a16f

  • SHA1

    99564c5ef198c932e322d6f79eb108f38744c291

  • SHA256

    88ae0b3839bd67b6b814a1cd63d92d77099acbd1d53a26f84c03bf12e10d8ac3

  • SHA512

    b46f471d679449b9db0efa4a17454e6455b640ef9f3037d640300ac0a029a058c90cfdd9edc57064d8a65873988835fd0b8807ad948863859e6d70bd628b7779

  • SSDEEP

    49152:Ym2S3vX223l/EgY8LEvE0wPV9ZbfOeirG8QQHFdpqqDf9SEt:Ym2S/RVjfLEvYfNSGovf9Pt

Malware Config

Extracted

Family

phemedrone

C2

https://api.telegram.org/bot7211678746:AAHAXg0HcpRkdl1oL31ijx8YDZHO7dYfOlQ/sendDocument

Targets

    • Target

      88ae0b3839bd67b6b814a1cd63d92d77099acbd1d53a26f84c03bf12e10d8ac3

    • Size

      2.5MB

    • MD5

      ca62296a0cc72100cffc593341d7a16f

    • SHA1

      99564c5ef198c932e322d6f79eb108f38744c291

    • SHA256

      88ae0b3839bd67b6b814a1cd63d92d77099acbd1d53a26f84c03bf12e10d8ac3

    • SHA512

      b46f471d679449b9db0efa4a17454e6455b640ef9f3037d640300ac0a029a058c90cfdd9edc57064d8a65873988835fd0b8807ad948863859e6d70bd628b7779

    • SSDEEP

      49152:Ym2S3vX223l/EgY8LEvE0wPV9ZbfOeirG8QQHFdpqqDf9SEt:Ym2S/RVjfLEvYfNSGovf9Pt

    • Phemedrone

      An information and wallet stealer written in C#.

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious Access or copy of Web Browser Credential store.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v15

Tasks