Analysis
-
max time kernel
94s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
08-09-2024 21:25
Behavioral task
behavioral1
Sample
465ebfbf2665eece0ef091d113b07a88de4bcd925cfbc9a4d08b939523a6c9a6.exe
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
465ebfbf2665eece0ef091d113b07a88de4bcd925cfbc9a4d08b939523a6c9a6.exe
Resource
win10v2004-20240802-en
General
-
Target
465ebfbf2665eece0ef091d113b07a88de4bcd925cfbc9a4d08b939523a6c9a6.exe
-
Size
122KB
-
MD5
c53d2c231de7b11b3cea7893515db84f
-
SHA1
e5c0ebc4a880d9d7cac3d0debad73f7ae61a4b7a
-
SHA256
465ebfbf2665eece0ef091d113b07a88de4bcd925cfbc9a4d08b939523a6c9a6
-
SHA512
7841578209494a006bfb11007f0378ad9f40c4f2ec1722aea42509e868d956e41e3644c9aad41fb791c7f9cf0a71672f39ebd1185ba191c099b6bec4f84f1e63
-
SSDEEP
3072:64Mr4PdDXmKn1A4iZIjHs1dRH95OwPTGUr:RmB4iT1dlRrGU
Malware Config
Extracted
phemedrone
https://api.telegram.org/bot7128957694:AAHNZekiFKhu87NdduDZHCOVdeFFAHP17CM/sendDocument
Signatures
-
Phemedrone
An information and wallet stealer written in C#.
-
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 716 465ebfbf2665eece0ef091d113b07a88de4bcd925cfbc9a4d08b939523a6c9a6.exe