Analysis
-
max time kernel
135s -
max time network
126s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
21-10-2024 16:33
Behavioral task
behavioral1
Sample
tmpg45mr2xx.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
tmpg45mr2xx.exe
Resource
win10v2004-20241007-en
General
-
Target
tmpg45mr2xx.exe
-
Size
137KB
-
MD5
e27b299c37caf241ff547c4845efb6d6
-
SHA1
a5b62b4536da6262e18315a44ca5ff7be4dd658f
-
SHA256
7a2e81375e856c2407907599f401b4a5ec43322bc8e5a4847c43a97f4b91af3f
-
SHA512
962f94f887b7d6fa95402bc9ef2fbea68deed0a76871e461176e03ad88d07ded383f244095318aa2499543703654825029299b403a16469c1ad635a143d10fcb
-
SSDEEP
1536:qQfUyJkgcYU/BFI6d75KunrlsCK2Wu01Dy5s5b3x07XSI7UKCWaDCoL3T4NODbio:qQ849/Ud75FnZtCDyK5Tm7iIFCzPi0F
Malware Config
Extracted
phemedrone
https://api.telegram.org/bot7580542331:AAGHf6T43IrCaf5fPcI73jO_S0Bs8H-8Nig/sendDocument
Signatures
-
Phemedrone
An information and wallet stealer written in C#.
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 1648 tmpg45mr2xx.exe 1648 tmpg45mr2xx.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 1648 tmpg45mr2xx.exe