Analysis
-
max time kernel
118s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
30-10-2024 21:58
Behavioral task
behavioral1
Sample
file.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
file.exe
Resource
win10v2004-20241007-en
General
-
Target
file.exe
-
Size
138KB
-
MD5
cae3f7ae06655eb93f5dfb028ddd3d6d
-
SHA1
54821b16fab00ec529f0b99e1d49de8d291eb492
-
SHA256
1fc74fb83aebbe5a37b41e7a4e900a83288618ca696d76a717e2d6a51fad343f
-
SHA512
e2226e3ba2c9bd079db74dcc0cb87f8d6449c99dfe3d2ccae0dda40b7c1a1ca3b77341e49c72bbb183aca86fd29960a70836bfb758f42c3bf83605b3f808dad8
-
SSDEEP
1536:6KQx+JZ4AV5zOvv24ajo8OFbebA+fnnlNWu0SBs54K4UAfJw1oKrY14a9ilmdz82:6RxSdvzODaM8Olevnlp65mJw1bpuMuf
Malware Config
Extracted
phemedrone
https://api.telegram.org/bot6217988193:AAFiJwdcFHDuCM08fAA_dnBQZGLDPSVjUQY/sendDocument
Signatures
-
Phemedrone
An information and wallet stealer written in C#.
-
Phemedrone family
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 2416 file.exe 2416 file.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 2416 file.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 2416 wrote to memory of 2960 2416 file.exe 32 PID 2416 wrote to memory of 2960 2416 file.exe 32 PID 2416 wrote to memory of 2960 2416 file.exe 32
Processes
-
C:\Users\Admin\AppData\Local\Temp\file.exe"C:\Users\Admin\AppData\Local\Temp\file.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2416 -
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 2416 -s 7482⤵PID:2960
-