General

  • Target

    08d9d4e6489dc5b05a6caa434fc36ad6c1bd8c8eb08888f61cbed094eac6cb37

  • Size

    698KB

  • Sample

    241031-g5d1aasfjq

  • MD5

    150df9d8d8d7dfa6806fd746f5046278

  • SHA1

    145d6bfa4eeceaf3c91e05a955c3ca77ee62fca2

  • SHA256

    08d9d4e6489dc5b05a6caa434fc36ad6c1bd8c8eb08888f61cbed094eac6cb37

  • SHA512

    f92b5be8839e01d35dfc6e8efa645e2307082fdc754370200774b0f502f107a70a1f52913ec43fffa4d234c79edb5ac3e4cdecfaea08df2c1a89102dbfcbaaf9

  • SSDEEP

    12288:PyveQB/fTHIGaPkKEYzURNAwbAgjsYrWu+bsOWFoS7RxYCcvlZ62sHVRj5:PuDXTIGaPhEYzUzA0DrWu6hTMbDksHVT

Malware Config

Extracted

Family

phemedrone

C2

http://89.23.102.24:80/gate.php

Targets

    • Phemedrone

      An information and wallet stealer written in C#.

    • Phemedrone family

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

MITRE ATT&CK Enterprise v15

Tasks