phemedrone | 08d9d4e6489dc5b05a6caa434fc36ad6c1bd8c8eb08888f61cbed094eac6cb37 | Triage

Sharing

General

Target

08d9d4e6489dc5b05a6caa434fc36ad6c1bd8c8eb08888f61cbed094eac6cb37
Size

698KB
Sample

241031-g5d1aasfjq
MD5

150df9d8d8d7dfa6806fd746f5046278
SHA1

145d6bfa4eeceaf3c91e05a955c3ca77ee62fca2
SHA256

08d9d4e6489dc5b05a6caa434fc36ad6c1bd8c8eb08888f61cbed094eac6cb37
SHA512

f92b5be8839e01d35dfc6e8efa645e2307082fdc754370200774b0f502f107a70a1f52913ec43fffa4d234c79edb5ac3e4cdecfaea08df2c1a89102dbfcbaaf9
SSDEEP

12288:PyveQB/fTHIGaPkKEYzURNAwbAgjsYrWu+bsOWFoS7RxYCcvlZ62sHVRj5:PuDXTIGaPhEYzUzA0DrWu6hTMbDksHVT

Score

10^/10

phemedrone credential_access spyware stealer

Malware Config

Extracted

Family

phemedrone

C2

http://89.23.102.24:80/gate.php

Targets

- Target
  
  08d9d4e6489dc5b05a6caa434fc36ad6c1bd8c8eb08888f61cbed094eac6cb37
- Size
  
  698KB
- MD5
  
  150df9d8d8d7dfa6806fd746f5046278
- SHA1
  
  145d6bfa4eeceaf3c91e05a955c3ca77ee62fca2
- SHA256
  
  08d9d4e6489dc5b05a6caa434fc36ad6c1bd8c8eb08888f61cbed094eac6cb37
- SHA512
  
  f92b5be8839e01d35dfc6e8efa645e2307082fdc754370200774b0f502f107a70a1f52913ec43fffa4d234c79edb5ac3e4cdecfaea08df2c1a89102dbfcbaaf9
- SSDEEP
  
  12288:PyveQB/fTHIGaPkKEYzURNAwbAgjsYrWu+bsOWFoS7RxYCcvlZ62sHVRj5:PuDXTIGaPhEYzUzA0DrWu6hTMbDksHVT
Score

10^/10

phemedrone credential_access spyware stealer
- Phemedrone
  An information and wallet stealer written in C#.
  stealer phemedrone
- Phemedrone family
  phemedrone
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Unsecured Credentials: Credentials In Files
  Steal credentials from unsecured files.
  credential_access stealer
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

Credentials from Web Browsers

Unsecured Credentials

Credentials In Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

phemedronecredential_accessspywarestealer

behavioral2

phemedronecredential_accessspywarestealer