phemedrone | cf896e7e2e4b7c96be7b460ed2899e780a703ead9e0d85a45b269b08c4cc3b6e | Triage

Sharing

General

Target

cf896e7e2e4b7c96be7b460ed2899e780a703ead9e0d85a45b269b08c4cc3b6e.exe
Size

6.8MB
Sample

241104-kg12paxfre
MD5

fb72ca714fe862deb161d3d443937314
SHA1

cc15d694a24ab347148d768c54b445690a107bac
SHA256

cf896e7e2e4b7c96be7b460ed2899e780a703ead9e0d85a45b269b08c4cc3b6e
SHA512

1f2071b9da49b7813a5653dad076045acf692572d23c3e9b0ac3176046c6f56fa4b27b4d5bea4d7c69a06f8a8f95a58979c5777cb353d0ae05299287f721f413
SSDEEP

196608:R6Y8XMCHGLLc54i1wN+lPIcu9KYK39sI3PPJNMRRccx:6XMCHWUjqcuI3/PJNe

Score

10^/10

phemedrone credential_access execution pyinstaller spyware stealer

Malware Config

Extracted

Family

phemedrone

C2

https://api.telegram.org/bot8091768794:AAFZsJ1h-6BiszgyLm-eH6c-uITQ7Z99Wbc/sendDocument

Targets

- Target
  
  cf896e7e2e4b7c96be7b460ed2899e780a703ead9e0d85a45b269b08c4cc3b6e.exe
- Size
  
  6.8MB
- MD5
  
  fb72ca714fe862deb161d3d443937314
- SHA1
  
  cc15d694a24ab347148d768c54b445690a107bac
- SHA256
  
  cf896e7e2e4b7c96be7b460ed2899e780a703ead9e0d85a45b269b08c4cc3b6e
- SHA512
  
  1f2071b9da49b7813a5653dad076045acf692572d23c3e9b0ac3176046c6f56fa4b27b4d5bea4d7c69a06f8a8f95a58979c5777cb353d0ae05299287f721f413
- SSDEEP
  
  196608:R6Y8XMCHGLLc54i1wN+lPIcu9KYK39sI3PPJNMRRccx:6XMCHWUjqcuI3/PJNe
Score

10^/10

phemedrone credential_access execution spyware stealer
- Phemedrone
  An information and wallet stealer written in C#.
  stealer phemedrone
- Phemedrone family
  phemedrone
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Powershell Invoke Web Request.
  execution
- Executes dropped EXE
- Loads dropped DLL
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Unsecured Credentials: Credentials In Files
  Steal credentials from unsecured files.
  credential_access stealer
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

Credentials from Web Browsers

Unsecured Credentials

Credentials In Files

Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

phemedronecredential_accessexecutionspywarestealer