General

  • Target

    SRTWARE LOADER.zip

  • Size

    2.1MB

  • Sample

    241111-y2axwsymgr

  • MD5

    b96f7bad986c9438c2d4fb1cd7cefe50

  • SHA1

    2e365a8ec7adbab96160e362452e79f3e693daa8

  • SHA256

    f0278f9a1784ea2ed831558adc963c7f8ccf3da06e80d343a21119a5f13adb03

  • SHA512

    33feee40f97c0e5a18eff371c254f49bddfca305dd40d4689604ebf25acd75b6d3b8437555089cc1b513eb1668f58b28c69d3d65bd46c85e0accb697672d0a36

  • SSDEEP

    49152:042VAVX5l+jtev0SSegJny9lwYdORlg1+NzJsDZPVv:04Xk0OegJyltd6eI1Qd

Malware Config

Extracted

Family

phemedrone

C2

https://api.telegram.org/bot6588835363:AAFQ228ubBfAgsCooCro8OibbaVCsDtoWIE/sendDocument

Targets

    • DcRat

      DarkCrystal (DC) is a new .NET RAT, active since June 2019, that is capable of loading additional plugins.

    • Dcrat family

    • Phemedrone

      An information and wallet stealer written in C#.

    • Phemedrone family

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Creates new service(s)

    • Downloads MZ/PE file

    • Stops running service(s)

    • Executes dropped EXE

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar sensitive information.

    • Unsecured Credentials: Credentials In Files

      Steals credentials from unsecured files.

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks