General

  • Target

    73dac4bb47f3d767633827448b03abf12c5e2561180db45204ee1ca800ebb212

  • Size

    358KB

  • Sample

    241113-3akp8svjhk

  • MD5

    6492e47738dd77951bd2f5f9839f6636

  • SHA1

    8a647c9a1594d1b5e16ffcb32de1264787c4a80e

  • SHA256

    73dac4bb47f3d767633827448b03abf12c5e2561180db45204ee1ca800ebb212

  • SHA512

    e563d188d124071cada50bd3ae8b7b30bfef605b5c1e2a97b3bde39534ed1b03be4cac3a2ef830aa97c77a5778af076a56e96c2f568e5e0c3d8948c796d615ff

  • SSDEEP

    6144:G7yrhcdXOmSnpz70UFuRwo+JcoEej3KFUzR/FLUY+Yw:64UOf0UFTo+JPj36UzR/9Rw

Malware Config

Extracted

Family

phemedrone

C2

https://api.telegram.org/bot5942488573:AAHwpEclqtQTOQ8pXq-JbNtaNF28JxIiT1E/sendDocument

Targets

    • Phemedrone

      An information and wallet stealer written in C#.

    • Phemedrone family

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other profile data.

    • Unsecured Credentials: Credentials In Files

      Steals credentials from unsecured files.

MITRE ATT&CK Enterprise v15

Tasks