Analysis
-
max time kernel
149s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
01-12-2024 17:36
Behavioral task
behavioral1
Sample
WW7WS_Loader.exe
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
WW7WS_Loader.exe
Resource
win10v2004-20241007-en
General
-
Target
WW7WS_Loader.exe
-
Size
116KB
-
MD5
9957ff72b98d2fd3819a1c3a5bb7c266
-
SHA1
27ee49406e1eaaf4ca84e9119baf83d79e199df3
-
SHA256
103b15ed69b33225af3886c39dca69d542aba6907567bea4f4854a80fe9ca34e
-
SHA512
52e8cb098534a39b7ad5c251db05fed8b414012f824ced61ba6dd53e29cb8f08e870c19a74906112f2fa3ba60abfcd1d7f3170ac27481a918b1b818bebcb251c
-
SSDEEP
1536:RVJmqFbDs4TsmZn3RAFtVS+8IdO52M68XiNL5iDNifNJa7sxRlXKfsfzudtBE:D5FbNTsGmcxoO5K8Xe5iK07swfs
Malware Config
Extracted
phemedrone
https://api.telegram.org/bot7250665686:AAHW0YznZP8w-6An0q8-OF3zVVfXyjQuxLM/sendDocument
Signatures
-
Phemedrone
An information and wallet stealer written in C#.
-
Phemedrone family
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process 3184 WW7WS_Loader.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 3184 WW7WS_Loader.exe