General

  • Target

    c185695a5c260e4c77fe5a0999ce23f9a3ea45f89b15003a18e8c3052e75beb6.ps1

  • Size

    208B

  • Sample

    241205-dsymdasjbr

  • MD5

    f74352d968ebe606fcc81a9d827e5ccf

  • SHA1

    1d6b0838ef4e437998b11ea7c15691e483d7b9d6

  • SHA256

    c185695a5c260e4c77fe5a0999ce23f9a3ea45f89b15003a18e8c3052e75beb6

  • SHA512

    b8cf2b1d9fd7b4c2557918d05b89cc179f60849c6959dcefd92a26619c4af53cd5deb13bca6b9028af1934628626a3f0d27c463f38d4f73f5e1aedc37c080178

Malware Config

Extracted

Family

phemedrone

C2

https://api.telegram.org/bot7772275304:AAF3OSvWBzn5cIHkGD9ueBFz5ed91u-60-U/sendDocument

Targets

    • Target

      c185695a5c260e4c77fe5a0999ce23f9a3ea45f89b15003a18e8c3052e75beb6.ps1

    • Size

      208B

    • MD5

      f74352d968ebe606fcc81a9d827e5ccf

    • SHA1

      1d6b0838ef4e437998b11ea7c15691e483d7b9d6

    • SHA256

      c185695a5c260e4c77fe5a0999ce23f9a3ea45f89b15003a18e8c3052e75beb6

    • SHA512

      b8cf2b1d9fd7b4c2557918d05b89cc179f60849c6959dcefd92a26619c4af53cd5deb13bca6b9028af1934628626a3f0d27c463f38d4f73f5e1aedc37c080178

    • Phemedrone

      An information and wallet stealer written in C#.

    • Phemedrone family

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Command and Scripting Interpreter: PowerShell

      Using powershell.exe command.

    • Downloads MZ/PE file

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Executes dropped EXE

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Checks whether UAC is enabled

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v15

Tasks