General
Target: c185695a5c260e4c77fe5a0999ce23f9a3ea45f89b15003a18e8c3052e75beb6.ps1
Size: 208 B
Sample: 241205-dsymdasjbr
MD5: f74352d968ebe606fcc81a9d827e5ccf
SHA1: 1d6b0838ef4e437998b11ea7c15691e483d7b9d6
SHA256: c185695a5c260e4c77fe5a0999ce23f9a3ea45f89b15003a18e8c3052e75beb6
SHA512: b8cf2b1d9fd7b4c2557918d05b89cc179f60849c6959dcefd92a26619c4af53cd5deb13bca6b9028af1934628626a3f0d27c463f38d4f73f5e1aedc37c080178
Static task: static1
Behavioral task: behavioral1
Sample: c185695a5c260e4c77fe5a0999ce23f9a3ea45f89b15003a18e8c3052e75beb6.ps1
Resource: win7-20240903-en
Malware Config
Extracted (phemedrone): https://api.telegram.org/bot7772275304:AAF3OSvWBzn5cIHkGD9ueBFz5ed91u-60-U/sendDocument
Targets
Target: c185695a5c260e4c77fe5a0999ce23f9a3ea45f89b15003a18e8c3052e75beb6.ps1 (size and hashes as listed under General above)
- Phemedrone family
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
- Downloads MZ/PE file
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger