Analysis
-
max time kernel
93s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
06-12-2024 10:59
Behavioral task
behavioral1
Sample
Rajahax.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
Rajahax.exe
Resource
win10v2004-20241007-en
General
-
Target
Rajahax.exe
-
Size
138KB
-
MD5
3a2efdd34244d2e32564be1ecd2ae2fb
-
SHA1
a59fe64e0fcd7dd73bf1d6a748e3cf8416eef93f
-
SHA256
248c2fb9b77901a03336a08aed6c8ad459b7853168160f233946b21bf786090f
-
SHA512
3e19c0a0640a5a3ea51743fbba093dae7bd47c83d2a8f406d9872c8bc9cba8a4df28887156fd567e8f2f0436cfb6b80705da98ecde6f992c82441117959af31f
-
SSDEEP
1536:kAxJAVmt6R/ZyWyElr+fuTdOp6dcDw0u0fZwn5y43RMlhfLLjl0ctdZPCs3Kj3h3:kAxJAQt0yWThdOp6bn5yWsdvt/PiSK
Malware Config
Extracted
phemedrone
https://api.telegram.org/bot7256179101:AAH9javBF9KWz5fXIR2_YM3Ma3CqowIubKw/sendDocument
Signatures
-
Phemedrone
An information and wallet stealer written in C#.
-
Phemedrone family
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process 3080 Rajahax.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 3080 Rajahax.exe