Analysis
-
max time kernel
92s -
max time network
93s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
10-12-2024 06:15
Behavioral task
behavioral1
Sample
ebea026943b6e923a147fff8cc82f1b03b0ead796272c5d4de268563be321b87N.exe
Resource
win7-20241023-en
Behavioral task
behavioral2
Sample
ebea026943b6e923a147fff8cc82f1b03b0ead796272c5d4de268563be321b87N.exe
Resource
win10v2004-20241007-en
General
-
Target
ebea026943b6e923a147fff8cc82f1b03b0ead796272c5d4de268563be321b87N.exe
-
Size
138KB
-
MD5
03761d8dac7329f4615f845c2af68020
-
SHA1
0f7609cec5364fedca06126ca22c2d08d8a7a781
-
SHA256
ebea026943b6e923a147fff8cc82f1b03b0ead796272c5d4de268563be321b87
-
SHA512
e491988e9f6e327a3d2cfaee8b7af5246f0bacebd1f07834c796cb2bf0514fb12af6d9415016f12ddd1f36c2ced74d9ab0b31d76f5680951dfccc7a059a380ec
-
SSDEEP
3072:pGyxO6HAjmjaa8OP7BJhi5fkuJ3hevv9CMqK:FOeAija07FhRvvr
Malware Config
Extracted
phemedrone
https://api.telegram.org/bot8096061409:AAHjfIm6J1pNB64BDGreFzTd6Z4HVJYTZUo/sendDocument
Signatures
-
Phemedrone
An information and wallet stealer written in C#.
-
Phemedrone family
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process 4176 ebea026943b6e923a147fff8cc82f1b03b0ead796272c5d4de268563be321b87N.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 4176 ebea026943b6e923a147fff8cc82f1b03b0ead796272c5d4de268563be321b87N.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\ebea026943b6e923a147fff8cc82f1b03b0ead796272c5d4de268563be321b87N.exe"C:\Users\Admin\AppData\Local\Temp\ebea026943b6e923a147fff8cc82f1b03b0ead796272c5d4de268563be321b87N.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4176