Analysis
-
max time kernel
94s -
max time network
139s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
12-12-2024 10:08
Behavioral task
behavioral1
Sample
1896-81-0x0000000000440000-0x000000000089E000-memory.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
1896-81-0x0000000000440000-0x000000000089E000-memory.exe
Resource
win10v2004-20241007-en
General
-
Target
1896-81-0x0000000000440000-0x000000000089E000-memory.exe
-
Size
4.4MB
-
MD5
aa352bd398359d6ae3f98cc1b91f0b79
-
SHA1
e4e101b401ba2c070a88722c8d4fa58ecf8ef10d
-
SHA256
5457358583a98b5bd53aa289ea621ec394f13b21aea6d2e2f3d09dcf63475995
-
SHA512
72f5e5196d2ba46823f26165a02c1482b136967a23087a2f818447136043de37dc426101bfd09abb008e73ef51d215bc1469af1dc95f9cfa4f9e5b35c067688e
-
SSDEEP
98304:6E993lwTuntMK6hYLWapqnpjm64cRftE8:62yeLWapqtm8m8
Malware Config
Extracted
phemedrone
https://api.telegram.org/bot7748267151:AAHJX2M4rJ5MRUvgJ9XqTgoOgAd1r_j9htM/sendDocument
Signatures
-
Phemedrone
An information and wallet stealer written in C#.
-
Phemedrone family
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 3496 1896-81-0x0000000000440000-0x000000000089E000-memory.exe