Analysis
-
max time kernel
119s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system -
submitted
12-12-2024 12:46
Behavioral task
behavioral1
Sample
498ac6b747691eb456fc24ac26c3932effca9b46e39740963120f711e72aefc9.exe
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
498ac6b747691eb456fc24ac26c3932effca9b46e39740963120f711e72aefc9.exe
Resource
win10v2004-20241007-en
General
-
Target
498ac6b747691eb456fc24ac26c3932effca9b46e39740963120f711e72aefc9.exe
-
Size
116KB
-
MD5
78c586522f986994aa77c466c9d678a8
-
SHA1
4b9b13c3782ae532a140a33ba673dc65a37aa882
-
SHA256
498ac6b747691eb456fc24ac26c3932effca9b46e39740963120f711e72aefc9
-
SHA512
707ff5fcbb5e473583bec2d54aac25a3febe262c06025c9d88ddd5d30449b1454289eaa63bec848ca69147232474731052bef710e60c042d0c80e9c02486b5bb
-
SSDEEP
1536:7DG01nFGLBQ+ZH3RSR9CJd6FLVTS6OSjl5eEJXopJ7xfYUCFkhTy3QFTiKCq:nFFFiMWJd6F5TnO65r+T1JQoTy3qTiY
Malware Config
Extracted
phemedrone
https://api.telegram.org/bot7105333862:AAE6XaSuAERR5F_VgpAajrgcx8b0mCmMnqM/sendDocument
Signatures
-
Phemedrone
An information and wallet stealer written in C#.
-
Phemedrone family
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 2172 498ac6b747691eb456fc24ac26c3932effca9b46e39740963120f711e72aefc9.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 2172 wrote to memory of 2056 2172 498ac6b747691eb456fc24ac26c3932effca9b46e39740963120f711e72aefc9.exe 31 PID 2172 wrote to memory of 2056 2172 498ac6b747691eb456fc24ac26c3932effca9b46e39740963120f711e72aefc9.exe 31 PID 2172 wrote to memory of 2056 2172 498ac6b747691eb456fc24ac26c3932effca9b46e39740963120f711e72aefc9.exe 31
Processes
-
C:\Users\Admin\AppData\Local\Temp\498ac6b747691eb456fc24ac26c3932effca9b46e39740963120f711e72aefc9.exe"C:\Users\Admin\AppData\Local\Temp\498ac6b747691eb456fc24ac26c3932effca9b46e39740963120f711e72aefc9.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2172 -
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 2172 -s 16802⤵PID:2056
-