Analysis
-
max time kernel
24s -
max time network
9s -
platform
windows11-21h2_x64 -
resource
win11-20241007-en -
resource tags
arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system -
submitted
12-12-2024 14:55
Behavioral task
behavioral1
Sample
Resource.exe
Resource
win11-20241007-en
General
-
Target
Resource.exe
-
Size
137KB
-
MD5
4f38c635b15d7f9087a758baca7c6662
-
SHA1
0cbfe507872829dc19e63436fb8e9759dfb42271
-
SHA256
0404b9addf506f9b143521aed1b3a1003c2c8f16828221946a4d06dac6e85bfd
-
SHA512
dde8048dc7add02f03196438f171c52e6bd04fe099be061c6f2adcb8ed893d4e9279a823d8bd1c6d506d6f1e1857bb1ff5f5a41292e643db8aa6f025f4a8fddb
-
SSDEEP
1536:5huxXrW4Heqv3taHo8a+rIq24GPwfWUzL7SWoWicEmDA1wWu0eja5JUrsD98fp4P:5AxbB+maI8aRqhvja5arGef1G5trgE
Malware Config
Extracted
phemedrone
https://mined.to/gate.php
Signatures
-
Phemedrone
An information and wallet stealer written in C#.
-
Phemedrone family
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process 3368 Resource.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 3368 Resource.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Resource.exe"C:\Users\Admin\AppData\Local\Temp\Resource.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3368
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:5068