Analysis
-
max time kernel
121s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20241023-en -
resource tags
-
submitted
12-01-2025 03:11
General
-
Target
Nucovyc.exe
-
Size
121KB
-
MD5
97ef39939aa80c9ce0c408cfe73ff5eb
-
SHA1
9ff05a31dd8704fb9b5645567ab4eaf4f36b0387
-
SHA256
100ccca5c8ea5f76add93243fc2a8a30d638bdb24a95c832b7eadb573f70e010
-
SHA512
c79c8326a9b874ff456d07aef715b66d0efae5cea05f511f16d062c463255127b5093666c0446da4b6cdffc0ba09d7c641e21eba08fdd5929b7a357d9eb59ce0
-
SSDEEP
3072:1aI86MVB5BGziRG3vjCB5HlN4HSTswpL:E/giRwGLIHSTswp
Score
10/10
Malware Config
Extracted
Family
phemedrone
C2
https://api.telegram.org/bot7138327209:AAHwN-UO0-GBO8id5b_YFZRrxJ7ZaB0MYtc/sendDocument
Signatures
-
Phemedrone
An information and wallet stealer written in C#.
-
Phemedrone family
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 3 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Nucovyc.exe"C:\Users\Admin\AppData\Local\Temp\Nucovyc.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 1980 -s 16082⤵
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
4KB
-
Filesize
144KB
-
Filesize
9.9MB
-
Filesize
4KB
-
Filesize
9.9MB
-
Filesize
9.9MB