General

  • Target

    UnkwareF12upd.bin

  • Size

    58.4MB

  • Sample

    250119-2k5mqayqb1

  • MD5

    ce1b4c7aaf126ea54942c5e8ad4dcbe7

  • SHA1

    c3ba148562fe1923eba6317d893cd07752e5cfc3

  • SHA256

    8f88794b29f5c10439f36e848db3364230a0828f4f4e44b201afe64d32a3b84e

  • SHA512

    a4942558b19828b8805fbe16d7fc5afe899aaa33b975866935c33afe00ad00248540ab850b6651e95d9fd6e3cb2929675418ded5ed32a34dfddc0d95eaefe923

  • SSDEEP

    1572864:+cKRa7tv/LtKBaXnigTA/kA+hBnzHK3LDGvH/Ku3CEWxCChcmTq3:IRWJLQB2igI6xq7DSfKCVlf3

Malware Config

Extracted

  • Family

    phemedrone

  • C2

    https://api.telegram.org/bot7685274426:AAGCiG0lyyKSjROanH8sVwfPt9NV-rMnzbk/sendDocument

Targets

    • Phemedrone

      An information and wallet stealer written in C#.

    • Phemedrone family

    • Xmrig family

    • xmrig

      XMRig is a high-performance, open-source, cross-platform CPU/GPU miner.

    • XMRig Miner payload

    • Command and Scripting Interpreter: PowerShell

      Uses the powershell.exe command.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Creates new service(s)

    • Stops running service(s)

    • Loads dropped DLL

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Power Settings

      powercfg controls all configurable power settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

    • UPX packed file

      Detects executables packed with the UPX open-source packer or a modified variant of it.

MITRE ATT&CK Enterprise v15