General
-
Target
https://www.mediafire.com/file/v04wcs9dlfq5ke0/VanishRaider-main.rar/file
-
Sample
250320-tk2xtsypw3
Malware Config
Extracted
phemedrone
https://api.telegram.org/bot7213845603:AAFFyxsyId9av6CCDVB1BCAM5hKLby41Dr8/sendDocument
Targets
-
-
Target
https://www.mediafire.com/file/v04wcs9dlfq5ke0/VanishRaider-main.rar/file
Score10/10-
Phemedrone
An information and wallet stealer written in C#.
-
Phemedrone family
-
Downloads MZ/PE file
-
Uses browser remote debugging
Can be used control the browser and steal sensitive information such as credentials and session cookies.
-
Event Triggered Execution: Component Object Model Hijacking
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
-
Executes dropped EXE
-
Loads dropped DLL
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unsecured Credentials: Credentials In Files
Steal credentials from unsecured files.
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
MITRE ATT&CK Enterprise v15
Persistence
Event Triggered Execution
1Component Object Model Hijacking
1Modify Authentication Process
1Defense Evasion
Modify Authentication Process
1Subvert Trust Controls
1SIP and Trust Provider Hijacking
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Modify Authentication Process
1Steal Web Session Cookie
1Unsecured Credentials
3Credentials In Files
3