Indicators of Compromise & YARA Rule for Phemedrone Stealer
## Other Phemedrone Stealer Sample Hashes ##
8731e05790767c76250fff12cf1ecbf497889776be13aef569cc71f0aad97039
b31185a0d4d7d84a3beb7f81f545ddfb057d6047d022b69d9fa69aaba1fafca2
c969e6bd943c6476eb441a70f17788fc24de61a08cc2c53cec97b384f17e4cf6
db6fa8cecd6ad1647773914e0f1b07a85ef6e1171e610069feb42122adbfea29
38279fdad25c7972be9426cadb5ad5e3ee7e9761b0a41ed617945cb9a3713702
031a346e370711ec09c56512f76bbce87fb2f2294f35e8d7b13c862e63e26a52
0f9e01f100f9cd8db400504d5994f5c8232c318578bb33b807710289d9ef480c
8873bffb719dfe5a4fdba98f04bb61c079eb678c93079851cd34ebadcc9e2e26
46f5ffcc04ea1eaf09cfce1a9329624c85a5c5435d91444a55ce02fceebfd2f7
5a9d4557fc72090010a587b6c20bf4cfb38134ba636c3f496e747eba9231910c
7b1850602e686cd018c9b5235363e6ece378c323ab82a12f02d80c25beb6e3cb
511bac0131f15c8f85eac0412bc93b3d9af477077b5f916346f996319e47a15e
e9279e7e028a9f198f01201bbdbfa6a8a2d1a7ee53bdd340f2f5a29644549236
1fee8279856072c3036ca152ed062609f111d6c434d9ee8fe8ad6eb69f03c5d9
5b1b6e7eaad23c4d4be1ab8ba824bc64ba8e4a7eed125827efb2f7d97bc269ab
cfc09388265be4e0c64d627ae997ce9e38624ab45228971fea8ca761c4f6ed73
d1933d7741d2c5ff810f37ecc0fc2b04d4d6d7daf05450a9ffd29c35d2cb2c05
3e103d47994d5cb6f198147cb050ddae313e14dbb16de677b7e4d3b0816e0530
1b97f4fd7610d853b3437757f2b7c118e8e53cc4a54719773c1b657336a5179f
29b7e31d89a8c9ec5c99fa5bd9d2562fc770ea42cf530622b5f9655a2e4469a2
0d079c2cc56a097020e36d0879d4510399b0c2e1474d0e121c486b7a0793197c
756463b539b6887a2e84a577006c88ba11dca12a09ec5748218dbac8ebbca75a
b2d606ca1882c8ce28168d2ef90ce34087d76b3fb38c694a77f4c3a226a56539
73f21e4c51e183cdcaa7e5df01b0c3738f01ad7fe0f98198c60c7d519c5e9c73
7abd9df84ba376dd79ca84a22be1e46e0cd3a7fc90e8fa45848d53cce0a05725
9d0c23542a94064c3372c2ac13ac150904e9ae97666465437b9388789f56976f
52817df4b19ffc52e81384b3117888fc053326b9635152fcbd7ca62d00801887
## YARA Rule ##
// Detection rule for Phemedrone Stealer PE samples.
// Fires on a file that starts with the MZ DOS header, contains at least one
// of the two code-pattern signatures ($h*) and at least one plaintext marker
// ($s*). Every string body and modifier below is byte-for-byte the published
// signature; only layout, spacing and comments differ.
rule MAL_PhemedroneStealer_WIN_PE_Feb15 {
    meta:
        author = "Gökhan FIRAT"
        source = "brandefense.io"
        date   = "19.02.2024"

    strings:
        // Plaintext markers. None of them carries `wide`, so UTF-16 copies of
        // these words are not matched — NOTE(review): confirm that is intended
        // before reusing the rule on .NET samples, where literals are UTF-16.
        $s1 = "Phemedrone" nocase ascii fullword
        $s2 = "reyvortex" nocase fullword
        $s3 = "TheDyer" fullword

        // Code patterns. The recurring 4-byte suffixes (?? 00 00 04 / 06 / 0A /
        // 2B and ?? ?? 00 70) look like .NET metadata tokens, so the bytes read
        // as CIL opcode sequences; rows are split at the apparent instruction
        // boundaries. Verify that reading against the sample before depending
        // on it. In $h1 the first two rows are an exact repeat of each other.
        $h1 = {
            7E ?? 00 00 04 2C 11 28 ?? 00 00 06 2C 0A 72 ?? ?? 00 70 28 ?? 00 00 0A
            7E ?? 00 00 04 2C 11 28 ?? 00 00 06 2C 0A 72 ?? ?? 00 70 28 ?? 00 00 0A
            7E ?? 00 00 04 2C 05 28 ?? 00 00 06
            7E ?? 00 00 04 6F ?? 00 00 0A 16 31 05
            28 ?? 00 00 06 2A
        }

        $h2 = {
            02 7B ?? 00 00 04
            28 1C 00 00 2B
            6F ?? 00 00 0A
            28 ?? 00 00 06
            0A 03 06
            28 ?? 00 00 06
            10 01
            28 ?? 00 00 06
            0B 07 16 07
            6F ?? 00 00 0A
            1A 59
            6F ?? 00 00 0A
            72 ?? ?? 00 70
            28 ?? 00 00 0A
            0B
            28 ?? 00 00 06
            0C 02
            72 ?? ?? 00 70
            02 7B ?? 00 00 04
            28 1B 00 00 2B
            28 ?? 00 00 0A
            72 ?? ?? 00 70
            07 03
            19 8D 19 00 00 1B
            25 16
            72 ?? ?? 00 70
            02 7B ?? 00 00 04
            17 9A
            6F ?? 00 00 0A
            73 ?? 00 00 0A
            A4 19 00 00 1B
            25 17
            72 ?? ?? 00 70
            72 ?? ?? 00 70
            73 ?? 00 00 0A
            A4 19 00 00 1B
            25 18
            72 ?? ?? 00 70
            08
            73 ?? 00 00 0A
            A4 19 00 00 1B
            28 ?? 00 00 06
            2A
        }

    condition:
        uint16(0) == 0x5A4D     // "MZ" DOS header magic, little-endian
        and any of ($h*)        // identical to `1 of ($h*)`
        and 1 of ($s*)          // identical to `any of ($s*)`
}