Phemedrone Stealer

Jane0sint · August 4, 2023, 7:33am

Hello, I propose a rule for phemedron stealer. Exfiltation is carried out through telegram.

alert http any any -> any any (msg: "ET MALWARE [ANY.RUN] Phemedrone Stealer Exfiltration";
flow: established, to_server;
http.method; 
content: "GET"; 
http.uri;
content: "/bot"; depth: 4;
content: "sendDocument"; distance: 0;
http.host;
content: "api.telegram.org"; 
http.request_body;
content: "-Phemedrone-Report.phem|22|"; depth: 1024; 
classtype: credential-theft;
reference: md5,8b212231bce5312e24ce1c2417f40630;
reference: url,app.any.run/tasks/e70a994d-6a38-483e-99ad-b9ddbfe1b9b7/;
metadata: malware_family Phemedrone, created_at 2023_04_27, former_category MALWARE;
sid: 1; rev: 1;)

Best regards, Jane.

ishaughnessy · August 7, 2023, 9:52pm

Thanks @Jane0sint !
2047068 - ET MALWARE [ANY.RUN] Phemedrone Stealer Exfiltration via Telegram

Topic		Replies	Views
ObserverStealer Rule Signatures	5	583	June 23, 2023
PureLogs Stealer Rule Signatures	12	853	December 28, 2023
WhiteSnake Rule Signatures	4	326	June 17, 2024
Lumma Stealer Configuration Rule Signatures	11	911	December 28, 2023
PennyWise Stealer - Update on rules Rule Signatures	2	432	July 28, 2023

Phemedrone Stealer

Related topics