Malware Analysis Report

2024-10-23 19:40

Sample ID 231002-jm77hshh65
Target 58b525579968cba0c68e8f7ae12e51e0b5542acc2c14a2e75fa6df44556e373f
SHA256 58b525579968cba0c68e8f7ae12e51e0b5542acc2c14a2e75fa6df44556e373f
Tags: phemedrone spyware stealer
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256

58b525579968cba0c68e8f7ae12e51e0b5542acc2c14a2e75fa6df44556e373f

Threat Level: Known bad

The file 58b525579968cba0c68e8f7ae12e51e0b5542acc2c14a2e75fa6df44556e373f was found to be: Known bad.

Malicious Activity Summary

phemedrone spyware stealer

Phemedrone family

Phemedrone

Reads user/profile data of web browsers

Looks up external IP address via web service

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-10-02 07:48

Signatures

Phemedrone family

phemedrone

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-10-02 07:48

Reported

2023-10-02 07:50

Platform

win10v2004-20230915-en

Max time kernel

143s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\58b525579968cba0c68e8f7ae12e51e0b5542acc2c14a2e75fa6df44556e373f.exe"

Signatures

Phemedrone

stealer phemedrone

Reads user/profile data of web browsers

spyware stealer

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | ip-api.com | N/A | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\58b525579968cba0c68e8f7ae12e51e0b5542acc2c14a2e75fa6df44556e373f.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\58b525579968cba0c68e8f7ae12e51e0b5542acc2c14a2e75fa6df44556e373f.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\58b525579968cba0c68e8f7ae12e51e0b5542acc2c14a2e75fa6df44556e373f.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\58b525579968cba0c68e8f7ae12e51e0b5542acc2c14a2e75fa6df44556e373f.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\58b525579968cba0c68e8f7ae12e51e0b5542acc2c14a2e75fa6df44556e373f.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\58b525579968cba0c68e8f7ae12e51e0b5542acc2c14a2e75fa6df44556e373f.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\58b525579968cba0c68e8f7ae12e51e0b5542acc2c14a2e75fa6df44556e373f.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\58b525579968cba0c68e8f7ae12e51e0b5542acc2c14a2e75fa6df44556e373f.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\58b525579968cba0c68e8f7ae12e51e0b5542acc2c14a2e75fa6df44556e373f.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\58b525579968cba0c68e8f7ae12e51e0b5542acc2c14a2e75fa6df44556e373f.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\58b525579968cba0c68e8f7ae12e51e0b5542acc2c14a2e75fa6df44556e373f.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\58b525579968cba0c68e8f7ae12e51e0b5542acc2c14a2e75fa6df44556e373f.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\58b525579968cba0c68e8f7ae12e51e0b5542acc2c14a2e75fa6df44556e373f.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\58b525579968cba0c68e8f7ae12e51e0b5542acc2c14a2e75fa6df44556e373f.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\58b525579968cba0c68e8f7ae12e51e0b5542acc2c14a2e75fa6df44556e373f.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\58b525579968cba0c68e8f7ae12e51e0b5542acc2c14a2e75fa6df44556e373f.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\58b525579968cba0c68e8f7ae12e51e0b5542acc2c14a2e75fa6df44556e373f.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\58b525579968cba0c68e8f7ae12e51e0b5542acc2c14a2e75fa6df44556e373f.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\58b525579968cba0c68e8f7ae12e51e0b5542acc2c14a2e75fa6df44556e373f.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\58b525579968cba0c68e8f7ae12e51e0b5542acc2c14a2e75fa6df44556e373f.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\58b525579968cba0c68e8f7ae12e51e0b5542acc2c14a2e75fa6df44556e373f.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\58b525579968cba0c68e8f7ae12e51e0b5542acc2c14a2e75fa6df44556e373f.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\58b525579968cba0c68e8f7ae12e51e0b5542acc2c14a2e75fa6df44556e373f.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\58b525579968cba0c68e8f7ae12e51e0b5542acc2c14a2e75fa6df44556e373f.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\58b525579968cba0c68e8f7ae12e51e0b5542acc2c14a2e75fa6df44556e373f.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\58b525579968cba0c68e8f7ae12e51e0b5542acc2c14a2e75fa6df44556e373f.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\58b525579968cba0c68e8f7ae12e51e0b5542acc2c14a2e75fa6df44556e373f.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\58b525579968cba0c68e8f7ae12e51e0b5542acc2c14a2e75fa6df44556e373f.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\58b525579968cba0c68e8f7ae12e51e0b5542acc2c14a2e75fa6df44556e373f.exe | N/A
Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\svchost.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\58b525579968cba0c68e8f7ae12e51e0b5542acc2c14a2e75fa6df44556e373f.exe

"C:\Users\Admin\AppData\Local\Temp\58b525579968cba0c68e8f7ae12e51e0b5542acc2c14a2e75fa6df44556e373f.exe"

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k UnistackSvcGroup

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | ip-api.com | udp
US | 208.95.112.1:80 | ip-api.com | tcp
US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp
US | 8.8.8.8:53 | 254.22.238.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | g.bing.com | udp
US | 204.79.197.200:443 | g.bing.com | tcp
US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp
US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 167.109.18.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp
US | 8.8.8.8:53 | api.telegram.org | udp
NL | 149.154.167.220:443 | api.telegram.org | tcp
US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 220.167.154.149.in-addr.arpa | udp
US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp
US | 8.8.8.8:53 | 146.78.124.51.in-addr.arpa | udp
US | 8.8.8.8:53 | 93.245.36.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 119.110.54.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 240.81.21.72.in-addr.arpa | udp
US | 8.8.8.8:53 | 254.210.247.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 254.5.248.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 8.3.197.209.in-addr.arpa | udp
US | 8.8.8.8:53 | 254.7.248.8.in-addr.arpa | udp
IE | 52.111.236.21:443 | | tcp
US | 8.8.8.8:53 | 9.179.89.13.in-addr.arpa | udp

Files

memory/4632-0-0x0000000000AF0000-0x0000000000B0C000-memory.dmp

memory/4632-1-0x00007FFA74F70000-0x00007FFA75A31000-memory.dmp

memory/4632-2-0x000000001BA00000-0x000000001BA10000-memory.dmp

memory/4632-3-0x00007FFA74F70000-0x00007FFA75A31000-memory.dmp

memory/4632-4-0x000000001BA00000-0x000000001BA10000-memory.dmp

memory/4632-6-0x00007FFA74F70000-0x00007FFA75A31000-memory.dmp

memory/3860-7-0x0000026402C40000-0x0000026402C50000-memory.dmp

memory/3860-23-0x0000026402D40000-0x0000026402D50000-memory.dmp

memory/3860-39-0x000002640B0A0000-0x000002640B0A1000-memory.dmp

memory/3860-41-0x000002640B0D0000-0x000002640B0D1000-memory.dmp

memory/3860-42-0x000002640B0D0000-0x000002640B0D1000-memory.dmp

memory/3860-43-0x000002640B1E0000-0x000002640B1E1000-memory.dmp