phemedrone | a604eed1325b12671370e268783cfa74f8675a468492ff98416187d73768b4af

General

Target

a604eed1325b12671370e268783cfa74f8675a468492ff98416187d73768b4af.exe
Size

2.5MB
MD5

5d4392b56aa4ebac400bbe86fe5d0767
SHA1

a68a6004e111ba899254aa015d93706037c447ff
SHA256

a604eed1325b12671370e268783cfa74f8675a468492ff98416187d73768b4af
SHA512

a2de9b684163bfad13aa23f76f32b4122ef8b9dd3a4ab557d1b395c13aafa62fd475a657cb4cc79183543a0ac2444dc457586ae17079764c27a5ffc94c8230f9
SSDEEP

49152:o3s23i7y2K9TYDnORn+JuXbOoGlQXlSHcBA5TkfZnIZirM5RxivYp:

Score

10^/10

phemedrone spyware stealer

Malware Config

Signatures

Phemedrone
An information and wallet stealer written in C#.
stealer phemedrone

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

a604eed1325b12671370e268783cfa74f8675a468492ff98416187d73768b4af.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\International\Geo\Nation	a604eed1325b12671370e268783cfa74f8675a468492ff98416187d73768b4af.exe

Executes dropped EXE 2 IoCs

Processes:

VWQ50RMO.exeZF167JVU.exe

pid process

1876 VWQ50RMO.exe
1656 ZF167JVU.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

18 ip-api.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
1876	VWQ50RMO.exe
1656	ZF167JVU.exe

flow	ioc
18	ip-api.com

Suspicious behavior: EnumeratesProcesses 27 IoCs

Processes:

ZF167JVU.exe

pid	process
1656	ZF167JVU.exe
1656	ZF167JVU.exe
1656	ZF167JVU.exe
1656	ZF167JVU.exe
1656	ZF167JVU.exe
1656	ZF167JVU.exe
1656	ZF167JVU.exe
1656	ZF167JVU.exe
1656	ZF167JVU.exe
1656	ZF167JVU.exe
1656	ZF167JVU.exe
1656	ZF167JVU.exe
1656	ZF167JVU.exe
1656	ZF167JVU.exe
1656	ZF167JVU.exe
1656	ZF167JVU.exe
1656	ZF167JVU.exe
1656	ZF167JVU.exe
1656	ZF167JVU.exe
1656	ZF167JVU.exe
1656	ZF167JVU.exe
1656	ZF167JVU.exe
1656	ZF167JVU.exe
1656	ZF167JVU.exe
1656	ZF167JVU.exe
1656	ZF167JVU.exe
1656	ZF167JVU.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

ZF167JVU.exe

description pid process

Token: SeDebugPrivilege 1656 ZF167JVU.exe

description	pid	process
Token: SeDebugPrivilege	1656	ZF167JVU.exe

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

a604eed1325b12671370e268783cfa74f8675a468492ff98416187d73768b4af.exe

description	pid	process	target process
PID 652 wrote to memory of 1876	652	a604eed1325b12671370e268783cfa74f8675a468492ff98416187d73768b4af.exe	VWQ50RMO.exe
PID 652 wrote to memory of 1876	652	a604eed1325b12671370e268783cfa74f8675a468492ff98416187d73768b4af.exe	VWQ50RMO.exe
PID 652 wrote to memory of 1876	652	a604eed1325b12671370e268783cfa74f8675a468492ff98416187d73768b4af.exe	VWQ50RMO.exe
PID 652 wrote to memory of 1656	652	a604eed1325b12671370e268783cfa74f8675a468492ff98416187d73768b4af.exe	ZF167JVU.exe
PID 652 wrote to memory of 1656	652	a604eed1325b12671370e268783cfa74f8675a468492ff98416187d73768b4af.exe	ZF167JVU.exe

C:\Users\Admin\AppData\Local\Temp\a604eed1325b12671370e268783cfa74f8675a468492ff98416187d73768b4af.exe
"C:\Users\Admin\AppData\Local\Temp\a604eed1325b12671370e268783cfa74f8675a468492ff98416187d73768b4af.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:652
- C:\Users\Admin\AppData\Local\Temp\Low\VWQ50RMO.exe
  "C:\Users\Admin\AppData\Local\Temp\Low\VWQ50RMO.exe"
  2⤵
  - Executes dropped EXE
  PID:1876
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\ZF167JVU.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\ZF167JVU.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1656

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:2320

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Low\VWQ50RMO.exe

Filesize
868KB

MD5
53406e9988306cbd4537677c5336aba4

SHA1
06becadb92a5fcca2529c0b93687c2a0c6d0d610

SHA256
fa1afff978325f8818ce3a559d67a58297d9154674de7fd8eb03656d93104425

SHA512
4f89da81b5a3800aa16ff33cc4a42dbb17d4c698a5e2983b88c32738decb57e3088a1da444ad0ec0d745c3c6b6b8b9b86d3f19909142f9e51f513748c0274a99

Download Submit
C:\Users\Admin\AppData\Local\Temp\Low\VWQ50RMO.exe

Filesize
868KB

MD5
53406e9988306cbd4537677c5336aba4

SHA1
06becadb92a5fcca2529c0b93687c2a0c6d0d610

SHA256
fa1afff978325f8818ce3a559d67a58297d9154674de7fd8eb03656d93104425

SHA512
4f89da81b5a3800aa16ff33cc4a42dbb17d4c698a5e2983b88c32738decb57e3088a1da444ad0ec0d745c3c6b6b8b9b86d3f19909142f9e51f513748c0274a99

Download Submit
C:\Users\Admin\AppData\Local\Temp\Low\VWQ50RMO.exe

Filesize
868KB

MD5
53406e9988306cbd4537677c5336aba4

SHA1
06becadb92a5fcca2529c0b93687c2a0c6d0d610

SHA256
fa1afff978325f8818ce3a559d67a58297d9154674de7fd8eb03656d93104425

SHA512
4f89da81b5a3800aa16ff33cc4a42dbb17d4c698a5e2983b88c32738decb57e3088a1da444ad0ec0d745c3c6b6b8b9b86d3f19909142f9e51f513748c0274a99

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\ZF167JVU.exe

Filesize
83KB

MD5
ae881baa8c3a00a94e5994826bdac3aa

SHA1
3f81a9e1cb712b2f69c8ab9104469a436c797706

SHA256
2c669f5390b14c63c91f4898419792aaee9c0b996dc348419e2ee84179cf3531

SHA512
2e1845235d5cb2c710ab8db068cc9cf744ccd2809e8293ef4ce27d090d071a645524d23517f74bf841aca21ddeea7daa21621b537a63a7ec356db7be6dfc21fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\ZF167JVU.exe

Filesize
83KB

MD5
ae881baa8c3a00a94e5994826bdac3aa

SHA1
3f81a9e1cb712b2f69c8ab9104469a436c797706

SHA256
2c669f5390b14c63c91f4898419792aaee9c0b996dc348419e2ee84179cf3531

SHA512
2e1845235d5cb2c710ab8db068cc9cf744ccd2809e8293ef4ce27d090d071a645524d23517f74bf841aca21ddeea7daa21621b537a63a7ec356db7be6dfc21fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\ZF167JVU.exe

Filesize
83KB

MD5
ae881baa8c3a00a94e5994826bdac3aa

SHA1
3f81a9e1cb712b2f69c8ab9104469a436c797706

SHA256
2c669f5390b14c63c91f4898419792aaee9c0b996dc348419e2ee84179cf3531

SHA512
2e1845235d5cb2c710ab8db068cc9cf744ccd2809e8293ef4ce27d090d071a645524d23517f74bf841aca21ddeea7daa21621b537a63a7ec356db7be6dfc21fc

Download Submit
memory/652-1-0x00007FFA34D80000-0x00007FFA35841000-memory.dmp

Filesize
10.8MB

Download
memory/652-0-0x0000000000B40000-0x0000000000DC2000-memory.dmp

Filesize
2.5MB

Download
memory/652-28-0x00007FFA34D80000-0x00007FFA35841000-memory.dmp

Filesize
10.8MB

Download
memory/1656-24-0x0000000000CA0000-0x0000000000CBC000-memory.dmp

Filesize
112KB

Download
memory/1656-25-0x00007FFA34D80000-0x00007FFA35841000-memory.dmp

Filesize
10.8MB

Download
memory/1656-26-0x000000001BAF0000-0x000000001BB00000-memory.dmp

Filesize
64KB

Download
memory/1656-29-0x00007FFA34D80000-0x00007FFA35841000-memory.dmp

Filesize
10.8MB

Download
memory/1656-30-0x000000001BAF0000-0x000000001BB00000-memory.dmp

Filesize
64KB

Download
memory/1656-32-0x00007FFA34D80000-0x00007FFA35841000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads