phemedrone | 59c71b235595f91647ec9cb99c0b1ccaf2f00d444383a2d0e646f05a989f8200

Analysis

max time kernel
119s
max time network
123s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
05-10-2023 17:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

59c71b235595f91647ec9cb99c0b1ccaf2f00d444383a2d0e646f05a989f8200exe_JC.exe
Size

230KB
MD5

ea158c59e8f2e24e539e2931688ac52e
SHA1

39290245dc40775d95a3cc792ff41c6e74b7ed57
SHA256

59c71b235595f91647ec9cb99c0b1ccaf2f00d444383a2d0e646f05a989f8200
SHA512

daab2418f17eb0ef7c4ddda330e94ce0c27b8f0cf5c94ff275c031adbf7152101eac98cfb69e2e726c89220190ca314cbcc1b5d17f1cf6409dfe159360f9498f
SSDEEP

6144:J29Np5zgWyMWer84eAXtwNNfCKbOXjQj/YHej:4Npt/pWer84eAXtwNNfCKbOEj/YH

Score

10^/10

phemedrone spyware stealer

Malware Config

Signatures

Phemedrone
An information and wallet stealer written in C#.
stealer phemedrone
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 ip-api.com

flow	ioc
4	ip-api.com

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

59c71b235595f91647ec9cb99c0b1ccaf2f00d444383a2d0e646f05a989f8200exe_JC.exe

pid	process
1304	59c71b235595f91647ec9cb99c0b1ccaf2f00d444383a2d0e646f05a989f8200exe_JC.exe
1304	59c71b235595f91647ec9cb99c0b1ccaf2f00d444383a2d0e646f05a989f8200exe_JC.exe
1304	59c71b235595f91647ec9cb99c0b1ccaf2f00d444383a2d0e646f05a989f8200exe_JC.exe
1304	59c71b235595f91647ec9cb99c0b1ccaf2f00d444383a2d0e646f05a989f8200exe_JC.exe
1304	59c71b235595f91647ec9cb99c0b1ccaf2f00d444383a2d0e646f05a989f8200exe_JC.exe
1304	59c71b235595f91647ec9cb99c0b1ccaf2f00d444383a2d0e646f05a989f8200exe_JC.exe
1304	59c71b235595f91647ec9cb99c0b1ccaf2f00d444383a2d0e646f05a989f8200exe_JC.exe
1304	59c71b235595f91647ec9cb99c0b1ccaf2f00d444383a2d0e646f05a989f8200exe_JC.exe
1304	59c71b235595f91647ec9cb99c0b1ccaf2f00d444383a2d0e646f05a989f8200exe_JC.exe
1304	59c71b235595f91647ec9cb99c0b1ccaf2f00d444383a2d0e646f05a989f8200exe_JC.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

59c71b235595f91647ec9cb99c0b1ccaf2f00d444383a2d0e646f05a989f8200exe_JC.exe

description pid process

Token: SeDebugPrivilege 1304 59c71b235595f91647ec9cb99c0b1ccaf2f00d444383a2d0e646f05a989f8200exe_JC.exe

description	pid	process
Token: SeDebugPrivilege	1304	59c71b235595f91647ec9cb99c0b1ccaf2f00d444383a2d0e646f05a989f8200exe_JC.exe

C:\Users\Admin\AppData\Local\Temp\59c71b235595f91647ec9cb99c0b1ccaf2f00d444383a2d0e646f05a989f8200exe_JC.exe
"C:\Users\Admin\AppData\Local\Temp\59c71b235595f91647ec9cb99c0b1ccaf2f00d444383a2d0e646f05a989f8200exe_JC.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1304

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:2536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1304-0-0x0000000001120000-0x0000000001160000-memory.dmp

Filesize
256KB

Download
memory/1304-1-0x000007FEF6000000-0x000007FEF69EC000-memory.dmp

Filesize
9.9MB

Download
memory/1304-2-0x000000001AFE0000-0x000000001B060000-memory.dmp

Filesize
512KB

Download
memory/1304-3-0x0000000000580000-0x000000000059C000-memory.dmp

Filesize
112KB

Download
memory/1304-4-0x000007FEF6000000-0x000007FEF69EC000-memory.dmp

Filesize
9.9MB

Download
memory/1304-5-0x000007FEF6000000-0x000007FEF69EC000-memory.dmp

Filesize
9.9MB

Download