phemedrone | c93d28e89af52917c466181f07f704b19501d876b43788af4e89ea5e3e9bc433 | Triage

Analysis

max time kernel
6s
max time network
59s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
12-10-2023 01:58

Sharing

Report Analysis Logs

General

Target

togo.exe
Size

159KB
MD5

8993b5ec83aa894aea936c3a268bcad1
SHA1

7848e3a3155c386c069495ce0bf0806453d6a338
SHA256

c93d28e89af52917c466181f07f704b19501d876b43788af4e89ea5e3e9bc433
SHA512

cbff3880c90a6b5a6c5f763fe1603627c56911d96395aa92eb81d6ae2b3c27a44040b1e70d2ecac78f02991329b5a7428d4828bc8ee2cf90a5bbf3c573efb487
SSDEEP

3072:RuipBBsGzDvh07fs4RyPB2pMPVlfV9YUVhxPYKBYXylPW9Y/:RhpBBs+DJ07kagV2KYtg

Score

10^/10

phemedrone stealer

Malware Config

Signatures

Phemedrone
An information and wallet stealer written in C#.
stealer phemedrone
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1680 2868 WerFault.exe togo.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

togo.exe

description	pid	process	target process
PID 2868 wrote to memory of 1680	2868	togo.exe	WerFault.exe
PID 2868 wrote to memory of 1680	2868	togo.exe	WerFault.exe
PID 2868 wrote to memory of 1680	2868	togo.exe	WerFault.exe
PID 2868 wrote to memory of 1680	2868	togo.exe	WerFault.exe
PID 2868 wrote to memory of 1680	2868	togo.exe	WerFault.exe
PID 2868 wrote to memory of 1680	2868	togo.exe	WerFault.exe
PID 2868 wrote to memory of 1680	2868	togo.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\togo.exe
"C:\Users\Admin\AppData\Local\Temp\togo.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2868
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2868 -s 760
  2⤵
  - Program crash
  PID:1680

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2868-0-0x00000000009F0000-0x0000000000A1E000-memory.dmp

Filesize
184KB

Download
memory/2868-1-0x00000000004A0000-0x00000000004BE000-memory.dmp

Filesize
120KB

Download
memory/2868-2-0x00000000004C0000-0x00000000004DC000-memory.dmp

Filesize
112KB

Download