phemedrone | 97b5b7b3b23a2b928001416adc5d0f296c7250347c4785b5f9761cada5d3abf0 | Triage

Submit
Reports

Overview

overview

Static

static

PhemedroneStealer.zip

windows10-2004-x64

Sharing

General

Target

PhemedroneStealer.zip
Size

7.1MB
Sample

231114-2g6qlsgb94
MD5

5c34d6f02a963003637d026723a15383
SHA1

2e610cf6026665601b9c780af9475508c4681f95
SHA256

97b5b7b3b23a2b928001416adc5d0f296c7250347c4785b5f9761cada5d3abf0
SHA512

0edeb63b5af3dfb95d1db497fa7ee90f23df04a8382c8afeb58ecf5d0b400e2ad046e593c618bef279b51cbf3e7e39fbbedf7f1d3f9a5ec59e0a193f6f482eae
SSDEEP

196608:ojPTTPzqUMNpv5k4kNSVTPLpSybCWtbXIz8cN2Lj8/2dlQFClzH:G7qrNgR4XUgLh4ocEnWgu4b

Score

10^/10

phemedrone evasion spyware stealer upx

Static task

static1

2 signatures

Behavioral task

behavioral1

Sample

PhemedroneStealer.zip

Resource

win10v2004-20231023-en

phemedrone evasion spyware stealer upx

windows10-2004-x64

22 signatures

1800 seconds

Malware Config

Extracted

Family

phemedrone

C2

http://rakishev.net/wp-load.php

https://api.telegram.org/bot6421901210:AAErC913wmPS9T_-XJrvOWFdTxw2TkS248A/sendMessage?chat_id=5896425070

162.213.251.134:228

https://api.telegram.org/bot6301483836:AAEZRbk8wKzuJcYx_EdZAXoUXM97mUrZnL0/sendMessage?chat_id=5896425070

https://kenesrakishev.net/wp-load.php

https://rakishev.net/ok.php

http://rakishev.net/wp-cron.php

http://rakishev.net/wp-admin/admin-ajax.php

162.213.251.134:833

Targets

- Target
  
  PhemedroneStealer.zip
- Size
  
  7.1MB
- MD5
  
  5c34d6f02a963003637d026723a15383
- SHA1
  
  2e610cf6026665601b9c780af9475508c4681f95
- SHA256
  
  97b5b7b3b23a2b928001416adc5d0f296c7250347c4785b5f9761cada5d3abf0
- SHA512
  
  0edeb63b5af3dfb95d1db497fa7ee90f23df04a8382c8afeb58ecf5d0b400e2ad046e593c618bef279b51cbf3e7e39fbbedf7f1d3f9a5ec59e0a193f6f482eae
- SSDEEP
  
  196608:ojPTTPzqUMNpv5k4kNSVTPLpSybCWtbXIz8cN2Lj8/2dlQFClzH:G7qrNgR4XUgLh4ocEnWgu4b
Score

10^/10

phemedrone evasion spyware stealer upx
- Phemedrone
  An information and wallet stealer written in C#.
  stealer phemedrone
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Executes dropped EXE
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
  evasion
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

Credential Access

Unsecured Credentials

Credentials In Files

Discovery

Query Registry

System Information Discovery

Virtualization/Sandbox Evasion

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

phemedroneevasionspywarestealerupx

© 2018-2025

Terms | Privacy