phemedrone | c4cdb1f07262532c5ad6c2b11a0647a8c08aff180ca75e40f9b12ce7c6c2b3cb

Analysis

max time kernel
146s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20231127-en
resource tags

arch:x64arch:x86image:win10v2004-20231127-enlocale:en-usos:windows10-2004-x64system
submitted
01-12-2023 05:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AllParse_Log/allparse_logs.exe
Size

29.3MB
MD5

bd3b4c0a02882e590abea24128f5891e
SHA1

ccd4a73e6e4bb81d8ebd606948ed33762185b71b
SHA256

c0328ab964eca37b4ee30b09c9471880ae983a9624d7f464322a11cb66790831
SHA512

cae48f6ab19abe6eb20582857787d84f992e4177a13ac59eff435e9e6bfd37edbd10dbcae5e028cc0257603e667be751829ff023e4b4357f2ab68541b1aa8829
SSDEEP

393216:Xf2KVJ31I9jSHDGhAriW1CPwDv3uFhtU2lvzSFrjZtFodPVa79:v2KVPI9j3WZf

Score

10^/10

phemedrone stealer

Malware Config

Extracted

Family

phemedrone

https://api.telegram.org/bot6546988438:AAF4CYLITzgov4BI5_0csUsC5C49FDi5D6Y/sendMessage?chat_id=554005447

Signatures

Phemedrone
An information and wallet stealer written in C#.
stealer phemedrone
Executes dropped EXE 1 IoCs

Processes:

allparse_logs2.exe

pid process

1724 allparse_logs2.exe

Loads dropped DLL 11 IoCs

Processes:

allparse_logs2.exe

pid	process
1724	allparse_logs2.exe
1724	allparse_logs2.exe
1724	allparse_logs2.exe
1724	allparse_logs2.exe
1724	allparse_logs2.exe
1724	allparse_logs2.exe
1724	allparse_logs2.exe
1724	allparse_logs2.exe
1724	allparse_logs2.exe
1724	allparse_logs2.exe
1724	allparse_logs2.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

31 ip-api.com

flow	ioc
31	ip-api.com

Suspicious behavior: EnumeratesProcesses 33 IoCs

Processes:

allparse_logs2.execodec-library.exe

pid	process
1724	allparse_logs2.exe
1724	allparse_logs2.exe
1724	allparse_logs2.exe
1724	allparse_logs2.exe
3448	codec-library.exe
3448	codec-library.exe
3448	codec-library.exe
3448	codec-library.exe
3448	codec-library.exe
3448	codec-library.exe
3448	codec-library.exe
3448	codec-library.exe
3448	codec-library.exe
3448	codec-library.exe
3448	codec-library.exe
3448	codec-library.exe
3448	codec-library.exe
3448	codec-library.exe
3448	codec-library.exe
3448	codec-library.exe
3448	codec-library.exe
3448	codec-library.exe
3448	codec-library.exe
3448	codec-library.exe
3448	codec-library.exe
3448	codec-library.exe
3448	codec-library.exe
3448	codec-library.exe
3448	codec-library.exe
3448	codec-library.exe
3448	codec-library.exe
3448	codec-library.exe
3448	codec-library.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

allparse_logs2.execodec-library.exe

description pid process

Token: SeDebugPrivilege 1724 allparse_logs2.exe
Token: SeDebugPrivilege 3448 codec-library.exe

description	pid	process
Token: SeDebugPrivilege	1724	allparse_logs2.exe
Token: SeDebugPrivilege	3448	codec-library.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

allparse_logs.exeallparse_logs2.execmd.exe

description	pid	process	target process
PID 2196 wrote to memory of 1724	2196	allparse_logs.exe	allparse_logs2.exe
PID 2196 wrote to memory of 1724	2196	allparse_logs.exe	allparse_logs2.exe
PID 1724 wrote to memory of 1188	1724	allparse_logs2.exe	cmd.exe
PID 1724 wrote to memory of 1188	1724	allparse_logs2.exe	cmd.exe
PID 1188 wrote to memory of 3448	1188	cmd.exe	codec-library.exe
PID 1188 wrote to memory of 3448	1188	cmd.exe	codec-library.exe

C:\Users\Admin\AppData\Local\Temp\AllParse_Log\allparse_logs.exe
"C:\Users\Admin\AppData\Local\Temp\AllParse_Log\allparse_logs.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2196
- C:\Users\Admin\AppData\Local\Temp\onefile_2196_133458811271853719\allparse_logs2.exe
  "C:\Users\Admin\AppData\Local\Temp\AllParse_Log\allparse_logs.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1724
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "codec-library.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1188
  - - C:\Users\Admin\AppData\Local\Temp\AllParse_Log\codec-library.exe
      codec-library.exe
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3448

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:396

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_bz2.pyd

Filesize
84KB

MD5
7f2bba8a38712d00907f6e37f0ce6028

SHA1
e22227fc0fd45afdcf6c5d31a1cebffee22dfc32

SHA256
cd04ebe932b2cb2fd7f01c25412bddd77b476fa47d0aff69a04a27d3bfe4b37b

SHA512
ca46ceaf1b6683e6d505edbe33b1d36f2940a72fc34f42fa4aa0928f918d836803113bf9a404657ec3a65bc4e40ed13117ad48457a048c82599db37f98b68af0

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_ctypes.pyd

Filesize
124KB

MD5
38d9d8ed2b7df64790150a2a523fd3b9

SHA1
a629c8e76136fa5678c758351e2dcff5324f51e7

SHA256
11daef02afe45d9f3987bab5c2b6ef75b2b6f6f79704c45675d532f090f14b8b

SHA512
7a37a98bb9824680e3f0030e0db795f9eab1cc4d2b6605e4f6c37d432b4de0642481dd7b6c6f0e53264f2d940b4800555ab0d84145d7de35f4a65a26ca100fe8

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_lzma.pyd

Filesize
159KB

MD5
ad02ea81a127a401f4df84c082f3cce6

SHA1
9c6c851c52f331d17a33936c9aad8dcef2542709

SHA256
4213fbb6936ad3eac1e1ba28f10e15719176bc3a59ff01ddc6828dd7eee52132

SHA512
cdccd9e5fffc2a2836f7677985d63c0a8a90fc91f1d98a0f2355c11141e21ecd564bbbfba87e717ac80f784a68b6f43430476fbd72cec9820c691df6612ffd16

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_queue.pyd

Filesize
29KB

MD5
f9718fe21174d8428f022aaf60bf92da

SHA1
db7e85eaa7c795792050af43d47518ca7fa7878a

SHA256
95e1c419e08d8ab229b8c64d51fd301cd9d75a659dfc05e75b0317ca0a4f22e3

SHA512
000929c994446f22e4f11a011c21b7401bbe8b3b1a624b80a4eeb818f94190b3db2782b00e477e548814caea5234d4de5a8a766d72365c26654d655ec4546be3

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_socket.pyd

Filesize
78KB

MD5
0a6c6fd7697e4c3757014fa6bf6dd615

SHA1
f14f79831b8b16a7b31f4c7f698317c023d446f9

SHA256
a611e9b4f4e5fe67e945b771d79cf15c48441ecfa11ce186cec9bf233dc20c0d

SHA512
f5fcfede06f0f81229b946f803b6e292fd0c909191f3c2a82ca317ff7c2e08d1ea98aa2d11ec85edd5449994a2a7c61318a15d47806cd761e25739494f3e18e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\libffi-7.dll

Filesize
32KB

MD5
eef7981412be8ea459064d3090f4b3aa

SHA1
c60da4830ce27afc234b3c3014c583f7f0a5a925

SHA256
f60dd9f2fcbd495674dfc1555effb710eb081fc7d4cae5fa58c438ab50405081

SHA512
dc9ff4202f74a13ca9949a123dff4c0223da969f49e9348feaf93da4470f7be82cfa1d392566eaaa836d77dde7193fed15a8395509f72a0e9f97c66c0a096016

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\psutil\_psutil_windows.pyd

Filesize
75KB

MD5
5e9fc79283d08421683cb9e08ae5bf15

SHA1
b3021534d2647d90cd6d445772d2e362a04d5ddf

SHA256
d5685e38faccdf97ce6ffe4cf53cbfcf48bb20bf83abe316fba81d1abd093cb6

SHA512
9133011ae8eb0110da9f72a18d26bbc57098a74983af8374d1247b9a336ee32db287ed26f4d010d31a7d64eacdc9cf99a75faab194eff25b04299e5761af1a79

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\pyfiglet\fonts\slant.flf

Filesize
15KB

MD5
ed19a240363675a68b2a313a8eefd3f2

SHA1
395514ab7aa0fd86a5b03366997770f922e912a3

SHA256
776d70bf97e03e5753690bad342eb02f989b12571b018fa87dd3a67c8d16dc42

SHA512
1e9a07e528c6510f6c794d1e38cc9fb7e48d8bff76b878f2046a5ef32d83a5d5b3ea220a0c5932fc730dfda34b777a63be142d9be8a2c8582c88fb2149651403

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\python3.dll

Filesize
58KB

MD5
7a70559558c5e7a94b34c129f76e6759

SHA1
51b49800400fb8de5165c2bafedf20b1a6f92d84

SHA256
ec1e36e65d5bd2f32212f41cd4d0ef22a4ce238cffc216e45b5c4fe272bd3926

SHA512
edbbacf7a2ffc49878b0d5cfc2d06dd5fb6d3b9ee4656e792579f8096164e75579ca1069018405f3a7d5336eeee4b91e9365f8853a57fa6d824e35954c56375b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\select.pyd

Filesize
28KB

MD5
196c4d2f8bdc9e9d2dbcce866050684c

SHA1
1166c85c761d8188c45d9cc7441abfe8a7071132

SHA256
cd31f9f557d57a6909186940eafe483c37de9a7251e604644a747c7ec26b7823

SHA512
cb9a02530721482f0ff912ca65dae94f6930676e2390cb5523f99452174622d7e2e70cafaf46e053f0c3dfc314edc8c2f4fd3bc7ea888be81e83ff40d3a30e78

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_2196_133458811271853719\VCRUNTIME140.dll

Filesize
94KB

MD5
a87575e7cf8967e481241f13940ee4f7

SHA1
879098b8a353a39e16c79e6479195d43ce98629e

SHA256
ded5adaa94341e6c62aea03845762591666381dca30eb7c17261dd154121b83e

SHA512
e112f267ae4c9a592d0dd2a19b50187eb13e25f23ded74c2e6ccde458bcdaee99f4e3e0a00baf0e3362167ae7b7fe4f96ecbcd265cc584c1c3a4d1ac316e92f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_2196_133458811271853719\_bz2.pyd

Filesize
84KB

MD5
7f2bba8a38712d00907f6e37f0ce6028

SHA1
e22227fc0fd45afdcf6c5d31a1cebffee22dfc32

SHA256
cd04ebe932b2cb2fd7f01c25412bddd77b476fa47d0aff69a04a27d3bfe4b37b

SHA512
ca46ceaf1b6683e6d505edbe33b1d36f2940a72fc34f42fa4aa0928f918d836803113bf9a404657ec3a65bc4e40ed13117ad48457a048c82599db37f98b68af0

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_2196_133458811271853719\_ctypes.pyd

Filesize
124KB

MD5
38d9d8ed2b7df64790150a2a523fd3b9

SHA1
a629c8e76136fa5678c758351e2dcff5324f51e7

SHA256
11daef02afe45d9f3987bab5c2b6ef75b2b6f6f79704c45675d532f090f14b8b

SHA512
7a37a98bb9824680e3f0030e0db795f9eab1cc4d2b6605e4f6c37d432b4de0642481dd7b6c6f0e53264f2d940b4800555ab0d84145d7de35f4a65a26ca100fe8

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_2196_133458811271853719\_lzma.pyd

Filesize
159KB

MD5
ad02ea81a127a401f4df84c082f3cce6

SHA1
9c6c851c52f331d17a33936c9aad8dcef2542709

SHA256
4213fbb6936ad3eac1e1ba28f10e15719176bc3a59ff01ddc6828dd7eee52132

SHA512
cdccd9e5fffc2a2836f7677985d63c0a8a90fc91f1d98a0f2355c11141e21ecd564bbbfba87e717ac80f784a68b6f43430476fbd72cec9820c691df6612ffd16

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_2196_133458811271853719\_queue.pyd

Filesize
29KB

MD5
f9718fe21174d8428f022aaf60bf92da

SHA1
db7e85eaa7c795792050af43d47518ca7fa7878a

SHA256
95e1c419e08d8ab229b8c64d51fd301cd9d75a659dfc05e75b0317ca0a4f22e3

SHA512
000929c994446f22e4f11a011c21b7401bbe8b3b1a624b80a4eeb818f94190b3db2782b00e477e548814caea5234d4de5a8a766d72365c26654d655ec4546be3

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_2196_133458811271853719\_socket.pyd

Filesize
78KB

MD5
0a6c6fd7697e4c3757014fa6bf6dd615

SHA1
f14f79831b8b16a7b31f4c7f698317c023d446f9

SHA256
a611e9b4f4e5fe67e945b771d79cf15c48441ecfa11ce186cec9bf233dc20c0d

SHA512
f5fcfede06f0f81229b946f803b6e292fd0c909191f3c2a82ca317ff7c2e08d1ea98aa2d11ec85edd5449994a2a7c61318a15d47806cd761e25739494f3e18e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_2196_133458811271853719\allparse_logs2.exe

Filesize
13.4MB

MD5
2956b169293672a42a4299c4b7a018ce

SHA1
1232a43ed599297b33e7874686a6cd3b936d5b86

SHA256
8adacbe088ef3b85353de89caf0b25f8948484dc853ffc5f3e88f3b4e65e2aa1

SHA512
80b54b8b5c62f10e939265efc49313bc233162d9602f338bfd0a6e328c0bdcf1f99b0d49bca9d438cd9660aec85a34dd779b06cc79f5d175ff33d70f25020822

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_2196_133458811271853719\libffi-7.dll

Filesize
32KB

MD5
eef7981412be8ea459064d3090f4b3aa

SHA1
c60da4830ce27afc234b3c3014c583f7f0a5a925

SHA256
f60dd9f2fcbd495674dfc1555effb710eb081fc7d4cae5fa58c438ab50405081

SHA512
dc9ff4202f74a13ca9949a123dff4c0223da969f49e9348feaf93da4470f7be82cfa1d392566eaaa836d77dde7193fed15a8395509f72a0e9f97c66c0a096016

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_2196_133458811271853719\psutil\_psutil_windows.pyd

Filesize
75KB

MD5
5e9fc79283d08421683cb9e08ae5bf15

SHA1
b3021534d2647d90cd6d445772d2e362a04d5ddf

SHA256
d5685e38faccdf97ce6ffe4cf53cbfcf48bb20bf83abe316fba81d1abd093cb6

SHA512
9133011ae8eb0110da9f72a18d26bbc57098a74983af8374d1247b9a336ee32db287ed26f4d010d31a7d64eacdc9cf99a75faab194eff25b04299e5761af1a79

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_2196_133458811271853719\python3.dll

Filesize
58KB

MD5
7a70559558c5e7a94b34c129f76e6759

SHA1
51b49800400fb8de5165c2bafedf20b1a6f92d84

SHA256
ec1e36e65d5bd2f32212f41cd4d0ef22a4ce238cffc216e45b5c4fe272bd3926

SHA512
edbbacf7a2ffc49878b0d5cfc2d06dd5fb6d3b9ee4656e792579f8096164e75579ca1069018405f3a7d5336eeee4b91e9365f8853a57fa6d824e35954c56375b

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_2196_133458811271853719\python39.dll

Filesize
4.3MB

MD5
19e6d310c1bd0578d468a888d3ec0e3d

SHA1
32561ad9b89dc9e9a086569780890ad10337e698

SHA256
f4609ec3bbcc74ed9257e3440ec15adf3061f7162a89e4e9a370e1c2273370a1

SHA512
4a8332c22a40a170ea83fc8cfd5b8a0ed0df1d59fd22ebe10088ba0be78cc0e91a537d7085549a4d06204cbe77e83154a812daed885c25aa4b4cb4aca5b9cc85

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_2196_133458811271853719\python39.dll

Filesize
4.3MB

MD5
19e6d310c1bd0578d468a888d3ec0e3d

SHA1
32561ad9b89dc9e9a086569780890ad10337e698

SHA256
f4609ec3bbcc74ed9257e3440ec15adf3061f7162a89e4e9a370e1c2273370a1

SHA512
4a8332c22a40a170ea83fc8cfd5b8a0ed0df1d59fd22ebe10088ba0be78cc0e91a537d7085549a4d06204cbe77e83154a812daed885c25aa4b4cb4aca5b9cc85

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_2196_133458811271853719\select.pyd

Filesize
28KB

MD5
196c4d2f8bdc9e9d2dbcce866050684c

SHA1
1166c85c761d8188c45d9cc7441abfe8a7071132

SHA256
cd31f9f557d57a6909186940eafe483c37de9a7251e604644a747c7ec26b7823

SHA512
cb9a02530721482f0ff912ca65dae94f6930676e2390cb5523f99452174622d7e2e70cafaf46e053f0c3dfc314edc8c2f4fd3bc7ea888be81e83ff40d3a30e78

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_2196_133458811271853719\vcruntime140.dll

Filesize
94KB

MD5
a87575e7cf8967e481241f13940ee4f7

SHA1
879098b8a353a39e16c79e6479195d43ce98629e

SHA256
ded5adaa94341e6c62aea03845762591666381dca30eb7c17261dd154121b83e

SHA512
e112f267ae4c9a592d0dd2a19b50187eb13e25f23ded74c2e6ccde458bcdaee99f4e3e0a00baf0e3362167ae7b7fe4f96ecbcd265cc584c1c3a4d1ac316e92f0

Download Submit
memory/3448-478-0x0000000000C80000-0x0000000000C9C000-memory.dmp

Filesize
112KB

Download
memory/3448-479-0x00007FF956DF0000-0x00007FF9578B1000-memory.dmp

Filesize
10.8MB

Download
memory/3448-480-0x000000001BC80000-0x000000001BC90000-memory.dmp

Filesize
64KB

Download
memory/3448-481-0x00007FF956DF0000-0x00007FF9578B1000-memory.dmp

Filesize
10.8MB

Download
memory/3448-482-0x000000001BC80000-0x000000001BC90000-memory.dmp

Filesize
64KB

Download
memory/3448-484-0x00007FF956DF0000-0x00007FF9578B1000-memory.dmp

Filesize
10.8MB

Download