Analysis
  max time kernel: 120s
  max time network: 124s
  platform: windows7_x64
  resource: win7-20231215-en
  resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  submitted: 06-02-2024 13:18
Behavioral task: behavioral1
  Sample: Abotihy.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: Abotihy.exe
  Resource: win10v2004-20231215-en
General
  Target: Abotihy.exe
  Size: 104KB
  MD5: a62ed6e2054cf8d2e62c02c83b3f07c7
  SHA1: af778b353cf5d24172339d084722811c7a088668
  SHA256: 8731e05790767c76250fff12cf1ecbf497889776be13aef569cc71f0aad97039
  SHA512: 9cce378e77dfb58a0740cb07a0f951971a5a52143c1c600181286b7c9d3e0a4aa0f03b1b754d9bdb08847c22d478240ba11236fe089197081867483f45175272
  SSDEEP: 3072:1jDx+/YuqZK9WDIciaK5C0dAoz1+wEKSK0M:5ZueBoz1/EK4
Malware Config
  Extracted: phemedrone
  https://api.telegram.org/bot5358754228:AAE42HAGW1bzIPxU7iVRC_96iDuHcwSjjVo/sendMessage?chat_id=5556872222
Signatures
- Phemedrone
  An information and wallet stealer written in C#.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
    flow  ioc
    4     ip-api.com
- Suspicious behavior: EnumeratesProcesses (10 IoCs)
  Processes:
    pid   process
    2304  Abotihy.exe   (the same entry is listed 10 times, once per IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
    description               pid   process
    Token: SeDebugPrivilege   2304  Abotihy.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes:
    description                        pid   process      target process
    PID 2304 wrote to memory of 1264   2304  Abotihy.exe  WerFault.exe   (the same entry is listed 3 times, once per IoC)
Processes
- C:\Users\Admin\AppData\Local\Temp\Abotihy.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Abotihy.exe"
  PID: 2304
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\WerFault.exe (child of PID 2304)
    Command line: C:\Windows\system32\WerFault.exe -u -p 2304 -s 1852
    PID: 1264
- C:\Windows\system32\wbem\WmiApSrv.exe
  Command line: C:\Windows\system32\wbem\WmiApSrv.exe
  PID: 2656
Network
MITRE ATT&CK Enterprise v15
Downloads
- memory/2304-0-0x0000000000DA0000-0x0000000000DC0000-memory.dmp  Filesize: 128KB
- memory/2304-2-0x000007FEF5780000-0x000007FEF616C000-memory.dmp  Filesize: 9.9MB
- memory/2304-1-0x0000000000240000-0x0000000000246000-memory.dmp  Filesize: 24KB
- memory/2304-3-0x000000001AD30000-0x000000001ADB0000-memory.dmp  Filesize: 512KB
- memory/2304-4-0x000007FEF5780000-0x000007FEF616C000-memory.dmp  Filesize: 9.9MB
- memory/2304-5-0x000000001AD30000-0x000000001ADB0000-memory.dmp  Filesize: 512KB