phemedrone

Sharing

Copy URL

Twitter E-mail

General

Target

TrixXPloit.rar
Size

2.2MB
Sample

240224-lsla2sha3y
MD5

1d520621071c6533e7e2b599eedddead
SHA1

bb95da8d05c24bedc2c1fa2e4a50fa8ce522b907
SHA256

73b609e62a885cb34e16ae24652643374938b63fb909ff520ef3abab1acef8c6
SHA512

8a3790af510e2bed0a91fd96009d537cee763f69bf856a785f5f3f4d6ff85435c7b6358ca5696612a06fa7742d5511df7440404f7b13ec387d27fed87ac28381
SSDEEP

49152:2lE/1E8lo9tie8iGRna+4QWfaoforJPGD3insbFzo81M9GePPke:6s17OCPns58UMYe3d

Score

10^/10

Malware Config

Targets

- Target
  
  Launch_this(Not_exe file).bat
- Size
  
  39B
- MD5
  
  5a2e0926fa37baca58359bee58abe0f7
- SHA1
  
  f0a00abfd62e13c3db00a727d27a909a89fd6380
- SHA256
  
  9690649d6e693e18175ea4a29fb5860c9c17afcab518ad1e28b3365dc5fbe241
- SHA512
  
  1d200f5d5edb872157c4e4e1ed574f4a13a58631f09c0dd085f702b460a0e541b52ab361d79a1711197a4b5ed5df70032340d84f0d969ee9f8d79cd09b1ffff5
Score

10^/10

phemedrone xmrig evasion miner persistence stealer upx
- Phemedrone
  An information and wallet stealer written in C#.
  stealer phemedrone
- xmrig
  XMRig is a high performance, open source, cross platform CPU/GPU miner.
  miner xmrig
- XMRig Miner payload
  miner
- Creates new service(s)
  persistence
- Drops file in Drivers directory
- Stops running service(s)
  evasion
- Executes dropped EXE
- Loads dropped DLL
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2
- Target
  
  License.exe
- Size
  
  223KB
- MD5
  
  c4a30082317aa701d555c0cb1a3345a8
- SHA1
  
  cd36010d6bb2c282eae20edc14b25c61bb70e28d
- SHA256
  
  22b3ba3c3572cab0bd553ac397e311e85bf64ac3aa1c7f315b3a5fe19d3cd3de
- SHA512
  
  002a050ed15c05d82cec7da4d889e25b4ed9f17355993709443f8af9ffd0a00bf2a034f2dd0c247a001ef7f1e91bee08e291f98768dcb6a89fe666562815524b
- SSDEEP
  
  6144:pJfzvwSFMUOCsCnOIksBNQG2Nk8NeI/qt7:LfjwSFsCsC/B8pNSl
Score

10^/10

phemedrone spyware stealer
- Phemedrone
  An information and wallet stealer written in C#.
  stealer phemedrone
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral3 behavioral4
- Target
  
  TrixXPloit.exe
- Size
  
  2.7MB
- MD5
  
  115cd2af99e0164e38a30e31f4868f22
- SHA1
  
  3bb156889b2c85eef03f601c53c9e3f639b776a9
- SHA256
  
  c880c4b1702d093d6e9bbeb772da0459da2387db9b7b13e95620996e5773db83
- SHA512
  
  9a609f90eeda49480873e4fab59b6edeaa0ee9c82569ee03d7cb69d968058201cdcaf490418b549b1d16332ed4db0a26fcd61a99c3296fbb3de4c76b10686151
- SSDEEP
  
  49152:QX6ms1+CBy/+PK+ShRDw+I/SfZlNKfaBT0YA3jgpXSHXRVlCmb5BW:pmssgrPKJfF3wns6XRV8mbH
Score

10^/10

xmrig evasion miner persistence upx
- xmrig
  XMRig is a high performance, open source, cross platform CPU/GPU miner.
  miner xmrig
- XMRig Miner payload
  miner
- Creates new service(s)
  persistence
- Drops file in Drivers directory
- Stops running service(s)
  evasion
- Executes dropped EXE
- Loads dropped DLL
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral5 behavioral6
- Target
  
  autoexec.lnk
- Size
  
  1KB
- MD5
  
  0e66f35c879baed7836f38677e386185
- SHA1
  
  0d67ea207b644d198cc5b864bf4d5329cfeb0335
- SHA256
  
  174a7720d2da06cdfcf29487d5659f55df46638ea28915f2ad69a44e21cb80f8
- SHA512
  
  2df4050e9e0e0d659034482c35b420ed78f2b785f01275a6de1d6bc27829ecbb93db295823e00b3a6369fec095e50ff87535583aa3048a09008e53364df4569b
Score

3^/10
behavioral7 behavioral8
- Target
  
  workspace.lnk
- Size
  
  1KB
- MD5
  
  2d616081fa0909450e50b608c97dee30
- SHA1
  
  5ac9025a81f8a7c506dd100b7ae43d7b534ca28b
- SHA256
  
  5da88cf568b8124fd4708be9c6e436e1f8da9a394d40d075be55a91bb2a7f8b1
- SHA512
  
  15cd58a26e3c9d2b97ffd074d2ff2a8948e2f003579a5032f1bb7aafe1501bcef8b9c126f29d1f9c4171ab9ff89030900980c6ad99f9f45d49f0c98bb66a6c22
Score

3^/10
behavioral10 behavioral9

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Service Stop

T1489

Tasks

Sharing

General

Malware Config

Targets

xmrig

XMRig Miner payload

Creates new service(s)

Drops file in Drivers directory

Stops running service(s)

Executes dropped EXE

Loads dropped DLL

UPX packed file

Looks up external IP address via web service

Drops file in System32 directory

Suspicious use of SetThreadContext

Phemedrone

Reads user/profile data of web browsers

Looks up external IP address via web service

xmrig

XMRig Miner payload

Creates new service(s)

Drops file in Drivers directory

Stops running service(s)

Executes dropped EXE

Loads dropped DLL

UPX packed file

Drops file in System32 directory

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10