phemedrone | d5adb611966a10b056fc53bec138ad1dfd319c9d631eeebfcbdb13f101afc8ff

General

Target

d5adb611966a10b056fc53bec138ad1dfd319c9d631eeebfcbdb13f101afc8ff.exe
Size

5.9MB
MD5

5a9a7eb3ae570ba2827f9b43f0ca8d8d
SHA1

ff206f36fb8117bc112b915e6c523047e3ef0c8a
SHA256

d5adb611966a10b056fc53bec138ad1dfd319c9d631eeebfcbdb13f101afc8ff
SHA512

d66347fb462e01093c4758982b1cddd46f6d3eca8738cca56bb11ac38bf0208073f266376d906b8e071f2d9a12671814bbeb633d9373ea3c82b364ec5d414a26
SSDEEP

12288:s6umEODqMBbbtP7MjII99YeeF5NM6r0N:E6pdXeem4

Score

10^/10

phemedrone spyware stealer

Malware Config

Extracted

Family

phemedrone

C2

https://rakishevkenes.com/wp-load.php

Signatures

Phemedrone
An information and wallet stealer written in C#.
stealer phemedrone

Detect binaries embedding considerable number of MFA browser extension IDs. 3 IoCs

Processes:

resource	yara_rule
C:\ProgramData\ssh\PT3Q9R3SVB.exe	INDICATOR_SUSPICIOUS_Binary_Embedded_MFA_Browser_Extension_IDs
behavioral2/memory/4012-14-0x0000000000260000-0x000000000027C000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_Embedded_MFA_Browser_Extension_IDs
behavioral2/memory/4012-18-0x000000001B060000-0x000000001B070000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_Embedded_MFA_Browser_Extension_IDs

Detect binaries embedding considerable number of cryptocurrency wallet browser extension IDs. 3 IoCs

Processes:

resource	yara_rule
C:\ProgramData\ssh\PT3Q9R3SVB.exe	INDICATOR_SUSPICIOUS_Binary_Embedded_Crypto_Wallet_Browser_Extension_IDs
behavioral2/memory/4012-14-0x0000000000260000-0x000000000027C000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_Embedded_Crypto_Wallet_Browser_Extension_IDs
behavioral2/memory/4012-18-0x000000001B060000-0x000000001B070000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_Embedded_Crypto_Wallet_Browser_Extension_IDs

Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers 2 IoCs

Processes:

resource	yara_rule
C:\ProgramData\ssh\PT3Q9R3SVB.exe	INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
behavioral2/memory/4012-14-0x0000000000260000-0x000000000027C000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

d5adb611966a10b056fc53bec138ad1dfd319c9d631eeebfcbdb13f101afc8ff.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	d5adb611966a10b056fc53bec138ad1dfd319c9d631eeebfcbdb13f101afc8ff.exe

Executes dropped EXE 1 IoCs

Processes:

PT3Q9R3SVB.exe

pid process

4012 PT3Q9R3SVB.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

8 ip-api.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

flow	ioc
8	ip-api.com

Suspicious behavior: EnumeratesProcesses 27 IoCs

Processes:

PT3Q9R3SVB.exe

pid	process
4012	PT3Q9R3SVB.exe
4012	PT3Q9R3SVB.exe
4012	PT3Q9R3SVB.exe
4012	PT3Q9R3SVB.exe
4012	PT3Q9R3SVB.exe
4012	PT3Q9R3SVB.exe
4012	PT3Q9R3SVB.exe
4012	PT3Q9R3SVB.exe
4012	PT3Q9R3SVB.exe
4012	PT3Q9R3SVB.exe
4012	PT3Q9R3SVB.exe
4012	PT3Q9R3SVB.exe
4012	PT3Q9R3SVB.exe
4012	PT3Q9R3SVB.exe
4012	PT3Q9R3SVB.exe
4012	PT3Q9R3SVB.exe
4012	PT3Q9R3SVB.exe
4012	PT3Q9R3SVB.exe
4012	PT3Q9R3SVB.exe
4012	PT3Q9R3SVB.exe
4012	PT3Q9R3SVB.exe
4012	PT3Q9R3SVB.exe
4012	PT3Q9R3SVB.exe
4012	PT3Q9R3SVB.exe
4012	PT3Q9R3SVB.exe
4012	PT3Q9R3SVB.exe
4012	PT3Q9R3SVB.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

PT3Q9R3SVB.exe

description pid process

Token: SeDebugPrivilege 4012 PT3Q9R3SVB.exe

description	pid	process
Token: SeDebugPrivilege	4012	PT3Q9R3SVB.exe

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

d5adb611966a10b056fc53bec138ad1dfd319c9d631eeebfcbdb13f101afc8ff.exe

description	pid	process	target process
PID 2964 wrote to memory of 4012	2964	d5adb611966a10b056fc53bec138ad1dfd319c9d631eeebfcbdb13f101afc8ff.exe	PT3Q9R3SVB.exe
PID 2964 wrote to memory of 4012	2964	d5adb611966a10b056fc53bec138ad1dfd319c9d631eeebfcbdb13f101afc8ff.exe	PT3Q9R3SVB.exe

C:\Users\Admin\AppData\Local\Temp\d5adb611966a10b056fc53bec138ad1dfd319c9d631eeebfcbdb13f101afc8ff.exe
"C:\Users\Admin\AppData\Local\Temp\d5adb611966a10b056fc53bec138ad1dfd319c9d631eeebfcbdb13f101afc8ff.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2964

C:\ProgramData\ssh\PT3Q9R3SVB.exe
"C:\ProgramData\ssh\PT3Q9R3SVB.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4012

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:4824

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\ssh\PT3Q9R3SVB.exe
Filesize
83KB

MD5
ad38e2925566592aef91e61fc93e9e57

SHA1
ea58b082fd52f43eba22dd2df2b3b9a4b7e2469d

SHA256
3e7f77de98b866575482e332a52c9a6e165a07303c7013f238b0ae8619d9a4ff

SHA512
c8ae34afba8c734b8b3577a94ec3c5405aeba65f2accc21040b21454a27b7e356fc5ea12f1f7019841398e779cb876a284c18e4e602437398b11a62b9d3f5e52

Download Submit
memory/2964-0-0x00000000008A0000-0x0000000000912000-memory.dmp

Filesize
456KB

Download
memory/2964-1-0x0000000075350000-0x0000000075B00000-memory.dmp

Filesize
7.7MB

Download
memory/2964-2-0x00000000052F0000-0x0000000005300000-memory.dmp

Filesize
64KB

Download
memory/2964-16-0x0000000075350000-0x0000000075B00000-memory.dmp

Filesize
7.7MB

Download
memory/4012-14-0x0000000000260000-0x000000000027C000-memory.dmp

Filesize
112KB

Download
memory/4012-17-0x00007FF887DF0000-0x00007FF8888B1000-memory.dmp

Filesize
10.8MB

Download
memory/4012-18-0x000000001B060000-0x000000001B070000-memory.dmp

Filesize
64KB

Download
memory/4012-20-0x00007FF887DF0000-0x00007FF8888B1000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads