phemedrone | 2536fc6f1a41811f182aa3cd922e880835468ef10ef8bd50cc6a1c180c080696 | Triage

Submit
Reports

Overview

overview

Static

static

3

2536fc6f1a...96.exe

windows7-x64

2536fc6f1a...96.exe

windows10-2004-x64

Sharing

General

Target

2536fc6f1a41811f182aa3cd922e880835468ef10ef8bd50cc6a1c180c080696.exe
Size

4.1MB
Sample

240409-bh65nada61
MD5

66d470662b00625bdd142c6dbc43888a
SHA1

b26f70d765d664c9daf307bc89767e6ab8aa41d4
SHA256

2536fc6f1a41811f182aa3cd922e880835468ef10ef8bd50cc6a1c180c080696
SHA512

1c59784050f00b84693bbd9985761c605b20e38753da394eaf20b12a296e8a13a416b0949cd4d1de3f80859277b5bf15c260297ce93e42fd188764c9db966013
SSDEEP

49152:TmLt5d3214AmqYoh8yBUtYTL0VhgFhFO47t+l06ungLU:QfTFNgLsA7

Score

10^/10

phemedrone stealer

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

2536fc6f1a41811f182aa3cd922e880835468ef10ef8bd50cc6a1c180c080696.exe

Resource

win7-20240220-en

phemedrone stealer

windows7-x64

10 signatures

150 seconds

Behavioral task

behavioral2

Sample

2536fc6f1a41811f182aa3cd922e880835468ef10ef8bd50cc6a1c180c080696.exe

Resource

win10v2004-20240226-en

phemedrone stealer

windows10-2004-x64

11 signatures

150 seconds

Malware Config

Extracted

Family

phemedrone

C2

10.5.0.2

Targets

- Target
  
  2536fc6f1a41811f182aa3cd922e880835468ef10ef8bd50cc6a1c180c080696.exe
- Size
  
  4.1MB
- MD5
  
  66d470662b00625bdd142c6dbc43888a
- SHA1
  
  b26f70d765d664c9daf307bc89767e6ab8aa41d4
- SHA256
  
  2536fc6f1a41811f182aa3cd922e880835468ef10ef8bd50cc6a1c180c080696
- SHA512
  
  1c59784050f00b84693bbd9985761c605b20e38753da394eaf20b12a296e8a13a416b0949cd4d1de3f80859277b5bf15c260297ce93e42fd188764c9db966013
- SSDEEP
  
  49152:TmLt5d3214AmqYoh8yBUtYTL0VhgFhFO47t+l06ungLU:QfTFNgLsA7
Score

10^/10

phemedrone stealer
- Phemedrone
  An information and wallet stealer written in C#.
  stealer phemedrone
- Detect binaries embedding considerable number of MFA browser extension IDs.
- Detect binaries embedding considerable number of cryptocurrency wallet browser extension IDs.
- Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

phemedronestealer

behavioral2

phemedronestealer

© 2018-2024

Terms | Privacy