phemedrone | 7966834c1d2820f4662d2cf896f92b9e219d48f9a96963b5b3efa8be1a72c809

Analysis

max time kernel
147s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
14-04-2024 23:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7966834c1d2820f4662d2cf896f92b9e219d48f9a96963b5b3efa8be1a72c809.exe
Size

5.3MB
MD5

fedee37af6c431a3207fe8d25c882a4e
SHA1

ea7be9251e52d05120599033d73dd959d81c2310
SHA256

7966834c1d2820f4662d2cf896f92b9e219d48f9a96963b5b3efa8be1a72c809
SHA512

1d16785f913752b4621a71889f57059e8b9ac7eabc901effbb3baac3676cc3474ee4a9993d0a193beef745780175f9b1c04e159ef8febe23c25c417fef978e53
SSDEEP

98304:+J1ezhQcSZcOb+sX1Zvbez14Z0FGRABTgtse6vzovkNu:+8hQcERCsXDjYZkJMU

Score

10^/10

phemedrone spyware stealer

Malware Config

Extracted

Family

phemedrone

https://api.telegram.org/bot6699343870:AAGOms3s--pO8LwD1p3vPosnjG5pMMzXG9w/sendDocument

Signatures

Phemedrone
An information and wallet stealer written in C#.
stealer phemedrone
Executes dropped EXE 2 IoCs

Processes:

ratr.exeratr2.exe

pid process

1188 ratr.exe
4424 ratr2.exe

Loads dropped DLL 4 IoCs

Processes:

7966834c1d2820f4662d2cf896f92b9e219d48f9a96963b5b3efa8be1a72c809.exe

pid	process
2868	7966834c1d2820f4662d2cf896f92b9e219d48f9a96963b5b3efa8be1a72c809.exe
2868	7966834c1d2820f4662d2cf896f92b9e219d48f9a96963b5b3efa8be1a72c809.exe
2868	7966834c1d2820f4662d2cf896f92b9e219d48f9a96963b5b3efa8be1a72c809.exe
2868	7966834c1d2820f4662d2cf896f92b9e219d48f9a96963b5b3efa8be1a72c809.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Suspicious behavior: EnumeratesProcesses 54 IoCs

Processes:

ratr.exeratr2.exe

pid	process
1188	ratr.exe
1188	ratr.exe
1188	ratr.exe
1188	ratr.exe
1188	ratr.exe
1188	ratr.exe
1188	ratr.exe
1188	ratr.exe
1188	ratr.exe
1188	ratr.exe
1188	ratr.exe
1188	ratr.exe
1188	ratr.exe
1188	ratr.exe
1188	ratr.exe
1188	ratr.exe
1188	ratr.exe
1188	ratr.exe
1188	ratr.exe
1188	ratr.exe
1188	ratr.exe
1188	ratr.exe
1188	ratr.exe
1188	ratr.exe
1188	ratr.exe
1188	ratr.exe
1188	ratr.exe
4424	ratr2.exe
4424	ratr2.exe
4424	ratr2.exe
4424	ratr2.exe
4424	ratr2.exe
4424	ratr2.exe
4424	ratr2.exe
4424	ratr2.exe
4424	ratr2.exe
4424	ratr2.exe
4424	ratr2.exe
4424	ratr2.exe
4424	ratr2.exe
4424	ratr2.exe
4424	ratr2.exe
4424	ratr2.exe
4424	ratr2.exe
4424	ratr2.exe
4424	ratr2.exe
4424	ratr2.exe
4424	ratr2.exe
4424	ratr2.exe
4424	ratr2.exe
4424	ratr2.exe
4424	ratr2.exe
4424	ratr2.exe
4424	ratr2.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

ratr.exeratr2.exe

description pid process

Token: SeDebugPrivilege 1188 ratr.exe
Token: SeDebugPrivilege 4424 ratr2.exe

description	pid	process
Token: SeDebugPrivilege	1188	ratr.exe
Token: SeDebugPrivilege	4424	ratr2.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

7966834c1d2820f4662d2cf896f92b9e219d48f9a96963b5b3efa8be1a72c809.exe7966834c1d2820f4662d2cf896f92b9e219d48f9a96963b5b3efa8be1a72c809.execmd.execmd.exe

description	pid	process	target process
PID 3944 wrote to memory of 2868	3944	7966834c1d2820f4662d2cf896f92b9e219d48f9a96963b5b3efa8be1a72c809.exe	7966834c1d2820f4662d2cf896f92b9e219d48f9a96963b5b3efa8be1a72c809.exe
PID 3944 wrote to memory of 2868	3944	7966834c1d2820f4662d2cf896f92b9e219d48f9a96963b5b3efa8be1a72c809.exe	7966834c1d2820f4662d2cf896f92b9e219d48f9a96963b5b3efa8be1a72c809.exe
PID 2868 wrote to memory of 652	2868	7966834c1d2820f4662d2cf896f92b9e219d48f9a96963b5b3efa8be1a72c809.exe	cmd.exe
PID 2868 wrote to memory of 652	2868	7966834c1d2820f4662d2cf896f92b9e219d48f9a96963b5b3efa8be1a72c809.exe	cmd.exe
PID 652 wrote to memory of 1188	652	cmd.exe	ratr.exe
PID 652 wrote to memory of 1188	652	cmd.exe	ratr.exe
PID 2868 wrote to memory of 4020	2868	7966834c1d2820f4662d2cf896f92b9e219d48f9a96963b5b3efa8be1a72c809.exe	cmd.exe
PID 2868 wrote to memory of 4020	2868	7966834c1d2820f4662d2cf896f92b9e219d48f9a96963b5b3efa8be1a72c809.exe	cmd.exe
PID 4020 wrote to memory of 4424	4020	cmd.exe	ratr2.exe
PID 4020 wrote to memory of 4424	4020	cmd.exe	ratr2.exe

C:\Users\Admin\AppData\Local\Temp\7966834c1d2820f4662d2cf896f92b9e219d48f9a96963b5b3efa8be1a72c809.exe
"C:\Users\Admin\AppData\Local\Temp\7966834c1d2820f4662d2cf896f92b9e219d48f9a96963b5b3efa8be1a72c809.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3944
- C:\Users\Admin\AppData\Local\Temp\7966834c1d2820f4662d2cf896f92b9e219d48f9a96963b5b3efa8be1a72c809.exe
  "C:\Users\Admin\AppData\Local\Temp\7966834c1d2820f4662d2cf896f92b9e219d48f9a96963b5b3efa8be1a72c809.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2868
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\\ratr.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:652
  - - C:\ratr.exe
      C:\\ratr.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1188
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\\ratr2.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4020
  - - C:\ratr2.exe
      C:\\ratr2.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4424

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:4968

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:4796

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI39442\VCRUNTIME140.dll

Filesize
93KB

MD5
4a365ffdbde27954e768358f4a4ce82e

SHA1
a1b31102eee1d2a4ed1290da2038b7b9f6a104a3

SHA256
6a0850419432735a98e56857d5cfce97e9d58a947a9863ca6afadd1c7bcab27c

SHA512
54e4b6287c4d5a165509047262873085f50953af63ca0dcb7649c22aba5b439ab117a7e0d6e7f0a3e51a23e28a255ffd1ca1ddce4b2ea7f87bca1c9b0dbe2722

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39442\_bz2.pyd

Filesize
84KB

MD5
e91b4f8e1592da26bacaceb542a220a8

SHA1
5459d4c2147fa6db75211c3ec6166b869738bd38

SHA256
20895fa331712701ebfdbb9ab87e394309e910f1d782929fd65b59ed76d9c90f

SHA512
cb797fa758c65358e5b0fef739181f6b39e0629758a6f8d5c4bd7dc6422001769a19df0c746724fb2567a58708b18bbd098327bfbdf3378426049b113eb848e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39442\_decimal.pyd

Filesize
264KB

MD5
65287fd87a64bc756867a1afddec9e29

SHA1
cda1db353f81df7a4a818add8f87bca9ac840455

SHA256
df19c2e6ec3145166fa8d206c11db78bc1979a027105c4f21d40410b5082ba34

SHA512
3e3f19cf965b260ffc68e45d5101234e8a957411c076a0d487d307dcfa714a9801cb501224fe7621937aebdf90275f655c8a70dd6675bcfb5374404fda53236f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39442\_hashlib.pyd

Filesize
64KB

MD5
7c69cb3cb3182a97e3e9a30d2241ebed

SHA1
1b8754ff57a14c32bcadc330d4880382c7fffc93

SHA256
12a84bacb071b1948a9f751ac8d0653ba71a8f6b217a69fe062608e532065c20

SHA512
96dbabbc6b98d473cbe06dcd296f6c6004c485e57ac5ba10560a377393875192b22df8a7103fe4a22795b8d81b8b0ae14ce7646262f87cb609b9e2590a93169e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39442\_lzma.pyd

Filesize
159KB

MD5
493c33ddf375b394b648c4283b326481

SHA1
59c87ee582ba550f064429cb26ad79622c594f08

SHA256
6384ded31408788d35a89dc3f7705ea2928f6bbdeb8b627f0d1b2d7b1ea13e16

SHA512
a4a83f04c7fc321796ce6a932d572dca1ad6ecefd31002320aeaa2453701ed49ef9f0d9ba91c969737565a6512b94fbb0311aee53d355345a03e98f43e6f98b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39442\_socket.pyd

Filesize
78KB

MD5
fd1cfe0f0023c5780247f11d8d2802c9

SHA1
5b29a3b4c6edb6fa176077e1f1432e3b0178f2bc

SHA256
258a5f0b4d362b2fed80b24eeabcb3cdd1602e32ff79d87225da6d15106b17a6

SHA512
b304a2e56829a557ec401c6fdda78d6d05b7495a610c1ed793d6b25fc5af891cb2a1581addb27ab5e2a6cb0be24d9678f67b97828015161bc875df9b7b5055ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39442\base_library.zip

Filesize
826KB

MD5
2abe470164e060916c6842da1263e5ad

SHA1
197163bfb26ce54420fa6eba03cf0fa0a5622934

SHA256
151a4c8ea261130b5ae94653e5470ac6fe4663de269c187b2b38d6fccadc1baa

SHA512
01e2c58b24f7d3d7b31df97c6dbe8aee0c0f61f457c78d62830fa954c17dffb74b4e5389ef389926b5ba78f96deb08ad4cd61c9ecea256bf35e0a99cd2366d65

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39442\libcrypto-1_1.dll

Filesize
3.2MB

MD5
89511df61678befa2f62f5025c8c8448

SHA1
df3961f833b4964f70fcf1c002d9fd7309f53ef8

SHA256
296426e7ce11bc3d1cfa9f2aeb42f60c974da4af3b3efbeb0ba40e92e5299fdf

SHA512
9af069ea13551a4672fdd4635d3242e017837b76ab2815788148dd4c44b4cf3a650d43ac79cd2122e1e51e01fb5164e71ff81a829395bdb8e50bb50a33f0a668

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39442\main.zip

Filesize
208KB

MD5
c4fb73e67344c88e206706eb922f5641

SHA1
f1517c2248403f9be5915f98db4388432143c8b3

SHA256
d5115446f3fd97f01ccf0fbf4b52aee5c6f03859b996ac7615d518170e809523

SHA512
9a796b4a08ff48bde8a97414b503969b8a7290ff3d55ff021dd6aabdec50014001513dc73b897e0db02e8ddc8931cafe526de036cb1404d2755c2a266521b5d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39442\python39.dll

Filesize
4.3MB

MD5
5cd203d356a77646856341a0c9135fc6

SHA1
a1f4ac5cc2f5ecb075b3d0129e620784814a48f7

SHA256
a56afcf5f3a72769c77c3bc43c9b84197180a8b3380b6258073223bfd72ed47a

SHA512
390008d57fa711d7c88b77937bf16fdb230e7c1e7182faea6d7c206e9f65ced6f2e835f9da9befb941e80624abe45875602e0e7ad485d9a009d2450a2a0e0f1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39442\select.pyd

Filesize
28KB

MD5
0e3cf5d792a3f543be8bbc186b97a27a

SHA1
50f4c70fce31504c6b746a2c8d9754a16ebc8d5e

SHA256
c7ffae6dc927cf10ac5da08614912bb3ad8fc52aa0ef9bc376d831e72dd74460

SHA512
224b42e05b4dbdf7275ee7c5d3eb190024fc55e22e38bd189c1685efee2a3dd527c6dfcb2feeec525b8d6dc35aded1eac2423ed62bb2599bb6a9ea34e842c340

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39442\unicodedata.pyd

Filesize
1.1MB

MD5
7af51031368619638cca688a7275db14

SHA1
64e2cc5ac5afe8a65af690047dc03858157e964c

SHA256
7f02a99a23cc3ff63ecb10ba6006e2da7bf685530bad43882ebf90d042b9eeb6

SHA512
fbde24501288ff9b06fc96faff5e7a1849765df239e816774c04a4a6ef54a0c641adf4325bfb116952082d3234baef12288174ad8c18b62407109f29aa5ab326

Download Submit
C:\ratr.exe

Filesize
104KB

MD5
39ebf1fa3dc3ba33a2a12e83256136e6

SHA1
32115654f5e8f2f51afd99c2b0c6d777408a1204

SHA256
f08a8a27a2c2d9b8afabcfb5665a5ad196a93313676ed1e7fb566e6380fd50fa

SHA512
12b8c855bbe44fadcb6c9dc380a4f8f1095e070b759b8cc0e37e17993aa7f0da456c5cdf2c487980d62aa8ad2e54c7488aad2f1e569f5143e34e48091e61c6e7

Download Submit
memory/1188-34-0x00007FFFEF2C0000-0x00007FFFEFD81000-memory.dmp

Filesize
10.8MB

Download
memory/1188-33-0x0000000000EA0000-0x0000000000EC0000-memory.dmp

Filesize
128KB

Download
memory/1188-35-0x000000001BD40000-0x000000001BD50000-memory.dmp

Filesize
64KB

Download
memory/1188-36-0x00007FFFEF2C0000-0x00007FFFEFD81000-memory.dmp

Filesize
10.8MB

Download
memory/1188-38-0x00007FFFEF2C0000-0x00007FFFEFD81000-memory.dmp

Filesize
10.8MB

Download
memory/4424-42-0x00007FFFEF2C0000-0x00007FFFEFD81000-memory.dmp

Filesize
10.8MB

Download
memory/4424-43-0x0000000002260000-0x0000000002270000-memory.dmp

Filesize
64KB

Download
memory/4424-45-0x00007FFFEF2C0000-0x00007FFFEFD81000-memory.dmp

Filesize
10.8MB

Download