phemedrone | hxxps://mega[.]nz/file/IH8QWYTL#BcI_WKvxxVeptdcphlAkZYijEWqgdgSVInTUCH0tfkU | Triage

Submit
Reports

Overview

overview

Static

static

1

URLScan

urlscan

https://mega.nz/file...

windows10-2004-x64

Sharing

General

Target

https://mega.nz/file/IH8QWYTL#BcI_WKvxxVeptdcphlAkZYijEWqgdgSVInTUCH0tfkU
Sample

240529-n1nr9aeb33

Score

10^/10

phemedrone xmrig discovery evasion execution miner persistence spyware stealer upx

Static task

static1

URLScan task

urlscan1

Behavioral task

behavioral1

Sample

https://mega.nz/file/IH8QWYTL#BcI_WKvxxVeptdcphlAkZYijEWqgdgSVInTUCH0tfkU

Resource

win10v2004-20240508-en

phemedrone xmrig discovery evasion execution miner persistence spyware stealer upx

windows10-2004-x64

29 signatures

600 seconds

Malware Config

Targets

- Target
  
  https://mega.nz/file/IH8QWYTL#BcI_WKvxxVeptdcphlAkZYijEWqgdgSVInTUCH0tfkU
Score

10^/10

phemedrone xmrig discovery evasion execution miner persistence spyware stealer upx
- Phemedrone
  An information and wallet stealer written in C#.
  stealer phemedrone
- xmrig
  XMRig is a high performance, open source, cross platform CPU/GPU miner.
  miner xmrig
- XMRig Miner payload
  miner
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Creates new service(s)
  persistence execution
- Downloads MZ/PE file
- Stops running service(s)
  evasion execution
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Registers COM server for autorun
  persistence
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
behavioral1

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

System Services

Service Execution

Persistence

Create or Modify System Process

Windows Service

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Create or Modify System Process

Windows Service

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Impair Defenses

Credential Access

Unsecured Credentials

Credentials In Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Service Stop

Resource Development

Reconnaissance

Tasks

static1

urlscan1

behavioral1

phemedronexmrigdiscoveryevasionexecutionminerpersistencespywarestealerupx

© 2018-2024

Terms | Privacy