Malware Analysis Report

2024-08-06 14:52

Sample ID 240604-bmqcpsgg89
Target Loader.exe
SHA256 1912bab5a7418443b8685aa3917cd2a8c2ad29d07b6a7c2cc658ecc6ee953160
Tags
phemedrone spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

1912bab5a7418443b8685aa3917cd2a8c2ad29d07b6a7c2cc658ecc6ee953160

Threat Level: Known bad

The file Loader.exe was found to be: Known bad.

Malicious Activity Summary

phemedrone spyware stealer

Phemedrone family

Phemedrone

Reads data files stored by FTP clients

Reads user/profile data of web browsers

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK Matrix V13

Initial Access
TA0001
Execution
TA0002
Persistence
TA0003
Privilege Escalation
TA0004
Defense Evasion
TA0005
Credential Access
TA0006
Unsecured Credentials
T1552
Credentials In Files
T1552.001
Discovery
TA0007
Lateral Movement
TA0008
Collection
TA0009
Data from Local System
T1005
Exfiltration
TA0010
Command and Control
TA0011
Impact
TA0040
Resource Development
TA0042
Reconnaissance
TA0043

Analysis: static1

Detonation Overview

Reported

2024-06-04 01:15

Signatures

Phemedrone family

phemedrone

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-04 01:15

Reported

2024-06-04 01:17

Platform

win11-20240508-en

Max time kernel

33s

Max time network

36s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

Signatures

Phemedrone

stealer phemedrone

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 get.geojs.io udp
US 104.26.1.100:443 get.geojs.io tcp
US 8.8.8.8:53 100.1.26.104.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
NL 149.154.167.220:443 api.telegram.org tcp

Files

memory/1008-0-0x0000000000640000-0x0000000000664000-memory.dmp

memory/1008-1-0x00007FFF96EB3000-0x00007FFF96EB5000-memory.dmp

memory/1008-2-0x00007FFF96EB0000-0x00007FFF97972000-memory.dmp

memory/1008-4-0x00007FFF96EB0000-0x00007FFF97972000-memory.dmp