phemedrone

General

Target

Red rp.rar
Size

47.9MB
Sample

240606-ldq8racd3t
MD5

0fc85541d339b28785b614dffc280d65
SHA1

190f04fe928e9c400529d5300465fb80d2285f5d
SHA256

479e80f23b0799ead92adcd6fd52b03a65d73218d55596688817c431afd3df16
SHA512

653c193351a899d8f892e8b21f6f549dfc0c3c3455e0b58c0ce44337316a330877568cb087cb1b8c33d2528900ff0696c67157b1964c9a280e2369505a4368f7
SSDEEP

786432:c4YUTvsd6NYoyh3VoROg1r5fbTyWLH/Hr5fbTy8mYor5fbTy8mYsr5fbTy8mYRL/:mUTvsENrAloRDj/yWLfN/y8mY8/y8mY4

Score

10^/10

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://drive.usercontent.google.com/u/0/uc?id=1ZRO0JMVWlqdCkDiMau3Ea7O_ARtuQLab&export=download

Extracted

Family

phemedrone

C2

https://api.telegram.org/bot7274515778:AAEx4SxiDLjUG8dht4Cac1HVmxqTSwD_yL4/sendDocument

Targets

- Target
  
  Red rp/Info.txt
- Size
  
  118B
- MD5
  
  d23ef20d600b65222c2923db0e00bca7
- SHA1
  
  b373a929772e7f271f85c94b6ad72accea9b56f2
- SHA256
  
  fde6b8381e7ce1650718f24b070ea21e0140ba385593d36d65261dc2497524dc
- SHA512
  
  e926580d882e2839f8ec2aa40901c979a5d796c958d512f51e4bd2def7d50f38410d4bacefec4570420aa7678fb71468d36a9b13d3c71b0dd73eb8ae208ae019
Score

10^/10

phemedrone xmrig bootkit discovery evasion execution miner persistence spyware stealer upx
- Phemedrone
  An information and wallet stealer written in C#.
  stealer phemedrone
- xmrig
  XMRig is a high performance, open source, cross platform CPU/GPU miner.
  miner xmrig
- XMRig Miner payload
  miner
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- Creates new service(s)
  persistence execution
- Downloads MZ/PE file
- Drops file in Drivers directory
- Stops running service(s)
  evasion execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Adds Run key to start application
  persistence
- Checks for any installed AV software in registry
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Legitimate hosting services abused for malware hosting/C2
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1