phemedrone | c6e07d0fcd8eeb4a773ab3e70d4a6b01cb82102fa5f8f7488ebcf59d56e7a65b

Analysis

max time kernel
190s
max time network
297s
platform
windows10-1703_x64
resource
win10-20240611-en
resource tags

arch:x64arch:x86image:win10-20240611-enlocale:en-usos:windows10-1703-x64system
submitted
25-07-2024 23:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Xevupym.exe
Size

95KB
MD5

9e1c25aa4eb36a1657af47408c207e99
SHA1

fb820ddc49ffe6c2e685a02134b9df828c8bbf53
SHA256

c6e07d0fcd8eeb4a773ab3e70d4a6b01cb82102fa5f8f7488ebcf59d56e7a65b
SHA512

b2137d0f3cfa288c317fc1a6e912f64e7c115a86ac9a666a1c565f62902f59338bee38dace8c0a9f1758b390f7af69dfbf92827156b50f04e7ad8909d482eb83
SSDEEP

1536:iEjPTgYjn9dcwqjhhJr7bNTANOVMO557KIOzsBuBjqoZ9EJSDgICOAfefChpyk:iyTgYjn9dcwqjceB557xOw/m9GSsICAi

Score

10^/10

phemedrone credential_access spyware stealer

Malware Config

Extracted

Family

phemedrone

https://api.telegram.org/bot7486088921:AAFsIyc8IlSP_oRKI-pT-_y6GEUTpF4NVC4/sendDocument

Signatures

Phemedrone
An information and wallet stealer written in C#.
stealer phemedrone
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

2 ip-api.com

flow	ioc
2	ip-api.com

Suspicious behavior: EnumeratesProcesses 24 IoCs

Processes:

Xevupym.exe

pid	process
2148	Xevupym.exe
2148	Xevupym.exe
2148	Xevupym.exe
2148	Xevupym.exe
2148	Xevupym.exe
2148	Xevupym.exe
2148	Xevupym.exe
2148	Xevupym.exe
2148	Xevupym.exe
2148	Xevupym.exe
2148	Xevupym.exe
2148	Xevupym.exe
2148	Xevupym.exe
2148	Xevupym.exe
2148	Xevupym.exe
2148	Xevupym.exe
2148	Xevupym.exe
2148	Xevupym.exe
2148	Xevupym.exe
2148	Xevupym.exe
2148	Xevupym.exe
2148	Xevupym.exe
2148	Xevupym.exe
2148	Xevupym.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

Xevupym.exe

description pid process

Token: SeDebugPrivilege 2148 Xevupym.exe

description	pid	process
Token: SeDebugPrivilege	2148	Xevupym.exe

C:\Users\Admin\AppData\Local\Temp\Xevupym.exe
"C:\Users\Admin\AppData\Local\Temp\Xevupym.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2148

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:1408

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2148-0-0x00007FFCA16B3000-0x00007FFCA16B4000-memory.dmp

Filesize
4KB

Download
memory/2148-1-0x00000000009F0000-0x0000000000A0E000-memory.dmp

Filesize
120KB

Download
memory/2148-2-0x00007FFCA16B0000-0x00007FFCA209C000-memory.dmp

Filesize
9.9MB

Download
memory/2148-4-0x00007FFCA16B0000-0x00007FFCA209C000-memory.dmp

Filesize
9.9MB

Download