General

  • Target: Output.exe
  • Size: 88KB
  • Sample: 240824-t6kwfazajf
  • MD5: 1d5de6633597e967fa624860a9c11381
  • SHA1: d5b718eb8dc6dd145c9a55a0a697a94cf071492d
  • SHA256: 55f04f3aab2ae05b415095b2037ed4fce36c931bdbbd49292f3f3f4e886e5143
  • SHA512: 698c2a4428f3768de63e8dc6681d9947386d17827055b1ec446b609a109bc78a6a5239f66aad60b779e67009242e9b117c7c3fe7a7fa9cac9bfb717e1ca7ab29
  • SSDEEP: 1536:YSH26AQ95RO4BJULzUrx5yNcG/Ny32UkdBCa7NKuV9N3Y9zaZd:lv5ROihN5yrNyG/dQa7NKul3Y9mZd

Malware Config

Extracted

  • Family: xworm
  • Version: 5.0
  • C2: rules-views.at.ply.gg:21974
  • Mutex: Uf6Nl0qMPg6NLqce
  • Attributes
      • Install_directory: %LocalAppData%
      • install_file: svchost.exe
  • aes.plain

Extracted

  • Family: phemedrone
  • C2: https://api.telegram.org/bot7375773294:AAFZUnpXCxGuVizu2hOj5WMYl9ULnbeqZ6c/sendDocument

Targets

    • Target

      Output.exe

    • Detect Xworm Payload

    • Phemedrone

      An information and wallet stealer written in C#.

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious access to, or copying of, a web browser credential store.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Drops startup file

    • Executes dropped EXE

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • Unsecured Credentials: Credentials In Files

      Steals credentials from unsecured files.

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v15

Tasks