phemedrone | c8431f6620fb1f7e2404f33562347d83ad660106659c3143d00f3b699dee454e

Analysis

max time kernel
122s
max time network
123s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
24-08-2024 16:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

XBinderOutput.exe
Size

568KB
MD5

43ebcf641eac11f8012145d44733cc0a
SHA1

e1776ddd0a23987ca149e74cccd8e9372b7f27c5
SHA256

c8431f6620fb1f7e2404f33562347d83ad660106659c3143d00f3b699dee454e
SHA512

2379be5b09810007668b11fe58d3d1d575c1f2acd9962803147890a3d32ade8a982584e42d18c08b320043136991014f2f6ed09e8bfb238f555694d859f42aa2
SSDEEP

12288:YP5B0nVtH35fFWAZdfJxLswLlXfUX05oEOj2X0GuI:YP5B0nVnZZJxLxL+SoEl

Score

10^/10

phemedrone xworm credential_access execution persistence rat spyware stealer trojan

Malware Config

Extracted

Family

xworm

Version

5.0

rules-views.at.ply.gg:21974

Mutex

Uf6Nl0qMPg6NLqce

Attributes

Install_directory
%LocalAppData%
install_file
svchost.exe

aes.plain

Extracted

Family

phemedrone

https://api.telegram.org/bot7375773294:AAFZUnpXCxGuVizu2hOj5WMYl9ULnbeqZ6c/sendDocument

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x00080000000190d2-19.dat	family_xworm
behavioral1/memory/2864-21-0x00000000001D0000-0x00000000001E0000-memory.dmp	family_xworm

Phemedrone
An information and wallet stealer written in C#.
stealer phemedrone
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
592	powershell.exe
1932	powershell.exe
1064	powershell.exe
2208	powershell.exe
2928	powershell.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk	svchost.exe

Executes dropped EXE 4 IoCs

pid	Process
2388	Output.exe
1704	launcher.exe
2864	svchost.exe
2772	Gazofom.exe

Loads dropped DLL 2 IoCs

pid	Process
2516	XBinderOutput.exe
1956	Process not Found

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.exe"	Output.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Local\\svchost.exe"	svchost.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
7	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
2028	timeout.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2928	powershell.exe
592	powershell.exe
1932	powershell.exe
1064	powershell.exe
2208	powershell.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	2864	svchost.exe
Token: SeDebugPrivilege	2928	powershell.exe
Token: SeDebugPrivilege	2772	Gazofom.exe
Token: SeDebugPrivilege	592	powershell.exe
Token: SeDebugPrivilege	1932	powershell.exe
Token: SeDebugPrivilege	1064	powershell.exe
Token: SeDebugPrivilege	2208	powershell.exe
Token: SeDebugPrivilege	2864	svchost.exe

Suspicious use of WriteProcessMemory 39 IoCs

description	pid	Process	procid_target
PID 2516 wrote to memory of 2388	2516	XBinderOutput.exe	30
PID 2516 wrote to memory of 2388	2516	XBinderOutput.exe	30
PID 2516 wrote to memory of 2388	2516	XBinderOutput.exe	30
PID 2516 wrote to memory of 1704	2516	XBinderOutput.exe	31
PID 2516 wrote to memory of 1704	2516	XBinderOutput.exe	31
PID 2516 wrote to memory of 1704	2516	XBinderOutput.exe	31
PID 1704 wrote to memory of 2824	1704	launcher.exe	33
PID 1704 wrote to memory of 2824	1704	launcher.exe	33
PID 1704 wrote to memory of 2824	1704	launcher.exe	33
PID 2388 wrote to memory of 2864	2388	Output.exe	34
PID 2388 wrote to memory of 2864	2388	Output.exe	34
PID 2388 wrote to memory of 2864	2388	Output.exe	34
PID 2388 wrote to memory of 2928	2388	Output.exe	35
PID 2388 wrote to memory of 2928	2388	Output.exe	35
PID 2388 wrote to memory of 2928	2388	Output.exe	35
PID 2388 wrote to memory of 2772	2388	Output.exe	37
PID 2388 wrote to memory of 2772	2388	Output.exe	37
PID 2388 wrote to memory of 2772	2388	Output.exe	37
PID 2864 wrote to memory of 592	2864	svchost.exe	39
PID 2864 wrote to memory of 592	2864	svchost.exe	39
PID 2864 wrote to memory of 592	2864	svchost.exe	39
PID 2772 wrote to memory of 1728	2772	Gazofom.exe	41
PID 2772 wrote to memory of 1728	2772	Gazofom.exe	41
PID 2772 wrote to memory of 1728	2772	Gazofom.exe	41
PID 2864 wrote to memory of 1932	2864	svchost.exe	42
PID 2864 wrote to memory of 1932	2864	svchost.exe	42
PID 2864 wrote to memory of 1932	2864	svchost.exe	42
PID 2864 wrote to memory of 1064	2864	svchost.exe	44
PID 2864 wrote to memory of 1064	2864	svchost.exe	44
PID 2864 wrote to memory of 1064	2864	svchost.exe	44
PID 2864 wrote to memory of 2208	2864	svchost.exe	46
PID 2864 wrote to memory of 2208	2864	svchost.exe	46
PID 2864 wrote to memory of 2208	2864	svchost.exe	46
PID 2864 wrote to memory of 1464	2864	svchost.exe	49
PID 2864 wrote to memory of 1464	2864	svchost.exe	49
PID 2864 wrote to memory of 1464	2864	svchost.exe	49
PID 1464 wrote to memory of 2028	1464	cmd.exe	51
PID 1464 wrote to memory of 2028	1464	cmd.exe	51
PID 1464 wrote to memory of 2028	1464	cmd.exe	51

C:\Users\Admin\AppData\Local\Temp\XBinderOutput.exe
"C:\Users\Admin\AppData\Local\Temp\XBinderOutput.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2516
- C:\Users\Admin\AppData\Local\Temp\Output.exe
  "C:\Users\Admin\AppData\Local\Temp\Output.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2388
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2864
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\svchost.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:592
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1932
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\svchost.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1064
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2208
  - - C:\Windows\system32\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpE14.tmp.bat""
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1464
    - - C:\Windows\system32\timeout.exe
        
        timeout 3
        5⤵
        Delays execution with timeout.exe
        
        PID:2028
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Gazofom.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2928
- - C:\Users\Admin\AppData\Local\Temp\Gazofom.exe
    "C:\Users\Admin\AppData\Local\Temp\Gazofom.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2772
  - - C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 2772 -s 1596
      4⤵
      PID:1728
- C:\Users\Admin\AppData\Local\Temp\launcher.exe
  "C:\Users\Admin\AppData\Local\Temp\launcher.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1704
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c pause
    3⤵
    PID:2824

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Gazofom.exe

Filesize
121KB

MD5
a577b895c0b1235c56cc7c8ab07c7ed9

SHA1
fa97fd097968e7465ca7dbad87c145b8a05f0ec5

SHA256
681fe60dee1b8a092214eb47364c8885d8797915b95a45341056eae88b74d03f

SHA512
cfa2af322eee9b840b06d3049faff1b86a4280dc6ce287a8fd675af4beb69be3e0d1d76d7b794632f10f305ffaeebf523674f4cf0bb9a96b03639f6a91b95300

Download Submit
C:\Users\Admin\AppData\Local\Temp\Output.exe

Filesize
88KB

MD5
1d5de6633597e967fa624860a9c11381

SHA1
d5b718eb8dc6dd145c9a55a0a697a94cf071492d

SHA256
55f04f3aab2ae05b415095b2037ed4fce36c931bdbbd49292f3f3f4e886e5143

SHA512
698c2a4428f3768de63e8dc6681d9947386d17827055b1ec446b609a109bc78a6a5239f66aad60b779e67009242e9b117c7c3fe7a7fa9cac9bfb717e1ca7ab29

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
41KB

MD5
0048340fff78be30551177578c67992c

SHA1
383f3b2aaa956cdc0c9e234206bb826b48c0f2e8

SHA256
485b7bf5819e548ad07e9911f2874f40fba29c799bc5f1d71fa3f4d7546f7a79

SHA512
14180da6327c37cf434918b95dc12bcf5a1865eb16df58b665f85becbefa4ea94a5c49f631ebbaeb394b789d1310f3ee3b871a93aef13cf6d68adbfd7ce874dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpE14.tmp.bat

Filesize
158B

MD5
378610b77c2b28d35444f4167916f76e

SHA1
8d3e7c5941dfed234524e72f58e054a268314ee6

SHA256
9c0ecb6de04e24613efb7340fd3763b7296ba976677b20434520864fc9fc70d5

SHA512
bdd9e7309ed4d6b86bceba20429803a4af7ff437f96b5f6bc1b0d348f87788f95d7f3eb69d1cbe0e3714d4414962f1ae109c09e9701fc4f3a15e4b487be67d5c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
ce98b48ea1ec0beb740fa995a75ba2c4

SHA1
941073faa696b0ac0d4b3bff1482ebeb4ca7cbba

SHA256
deb204142c2a2106af501b72e5d3385707be463507a18be2efafdd94290f4f86

SHA512
579788caa69e5abe3a459d9d79c3c1209baa35f2d30b75d61346a30080a3060f4e8230c539bfa0c58a28536bbad8c1c9cc502cf3edf5ca017a56916ccbd7c93b

Download Submit
\Users\Admin\AppData\Local\Temp\launcher.exe

Filesize
554KB

MD5
286b036bd6c0997b62a62814557682f2

SHA1
e1668d95aafe78ae05a785875295ebc01d7e9b8d

SHA256
3957d721c4b3b0b187e938ee685aa978ca30d657217497ed8e511ebef0d23371

SHA512
4b18ebffdd5775e933a6e354fae565529c5943b686d9b91a310b4cb3328a3aab39ff9579d169c258c14a42c4fc1293e7773e6d817e69d72481a542462f51182b

Download Submit
memory/592-40-0x000000001B6A0000-0x000000001B982000-memory.dmp

Filesize
2.9MB

Download
memory/592-41-0x00000000021D0000-0x00000000021D8000-memory.dmp

Filesize
32KB

Download
memory/1932-47-0x0000000001E90000-0x0000000001E98000-memory.dmp

Filesize
32KB

Download
memory/2388-15-0x000007FEF60E0000-0x000007FEF6ACC000-memory.dmp

Filesize
9.9MB

Download
memory/2388-12-0x0000000000A00000-0x0000000000A1C000-memory.dmp

Filesize
112KB

Download
memory/2388-34-0x000007FEF60E0000-0x000007FEF6ACC000-memory.dmp

Filesize
9.9MB

Download
memory/2516-14-0x000007FEF60E0000-0x000007FEF6ACC000-memory.dmp

Filesize
9.9MB

Download
memory/2516-0-0x000007FEF60E3000-0x000007FEF60E4000-memory.dmp

Filesize
4KB

Download
memory/2516-1-0x0000000000F40000-0x0000000000FD4000-memory.dmp

Filesize
592KB

Download
memory/2772-33-0x0000000000FC0000-0x0000000000FE4000-memory.dmp

Filesize
144KB

Download
memory/2864-21-0x00000000001D0000-0x00000000001E0000-memory.dmp

Filesize
64KB

Download
memory/2928-27-0x0000000001D20000-0x0000000001D28000-memory.dmp

Filesize
32KB

Download
memory/2928-26-0x000000001B7A0000-0x000000001BA82000-memory.dmp

Filesize
2.9MB

Download