phemedrone | c8431f6620fb1f7e2404f33562347d83ad660106659c3143d00f3b699dee454e

Analysis

max time kernel
135s
max time network
141s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
24-08-2024 16:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

XBinderOutput.exe
Size

568KB
MD5

43ebcf641eac11f8012145d44733cc0a
SHA1

e1776ddd0a23987ca149e74cccd8e9372b7f27c5
SHA256

c8431f6620fb1f7e2404f33562347d83ad660106659c3143d00f3b699dee454e
SHA512

2379be5b09810007668b11fe58d3d1d575c1f2acd9962803147890a3d32ade8a982584e42d18c08b320043136991014f2f6ed09e8bfb238f555694d859f42aa2
SSDEEP

12288:YP5B0nVtH35fFWAZdfJxLswLlXfUX05oEOj2X0GuI:YP5B0nVnZZJxLxL+SoEl

Score

10^/10

phemedrone xworm credential_access execution persistence rat spyware stealer trojan

Malware Config

Extracted

Family

xworm

Version

5.0

rules-views.at.ply.gg:21974

Mutex

Uf6Nl0qMPg6NLqce

Attributes

Install_directory
%LocalAppData%
install_file
svchost.exe

aes.plain

Extracted

Family

phemedrone

https://api.telegram.org/bot7375773294:AAFZUnpXCxGuVizu2hOj5WMYl9ULnbeqZ6c/sendDocument

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral2/files/0x000a0000000233df-31.dat	family_xworm
behavioral2/memory/4012-38-0x0000000000520000-0x0000000000530000-memory.dmp	family_xworm

Phemedrone
An information and wallet stealer written in C#.
stealer phemedrone
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1972	powershell.exe
376	powershell.exe
1200	powershell.exe
3656	powershell.exe
3448	powershell.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	XBinderOutput.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	Output.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	svchost.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk	svchost.exe

Executes dropped EXE 4 IoCs

pid	Process
3648	Output.exe
1344	launcher.exe
4012	svchost.exe
2096	Gazofom.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.exe"	Output.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Local\\svchost.exe"	svchost.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
25	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
2020	timeout.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
376	powershell.exe
376	powershell.exe
1200	powershell.exe
1200	powershell.exe
1200	powershell.exe
3656	powershell.exe
3656	powershell.exe
3656	powershell.exe
3448	powershell.exe
3448	powershell.exe
3448	powershell.exe
1972	powershell.exe
1972	powershell.exe
1972	powershell.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	4012	svchost.exe
Token: SeDebugPrivilege	376	powershell.exe
Token: SeDebugPrivilege	2096	Gazofom.exe
Token: SeDebugPrivilege	1200	powershell.exe
Token: SeDebugPrivilege	3656	powershell.exe
Token: SeDebugPrivilege	3448	powershell.exe
Token: SeDebugPrivilege	1972	powershell.exe
Token: SeDebugPrivilege	4012	svchost.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 3352 wrote to memory of 3648	3352	XBinderOutput.exe	89
PID 3352 wrote to memory of 3648	3352	XBinderOutput.exe	89
PID 3352 wrote to memory of 1344	3352	XBinderOutput.exe	90
PID 3352 wrote to memory of 1344	3352	XBinderOutput.exe	90
PID 1344 wrote to memory of 1552	1344	launcher.exe	93
PID 1344 wrote to memory of 1552	1344	launcher.exe	93
PID 3648 wrote to memory of 4012	3648	Output.exe	95
PID 3648 wrote to memory of 4012	3648	Output.exe	95
PID 3648 wrote to memory of 376	3648	Output.exe	96
PID 3648 wrote to memory of 376	3648	Output.exe	96
PID 3648 wrote to memory of 2096	3648	Output.exe	98
PID 3648 wrote to memory of 2096	3648	Output.exe	98
PID 4012 wrote to memory of 1200	4012	svchost.exe	100
PID 4012 wrote to memory of 1200	4012	svchost.exe	100
PID 4012 wrote to memory of 3656	4012	svchost.exe	104
PID 4012 wrote to memory of 3656	4012	svchost.exe	104
PID 4012 wrote to memory of 3448	4012	svchost.exe	106
PID 4012 wrote to memory of 3448	4012	svchost.exe	106
PID 4012 wrote to memory of 1972	4012	svchost.exe	108
PID 4012 wrote to memory of 1972	4012	svchost.exe	108
PID 4012 wrote to memory of 3508	4012	svchost.exe	110
PID 4012 wrote to memory of 3508	4012	svchost.exe	110
PID 3508 wrote to memory of 2020	3508	cmd.exe	112
PID 3508 wrote to memory of 2020	3508	cmd.exe	112

C:\Users\Admin\AppData\Local\Temp\XBinderOutput.exe
"C:\Users\Admin\AppData\Local\Temp\XBinderOutput.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3352
- C:\Users\Admin\AppData\Local\Temp\Output.exe
  "C:\Users\Admin\AppData\Local\Temp\Output.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3648
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    3⤵
    - Checks computer location settings
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4012
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\svchost.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1200
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3656
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\svchost.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3448
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1972
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpFDC9.tmp.bat""
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3508
    - - C:\Windows\system32\timeout.exe
        
        timeout 3
        5⤵
        Delays execution with timeout.exe
        
        PID:2020
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Gazofom.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:376
- - C:\Users\Admin\AppData\Local\Temp\Gazofom.exe
    "C:\Users\Admin\AppData\Local\Temp\Gazofom.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2096
- C:\Users\Admin\AppData\Local\Temp\launcher.exe
  "C:\Users\Admin\AppData\Local\Temp\launcher.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1344
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c pause
    3⤵
    PID:1552

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
98baf5117c4fcec1692067d200c58ab3

SHA1
5b33a57b72141e7508b615e17fb621612cb8e390

SHA256
30bf8496e9a08f4fdfe4767abcd565f92b6da06ca1c7823a70cb7cab16262e51

SHA512
344a70bfc037d54176f12db91f05bf4295bb587a5062fd1febe6f52853571170bd8ef6042cb87b893185bbae1937cf77b679d7970f8cc1c2666b0b7c1b32987d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
62623d22bd9e037191765d5083ce16a3

SHA1
4a07da6872672f715a4780513d95ed8ddeefd259

SHA256
95d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010

SHA512
9a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
ba169f4dcbbf147fe78ef0061a95e83b

SHA1
92a571a6eef49fff666e0f62a3545bcd1cdcda67

SHA256
5ef1421e19fde4bc03cd825dd7d6c0e7863f85fd8f0aa4a4d4f8d555dc7606d1

SHA512
8d2e5e552210dcda684682538bc964fdd8a8ff5b24cc2cc8af813729f0202191f98eb42d38d2355df17ae620fe401aad6ceaedaed3b112fdacd32485a3a0c07c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d14ccefeb263594e60b1765e131f7a3

SHA1
4a9ebdc0dff58645406c40b7b140e1b174756721

SHA256
57cd435c8b2bf10a2c77698301789c032e1b6b623ff1420c72e8bca0b10f1e5c

SHA512
2013a26123f72a4106524fd9d7389ac4654f97033d22707efc084fb2a3ad01c298eb64f01bb64861ab603615022dbe7cfc97475346edb16b3ba72e905127f101

Download Submit
C:\Users\Admin\AppData\Local\Temp\Gazofom.exe

Filesize
121KB

MD5
a577b895c0b1235c56cc7c8ab07c7ed9

SHA1
fa97fd097968e7465ca7dbad87c145b8a05f0ec5

SHA256
681fe60dee1b8a092214eb47364c8885d8797915b95a45341056eae88b74d03f

SHA512
cfa2af322eee9b840b06d3049faff1b86a4280dc6ce287a8fd675af4beb69be3e0d1d76d7b794632f10f305ffaeebf523674f4cf0bb9a96b03639f6a91b95300

Download Submit
C:\Users\Admin\AppData\Local\Temp\Output.exe

Filesize
88KB

MD5
1d5de6633597e967fa624860a9c11381

SHA1
d5b718eb8dc6dd145c9a55a0a697a94cf071492d

SHA256
55f04f3aab2ae05b415095b2037ed4fce36c931bdbbd49292f3f3f4e886e5143

SHA512
698c2a4428f3768de63e8dc6681d9947386d17827055b1ec446b609a109bc78a6a5239f66aad60b779e67009242e9b117c7c3fe7a7fa9cac9bfb717e1ca7ab29

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vvsunlhb.y2s.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\launcher.exe

Filesize
554KB

MD5
286b036bd6c0997b62a62814557682f2

SHA1
e1668d95aafe78ae05a785875295ebc01d7e9b8d

SHA256
3957d721c4b3b0b187e938ee685aa978ca30d657217497ed8e511ebef0d23371

SHA512
4b18ebffdd5775e933a6e354fae565529c5943b686d9b91a310b4cb3328a3aab39ff9579d169c258c14a42c4fc1293e7773e6d817e69d72481a542462f51182b

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
41KB

MD5
0048340fff78be30551177578c67992c

SHA1
383f3b2aaa956cdc0c9e234206bb826b48c0f2e8

SHA256
485b7bf5819e548ad07e9911f2874f40fba29c799bc5f1d71fa3f4d7546f7a79

SHA512
14180da6327c37cf434918b95dc12bcf5a1865eb16df58b665f85becbefa4ea94a5c49f631ebbaeb394b789d1310f3ee3b871a93aef13cf6d68adbfd7ce874dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpFDC9.tmp.bat

Filesize
159B

MD5
43790ca73c8ddc5d85e177f2ec85e48a

SHA1
019a012586a70786a9abecbf0358a6cd0d4dbecc

SHA256
ff7afbde33712c226b260946d10b1fc3a945bba508fea6808ceffcc5dc329520

SHA512
969d0698c9c79a9773ef2e70bf0dac58ebba0dd1b2574410416df89ae0d10fc6af302d38402cc305e17f0c00646f8e73db89d9f174c3e3fc5fb058493698709a

Download Submit
memory/376-39-0x00000145AC290000-0x00000145AC2B2000-memory.dmp

Filesize
136KB

Download
memory/2096-63-0x0000000000780000-0x00000000007A4000-memory.dmp

Filesize
144KB

Download
memory/3352-24-0x00007FFE65090000-0x00007FFE65B51000-memory.dmp

Filesize
10.8MB

Download
memory/3352-10-0x00007FFE65090000-0x00007FFE65B51000-memory.dmp

Filesize
10.8MB

Download
memory/3352-0-0x00007FFE65093000-0x00007FFE65095000-memory.dmp

Filesize
8KB

Download
memory/3352-1-0x0000000000480000-0x0000000000514000-memory.dmp

Filesize
592KB

Download
memory/3648-64-0x00007FFE65090000-0x00007FFE65B51000-memory.dmp

Filesize
10.8MB

Download
memory/3648-27-0x00007FFE65090000-0x00007FFE65B51000-memory.dmp

Filesize
10.8MB

Download
memory/3648-23-0x00007FFE65090000-0x00007FFE65B51000-memory.dmp

Filesize
10.8MB

Download
memory/3648-21-0x00000000001E0000-0x00000000001FC000-memory.dmp

Filesize
112KB

Download
memory/4012-38-0x0000000000520000-0x0000000000530000-memory.dmp

Filesize
64KB

Download