phemedrone | 8586e26ad8c071ae7aed383edf5bef7e1d48f6e019c05b90eaa0a24e592fafd9

Analysis

max time kernel
134s
max time network
103s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
27-08-2024 17:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8586e26ad8c071ae7aed383edf5bef7e1d48f6e019c05b90eaa0a24e592fafd9.exe
Size

5.3MB
MD5

6b69cf13f7d2893d69dfaa7ee310b219
SHA1

ea654e62b0a82ed8f4983bceedf1afeedf1a79e8
SHA256

8586e26ad8c071ae7aed383edf5bef7e1d48f6e019c05b90eaa0a24e592fafd9
SHA512

3bc88ce6e5293ff8c9dec3639dc3fc918bee6780e89c0d0e739e750cb9aaf686fe04b2ace630fa3d0445aced6e80e0508be69b997cee9496ee17f4dce035bc05
SSDEEP

98304:R38h3epzb71QGQCPDbZfx8ayCb7BJ5mjwNwwMeZYobSr+v+Z7OGGdJ:R36sdQmRJ8aycBIGpEogKGGd

Score

10^/10

phemedrone credential_access execution spyware stealer

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://github.com/JouxJo2/Fps-Boost/raw/main/Boost.exe

Extracted

Family

phemedrone

https://api.telegram.org/bot6402323442:AAFWbeqB_G8dGNlKcdmB4xeKrL6UBjOz4fg/sendDocument

Signatures

Phemedrone
An information and wallet stealer written in C#.
stealer phemedrone
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003
Blocklisted process makes network request 2 IoCs

Processes:

powershell.exe

flow pid process

25 2444 powershell.exe
27 2444 powershell.exe
Downloads MZ/PE file
Executes dropped EXE 1 IoCs

Processes:

Boost.exe

pid process

4936 Boost.exe

flow	pid	process
25	2444	powershell.exe
27	2444	powershell.exe

pid	process
4936	Boost.exe

Loads dropped DLL 6 IoCs

Processes:

8586e26ad8c071ae7aed383edf5bef7e1d48f6e019c05b90eaa0a24e592fafd9.exe

pid	process
1816	8586e26ad8c071ae7aed383edf5bef7e1d48f6e019c05b90eaa0a24e592fafd9.exe
1816	8586e26ad8c071ae7aed383edf5bef7e1d48f6e019c05b90eaa0a24e592fafd9.exe
1816	8586e26ad8c071ae7aed383edf5bef7e1d48f6e019c05b90eaa0a24e592fafd9.exe
1816	8586e26ad8c071ae7aed383edf5bef7e1d48f6e019c05b90eaa0a24e592fafd9.exe
1816	8586e26ad8c071ae7aed383edf5bef7e1d48f6e019c05b90eaa0a24e592fafd9.exe
1816	8586e26ad8c071ae7aed383edf5bef7e1d48f6e019c05b90eaa0a24e592fafd9.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

26 raw.githubusercontent.com
27 raw.githubusercontent.com
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Using powershell.exe command.
execution

PowerShell
T1059.001

Processes:

powershell.exe

pid process

2444 powershell.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exe

pid process

2444 powershell.exe
2444 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exeBoost.exe

description pid process

Token: SeDebugPrivilege 2444 powershell.exe
Token: SeDebugPrivilege 4936 Boost.exe

flow	ioc
26	raw.githubusercontent.com
27	raw.githubusercontent.com

pid	process
2444	powershell.exe

pid	process
2444	powershell.exe
2444	powershell.exe

description	pid	process
Token: SeDebugPrivilege	2444	powershell.exe
Token: SeDebugPrivilege	4936	Boost.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

8586e26ad8c071ae7aed383edf5bef7e1d48f6e019c05b90eaa0a24e592fafd9.exe8586e26ad8c071ae7aed383edf5bef7e1d48f6e019c05b90eaa0a24e592fafd9.exepowershell.exe

description	pid	process	target process
PID 4636 wrote to memory of 1816	4636	8586e26ad8c071ae7aed383edf5bef7e1d48f6e019c05b90eaa0a24e592fafd9.exe	8586e26ad8c071ae7aed383edf5bef7e1d48f6e019c05b90eaa0a24e592fafd9.exe
PID 4636 wrote to memory of 1816	4636	8586e26ad8c071ae7aed383edf5bef7e1d48f6e019c05b90eaa0a24e592fafd9.exe	8586e26ad8c071ae7aed383edf5bef7e1d48f6e019c05b90eaa0a24e592fafd9.exe
PID 1816 wrote to memory of 2444	1816	8586e26ad8c071ae7aed383edf5bef7e1d48f6e019c05b90eaa0a24e592fafd9.exe	powershell.exe
PID 1816 wrote to memory of 2444	1816	8586e26ad8c071ae7aed383edf5bef7e1d48f6e019c05b90eaa0a24e592fafd9.exe	powershell.exe
PID 2444 wrote to memory of 4936	2444	powershell.exe	Boost.exe
PID 2444 wrote to memory of 4936	2444	powershell.exe	Boost.exe
PID 1816 wrote to memory of 868	1816	8586e26ad8c071ae7aed383edf5bef7e1d48f6e019c05b90eaa0a24e592fafd9.exe	cmd.exe
PID 1816 wrote to memory of 868	1816	8586e26ad8c071ae7aed383edf5bef7e1d48f6e019c05b90eaa0a24e592fafd9.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\8586e26ad8c071ae7aed383edf5bef7e1d48f6e019c05b90eaa0a24e592fafd9.exe
"C:\Users\Admin\AppData\Local\Temp\8586e26ad8c071ae7aed383edf5bef7e1d48f6e019c05b90eaa0a24e592fafd9.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4636

C:\Users\Admin\AppData\Local\Temp\8586e26ad8c071ae7aed383edf5bef7e1d48f6e019c05b90eaa0a24e592fafd9.exe
"C:\Users\Admin\AppData\Local\Temp\8586e26ad8c071ae7aed383edf5bef7e1d48f6e019c05b90eaa0a24e592fafd9.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1816

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -ExecutionPolicy Bypass -File C:\Users\Admin\AppData\Local\Temp\tmp3ow6ykod.ps1
3⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2444

C:\Users\Admin\AppData\Local\Temp\Boost.exe
"C:\Users\Admin\AppData\Local\Temp\Boost.exe"
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4936

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
3⤵
PID:868

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Boost.exe
Filesize
122KB

MD5
28bef54bbff157aa133c641580007a84

SHA1
d911f3e774104f0143ebda3af72d38669860bb57

SHA256
116b4f3a72b2b5252e11a6fe3a431f3fde7db1c1c354d5546531763db55cf574

SHA512
32d871a0fb5953de118fb3d05359246b69abb438c8cae493b2442799424afad62bc2cb40a80c659302703a702718792bf327c1ddb1e227e0df42199e086e24a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46362\VCRUNTIME140.dll
Filesize
106KB

MD5
870fea4e961e2fbd00110d3783e529be

SHA1
a948e65c6f73d7da4ffde4e8533c098a00cc7311

SHA256
76fdb83fde238226b5bebaf3392ee562e2cb7ca8d3ef75983bf5f9d6c7119644

SHA512
0b636a3cdefa343eb4cb228b391bb657b5b4c20df62889cd1be44c7bee94ffad6ec82dc4db79949edef576bff57867e0d084e0a597bf7bf5c8e4ed1268477e88

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46362\_bz2.pyd
Filesize
81KB

MD5
bbe89cf70b64f38c67b7bf23c0ea8a48

SHA1
44577016e9c7b463a79b966b67c3ecc868957470

SHA256
775fbc6e9a4c7e9710205157350f3d6141b5a9e8f44cb07b3eac38f2789c8723

SHA512
3ee72ba60541116bbca1a62db64074276d40ad8ed7d0ca199a9c51d65c3f0762a8ef6d0e1e9ebf04bf4efe1347f120e4bc3d502dd288339b4df646a59aad0ec1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46362\_ctypes.pyd
Filesize
119KB

MD5
ca4cef051737b0e4e56b7d597238df94

SHA1
583df3f7ecade0252fdff608eb969439956f5c4a

SHA256
e60a2b100c4fa50b0b144cf825fe3cde21a8b7b60b92bfc326cb39573ce96b2b

SHA512
17103d6b5fa84156055e60f9e5756ffc31584cdb6274c686a136291c58ba0be00238d501f8acc1f1ca7e1a1fadcb0c7fefddcb98cedb9dd04325314f7e905df3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46362\_lzma.pyd
Filesize
153KB

MD5
0a94c9f3d7728cf96326db3ab3646d40

SHA1
8081df1dca4a8520604e134672c4be79eb202d14

SHA256
0a70e8546fa6038029f2a3764e721ceebea415818e5f0df6b90d6a40788c3b31

SHA512
6f047f3bdaead121018623f52a35f7e8b38c58d3a9cb672e8056a5274d02395188975de08cabae948e2cc2c1ca01c74ca7bc1b82e2c23d652e952f3745491087

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46362\base_library.zip
Filesize
812KB

MD5
fbd6be906ac7cd45f1d98f5cb05f8275

SHA1
5d563877a549f493da805b4d049641604a6a0408

SHA256
ae35709e6b8538827e3999e61a0345680c5167962296ac7bef62d6b813227fb0

SHA512
1547b02875f3e547c4f5e15c964719c93d7088c7f4fd044f6561bebd29658a54ef044211f9d5cfb4570ca49ed0f17b08011d27fe85914e8c3ea12024c8071e8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46362\libffi-7.dll
Filesize
32KB

MD5
eef7981412be8ea459064d3090f4b3aa

SHA1
c60da4830ce27afc234b3c3014c583f7f0a5a925

SHA256
f60dd9f2fcbd495674dfc1555effb710eb081fc7d4cae5fa58c438ab50405081

SHA512
dc9ff4202f74a13ca9949a123dff4c0223da969f49e9348feaf93da4470f7be82cfa1d392566eaaa836d77dde7193fed15a8395509f72a0e9f97c66c0a096016

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46362\python310.dll
Filesize
4.3MB

MD5
deaf0c0cc3369363b800d2e8e756a402

SHA1
3085778735dd8badad4e39df688139f4eed5f954

SHA256
156cf2b64dd0f4d9bdb346b654a11300d6e9e15a65ef69089923dafc1c71e33d

SHA512
5cac1d92af7ee18425b5ee8e7cd4e941a9ddffb4bc1c12bb8aeabeed09acec1ff0309abc41a2e0c8db101fee40724f8bfb27a78898128f8746c8fe01c1631989

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zicy01ir.qub.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp3ow6ykod.ps1
Filesize
225B

MD5
e3599b7e4cee100e5d2e8e5c9434f092

SHA1
8acb3a58de6f8c68c40e954c19bccadcb3a611ab

SHA256
0477c2009f22f8366f975bcbf839c881bef8279032655fa9b66421f403360605

SHA512
1de9c56669a4e27b627eab64ba75aa59d044ab7eb511511b100bc8d4f82b4b46967345578d838ead8ccbe8066e909100afc85b07d98920b5c2797cf7336ca12e

Download Submit
memory/2444-40-0x00007FFCD0DA0000-0x00007FFCD1861000-memory.dmp

Filesize
10.8MB

Download
memory/2444-41-0x00007FFCD0DA0000-0x00007FFCD1861000-memory.dmp

Filesize
10.8MB

Download
memory/2444-30-0x000002274AB20000-0x000002274AB42000-memory.dmp

Filesize
136KB

Download
memory/2444-29-0x00007FFCD0DA3000-0x00007FFCD0DA5000-memory.dmp

Filesize
8KB

Download
memory/2444-58-0x00007FFCD0DA0000-0x00007FFCD1861000-memory.dmp

Filesize
10.8MB

Download
memory/4936-57-0x00007FFCD0DA0000-0x00007FFCD1861000-memory.dmp

Filesize
10.8MB

Download
memory/4936-56-0x0000000000500000-0x0000000000524000-memory.dmp

Filesize
144KB

Download
memory/4936-59-0x00007FFCD0DA0000-0x00007FFCD1861000-memory.dmp

Filesize
10.8MB

Download