phemedrone | 8664e6d9a120c7eedb3cd40f9e1a16a594cc6bf099b38b6d93181b4469fb9175 | Triage

Submit
Reports

Overview

overview

Static

static

3

launcher.exe

windows10-2004-x64

Sharing

General

Target

launcher.exe
Size

291KB
Sample

240916-tq5wnsxcrj
MD5

11501a69ddf54287446e4cffa4d268a3
SHA1

09bab84093ed44ec38bc240459c9e1905762110f
SHA256

8664e6d9a120c7eedb3cd40f9e1a16a594cc6bf099b38b6d93181b4469fb9175
SHA512

bb7990605ef8c5419cfbf05cb16dd03c1c7b0ea95ca179e8abb8aff99df50fc15e4231ba98e82204d704880b6476b92212d0b3a2e9dbffe56e8b480b80554c5d
SSDEEP

6144:K8emLf5K/nSiKWiB3XjdOwkL1xOivj0MW1WQ9mLtf6TUIa1bq/KMw:HeAxKPPiB3zEjLPl0MWkf6J

Score

10^/10

phemedrone xworm execution rat stealer trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

launcher.exe

Resource

win10v2004-20240802-en

phemedrone xworm execution rat stealer trojan

windows10-2004-x64

14 signatures

150 seconds

Malware Config

Extracted

Family

phemedrone

C2

https://api.telegram.org/bot7093178471:AAF2vSzsv_7VHw_mw-hRkrEjGXZZ0VRp1-c/sendDocument

Targets

- Target
  
  launcher.exe
- Size
  
  291KB
- MD5
  
  11501a69ddf54287446e4cffa4d268a3
- SHA1
  
  09bab84093ed44ec38bc240459c9e1905762110f
- SHA256
  
  8664e6d9a120c7eedb3cd40f9e1a16a594cc6bf099b38b6d93181b4469fb9175
- SHA512
  
  bb7990605ef8c5419cfbf05cb16dd03c1c7b0ea95ca179e8abb8aff99df50fc15e4231ba98e82204d704880b6476b92212d0b3a2e9dbffe56e8b480b80554c5d
- SSDEEP
  
  6144:K8emLf5K/nSiKWiB3XjdOwkL1xOivj0MW1WQ9mLtf6TUIa1bq/KMw:HeAxKPPiB3zEjLPl0MWkf6J
Score

10^/10

phemedrone xworm execution rat stealer trojan
- Detect Xworm Payload
- Phemedrone
  An information and wallet stealer written in C#.
  stealer phemedrone
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Scheduled Task

Persistence

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Scheduled Task/Job

Scheduled Task

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

phemedronexwormexecutionratstealertrojan

© 2018-2024

Terms | Privacy