General

  • Target

    launcher.exe

  • Size

    291KB

  • Sample

    240916-va45waycqd

  • MD5

    11501a69ddf54287446e4cffa4d268a3

  • SHA1

    09bab84093ed44ec38bc240459c9e1905762110f

  • SHA256

    8664e6d9a120c7eedb3cd40f9e1a16a594cc6bf099b38b6d93181b4469fb9175

  • SHA512

    bb7990605ef8c5419cfbf05cb16dd03c1c7b0ea95ca179e8abb8aff99df50fc15e4231ba98e82204d704880b6476b92212d0b3a2e9dbffe56e8b480b80554c5d

  • SSDEEP

    6144:K8emLf5K/nSiKWiB3XjdOwkL1xOivj0MW1WQ9mLtf6TUIa1bq/KMw:HeAxKPPiB3zEjLPl0MWkf6J

Malware Config

Extracted

Family

phemedrone

C2

https://api.telegram.org/bot7093178471:AAF2vSzsv_7VHw_mw-hRkrEjGXZZ0VRp1-c/sendDocument

Targets

    • Target

      launcher.exe

    • Size

      291KB

    • MD5

      11501a69ddf54287446e4cffa4d268a3

    • SHA1

      09bab84093ed44ec38bc240459c9e1905762110f

    • SHA256

      8664e6d9a120c7eedb3cd40f9e1a16a594cc6bf099b38b6d93181b4469fb9175

    • SHA512

      bb7990605ef8c5419cfbf05cb16dd03c1c7b0ea95ca179e8abb8aff99df50fc15e4231ba98e82204d704880b6476b92212d0b3a2e9dbffe56e8b480b80554c5d

    • SSDEEP

      6144:K8emLf5K/nSiKWiB3XjdOwkL1xOivj0MW1WQ9mLtf6TUIa1bq/KMw:HeAxKPPiB3zEjLPl0MWkf6J

    • Detect Xworm Payload

    • Phemedrone

      An information and wallet stealer written in C#.

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v15

Tasks