General

  • Target

    launcher.exe

  • Size

    291KB

  • Sample

    240916-va45waycqd

  • MD5

    11501a69ddf54287446e4cffa4d268a3

  • SHA1

    09bab84093ed44ec38bc240459c9e1905762110f

  • SHA256

    8664e6d9a120c7eedb3cd40f9e1a16a594cc6bf099b38b6d93181b4469fb9175

  • SHA512

    bb7990605ef8c5419cfbf05cb16dd03c1c7b0ea95ca179e8abb8aff99df50fc15e4231ba98e82204d704880b6476b92212d0b3a2e9dbffe56e8b480b80554c5d

  • SSDEEP

    6144:K8emLf5K/nSiKWiB3XjdOwkL1xOivj0MW1WQ9mLtf6TUIa1bq/KMw:HeAxKPPiB3zEjLPl0MWkf6J

Malware Config

Extracted

Family

phemedrone

C2

https://api.telegram.org/bot7093178471:AAF2vSzsv_7VHw_mw-hRkrEjGXZZ0VRp1-c/sendDocument

Targets

    • Detect Xworm Payload

    • Phemedrone

      An information and wallet stealer written in C#.

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v15
