General

  • Target

    launcher.exe

  • Size

    284KB

  • Sample

    240916-vge5bsygpj

  • MD5

    ec46ff697f5c18c43434dce6236aeaf6

  • SHA1

    c77d4a14822e6c5f7bcffdc0a5e6a1345c948e84

  • SHA256

    bbbab2c33667db752e39cb3b1f8f25268e765f975a2891fb252c71c16f11f62b

  • SHA512

    d065758bf6397d348678c0aae5df77d68188fe55a26557770aa055fa330243050189862651bdbb5dde60d13cdf323f2fc5815d4090294fb9c22b714cd96d07d9

  • SSDEEP

    6144:F8emLf5K/nSiKWiB3XjdOwkL1xO51jwoT98Laf6TUIa1bq/KMw:qeAxKPPiB3zEjLPCUkf6J

Malware Config

Extracted

Family

phemedrone

C2

https://api.telegram.org/bot7093178471:AAF2vSzsv_7VHw_mw-hRkrEjGXZZ0VRp1-c/sendDocument

Targets

    • Target

      launcher.exe

    • Size

      284KB

    • MD5

      ec46ff697f5c18c43434dce6236aeaf6

    • SHA1

      c77d4a14822e6c5f7bcffdc0a5e6a1345c948e84

    • SHA256

      bbbab2c33667db752e39cb3b1f8f25268e765f975a2891fb252c71c16f11f62b

    • SHA512

      d065758bf6397d348678c0aae5df77d68188fe55a26557770aa055fa330243050189862651bdbb5dde60d13cdf323f2fc5815d4090294fb9c22b714cd96d07d9

    • SSDEEP

      6144:F8emLf5K/nSiKWiB3XjdOwkL1xO51jwoT98Laf6TUIa1bq/KMw:qeAxKPPiB3zEjLPCUkf6J

    • Detect Xworm Payload

    • Phemedrone

      An information and wallet stealer written in C#.

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Drops startup file

    • Executes dropped EXE

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v15

Tasks