phemedrone | 08d9d4e6489dc5b05a6caa434fc36ad6c1bd8c8eb08888f61cbed094eac6cb37

General

Target

08d9d4e6489dc5b05a6caa434fc36ad6c1bd8c8eb08888f61cbed094eac6cb37.exe
Size

698KB
MD5

150df9d8d8d7dfa6806fd746f5046278
SHA1

145d6bfa4eeceaf3c91e05a955c3ca77ee62fca2
SHA256

08d9d4e6489dc5b05a6caa434fc36ad6c1bd8c8eb08888f61cbed094eac6cb37
SHA512

f92b5be8839e01d35dfc6e8efa645e2307082fdc754370200774b0f502f107a70a1f52913ec43fffa4d234c79edb5ac3e4cdecfaea08df2c1a89102dbfcbaaf9
SSDEEP

12288:PyveQB/fTHIGaPkKEYzURNAwbAgjsYrWu+bsOWFoS7RxYCcvlZ62sHVRj5:PuDXTIGaPhEYzUzA0DrWu6hTMbDksHVT

Score

10^/10

phemedrone credential_access spyware stealer

Malware Config

Extracted

Family

phemedrone

C2

http://89.23.102.24:80/gate.php

Signatures

Phemedrone
An information and wallet stealer written in C#.
stealer phemedrone
Phemedrone family
phemedrone

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

08d9d4e6489dc5b05a6caa434fc36ad6c1bd8c8eb08888f61cbed094eac6cb37.exehelper.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	08d9d4e6489dc5b05a6caa434fc36ad6c1bd8c8eb08888f61cbed094eac6cb37.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	helper.exe

Executes dropped EXE 2 IoCs

Processes:

helper.exesihost.exe

pid process

1000 helper.exe
4652 sihost.exe
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

sihost.exe

pid process

4652 sihost.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

sihost.exe

description pid process

Token: SeDebugPrivilege 4652 sihost.exe

pid	process
1000	helper.exe
4652	sihost.exe

pid	process
4652	sihost.exe

description	pid	process
Token: SeDebugPrivilege	4652	sihost.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

08d9d4e6489dc5b05a6caa434fc36ad6c1bd8c8eb08888f61cbed094eac6cb37.execmd.exehelper.execmd.exe

description	pid	process	target process
PID 3700 wrote to memory of 4128	3700	08d9d4e6489dc5b05a6caa434fc36ad6c1bd8c8eb08888f61cbed094eac6cb37.exe	cmd.exe
PID 3700 wrote to memory of 4128	3700	08d9d4e6489dc5b05a6caa434fc36ad6c1bd8c8eb08888f61cbed094eac6cb37.exe	cmd.exe
PID 4128 wrote to memory of 1000	4128	cmd.exe	helper.exe
PID 4128 wrote to memory of 1000	4128	cmd.exe	helper.exe
PID 1000 wrote to memory of 4572	1000	helper.exe	cmd.exe
PID 1000 wrote to memory of 4572	1000	helper.exe	cmd.exe
PID 4572 wrote to memory of 4652	4572	cmd.exe	sihost.exe
PID 4572 wrote to memory of 4652	4572	cmd.exe	sihost.exe

C:\Users\Admin\AppData\Local\Temp\08d9d4e6489dc5b05a6caa434fc36ad6c1bd8c8eb08888f61cbed094eac6cb37.exe
"C:\Users\Admin\AppData\Local\Temp\08d9d4e6489dc5b05a6caa434fc36ad6c1bd8c8eb08888f61cbed094eac6cb37.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3700

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\ProgramData\Microsoft\UpdateService\2.cmd" "
2⤵
- Suspicious use of WriteProcessMemory
PID:4128

C:\ProgramData\Microsoft\UpdateService\helper.exe
helper.exe -p2024
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1000

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\ProgramData\Microsoft\UpdateService\1.cmd" "
4⤵
- Suspicious use of WriteProcessMemory
PID:4572

C:\ProgramData\Microsoft\UpdateService\sihost.exe
sihost.exe
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4652

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

3

T1552

Credentials In Files

3

T1552.001

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\UpdateService\1.cmd

Filesize
10B

MD5
659bda4383172c5d2ac21b729af13c81

SHA1
66fc9ff0ee96c2b21f0cfded48750ae9e3032bf3

SHA256
185b38ec66134f027a26a9ce666774adeed1ed2f7eb60d73eb03bbe6c0b8ed6c

SHA512
c32d7f6e68ef095f78e90ebb779cc8ff985def52f1b4b1d5804bcbc1d25710145b390caf1bca8d874558ea70b886984a6b15ff77086aa81cab5fef51b6d64659

Download Submit
C:\ProgramData\Microsoft\UpdateService\2.cmd

Filesize
28B

MD5
e5811189f8e9e048198b7ba8f61df071

SHA1
5cbf208238c19ad1b2fa5d4a213adfeecab2df82

SHA256
358b61d0dac44c298fe9ad1a8932976eaab391ec2199f4b2f33999d9408e2743

SHA512
da7aa57b8fafece936e07963583e7e8a9c2b6b04a352750ba26d4514d4a239fa3d8143c0e32ac20ac1437bc6690c6922dbaf835d3eacadff0528b532fe8745ae

Download Submit
C:\ProgramData\Microsoft\UpdateService\helper.exe

Filesize
511KB

MD5
28c2bcc769b519934e2b5957745c7b0d

SHA1
91a9ae91605d3058887e16aba69ac9368dd1a9f8

SHA256
ef7900aed9eb9b4a1ba526f5e4e787cc19aaf00935b54b57e3e2228cd2fb1b4c

SHA512
2978bec2643b4f60417ead9022a253f6584d973b36bd2829e5d74414545487af6d112ce364ba2b08af07dda6c81e1ae0c6453672b2efe4ce0d06884dc59f78d3

Download Submit
C:\ProgramData\Microsoft\UpdateService\sihost.exe

Filesize
138KB

MD5
05cd26a6be48d566af0c8c6d4b7be291

SHA1
8667cf89b4055dd9cab3c7a24cde6cdf3c5efea5

SHA256
ab04c22ab7dc507d43170a1dbe9e179c95685e2165c7c91a3d7487ced92cb464

SHA512
5d3369aa26f35f2b7a6e7d09d86c6aa88900963914387588bc18456d03d9931adddbcefb3337a20eea65afba16bae83e4cda16b704ed36e7fc3fda547a406c2c

Download Submit
memory/4652-20-0x000001A663C90000-0x000001A663CB8000-memory.dmp

Filesize
160KB

Download

Analysis

Sharing