phemedrone | d49b318ebd36d2d80d20a2339f7ad1a8700b4bfcb8e35e56ef2fbe5d470c79a3

Analysis

max time kernel
36s
max time network
38s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
08-11-2024 12:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Synapse Z.rar
Size

54KB
MD5

2c294b9ab51047dadc1326b5e644cd37
SHA1

b3a6fc9d04d7c84e9dc2159b47cd3dcec0228a1f
SHA256

d49b318ebd36d2d80d20a2339f7ad1a8700b4bfcb8e35e56ef2fbe5d470c79a3
SHA512

0b029f0164d26a8d5301b73a8424e516c13840821c6179ab764b86f9642bdfcd2f998dec31b14d44f2b347da4b26f44055c2424ade654d193cca3e6a91391639
SSDEEP

768:P7Dr4PosmPRTRR0Ll/4+D43SKNfe8S3SYyjEouVr4Kg0Qh9yScnPe6EZX7L:PXzQLR4CKlSXvVr4K4hJcnPuZX

Score

10^/10

phemedrone credential_access spyware stealer

Malware Config

Extracted

Family

phemedrone

https://api.telegram.org/bot7213845603:AAFFyxsyId9av6CCDVB1BCAM5hKLby41Dr8/sendDocument

Signatures

Phemedrone
An information and wallet stealer written in C#.
stealer phemedrone
Phemedrone family
phemedrone

Executes dropped EXE 1 IoCs

pid	Process
1096	Synapse Z.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4316	7zFM.exe
4316	7zFM.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4316	7zFM.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeRestorePrivilege	4316	7zFM.exe
Token: 35	4316	7zFM.exe
Token: SeSecurityPrivilege	4316	7zFM.exe
Token: SeDebugPrivilege	1096	Synapse Z.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
4316	7zFM.exe
4316	7zFM.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 4316 wrote to memory of 1096	4316	7zFM.exe	100
PID 4316 wrote to memory of 1096	4316	7zFM.exe	100

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Synapse Z.rar"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4316
- C:\Users\Admin\AppData\Local\Temp\7zOCD03FFD7\Synapse Z.exe
  "C:\Users\Admin\AppData\Local\Temp\7zOCD03FFD7\Synapse Z.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1096

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zOCD03FFD7\Synapse Z.exe

Filesize
121KB

MD5
6269d12d33e882b6dccf756fa5b1172e

SHA1
4d7be4367c592ad6af5d2e69cb2dbd75f41e9cf9

SHA256
1dc0ff14ed4f413da460555fae083249e26e9b83f3e84c68d71ce0cd96542e05

SHA512
85725fb9ec6fedc05376ab29945d23f4a16f9db477e4df0d65399d44789c365a7bfcff810d4d0ec0db907383938612d45f970723d43aa0622955ddd2e6a27c27

Download Submit
memory/1096-13-0x0000000000420000-0x0000000000444000-memory.dmp

Filesize
144KB

Download
memory/1096-12-0x00007FF8A74D3000-0x00007FF8A74D5000-memory.dmp

Filesize
8KB

Download
memory/1096-14-0x00007FF8A74D0000-0x00007FF8A7F91000-memory.dmp

Filesize
10.8MB

Download
memory/1096-16-0x000000001BBF0000-0x000000001BCF2000-memory.dmp

Filesize
1.0MB

Download
memory/1096-17-0x00007FF8A74D0000-0x00007FF8A7F91000-memory.dmp

Filesize
10.8MB

Download