Overview
10  Static
3   Imperium.exe (windows7-x64)
10  Imperium.exe (windows10-2004-x64)
1   advpack.dll (windows10-2004-x64)
1   aeevts.dll (windows10-2004-x64)
1   aeinv.dll (windows10-2004-x64)
1   aeinvext.dll (windows10-2004-x64)
1   aemarebackup.dll (windows10-2004-x64)
1   aepic.dll (windows10-2004-x64)
1   agentactiv...me.dll (windows10-2004-x64)
Analysis
max time kernel: 148s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 04-12-2024 15:07
Static task: static1
Behavioral task behavioral1: Sample Imperium.exe, Resource win7-20240903-en
Behavioral task behavioral2: Sample Imperium.exe, Resource win10v2004-20241007-en
Behavioral task behavioral3: Sample advpack.dll, Resource win10v2004-20241007-en
Behavioral task behavioral4: Sample aeevts.dll, Resource win10v2004-20241007-en
Behavioral task behavioral5: Sample aeinv.dll, Resource win10v2004-20241007-en
Behavioral task behavioral6: Sample aeinvext.dll, Resource win10v2004-20241007-en
Behavioral task behavioral7: Sample aemarebackup.dll, Resource win10v2004-20241007-en
Behavioral task behavioral8: Sample aepic.dll, Resource win10v2004-20241007-en
Behavioral task behavioral9: Sample agentactivationruntime.dll, Resource win10v2004-20241007-en
General
Target: Imperium.exe
Size: 895KB
MD5: 2e627886f546dec55fd0243de22f966e
SHA1: 32bcbfd80baef07a2e05b8ed673a469741b74828
SHA256: fe21d4c63aa2ec21a4311955decfcf4d8dd7ec73bc9fa07655e14de6762489e7
SHA512: 9642e596de2c2f2995180d5c4ec87619b10aaad1ca846eff55ed9c32c513b6994f47d87b3dc52e7a9f5990c4bac019d57dc8bcb3ea6381a43a176169067fdb3d
SSDEEP: 12288:Wh1Lk70TnvjcQexF/3hr9mvqXO/bW8/1Ci9uJ41I8opwxcHXi2jlXWnbkQ:6k70Trc7F/3aWO98PZUqXieXWnb
Malware Config
Extracted
phemedrone
https://www.plufferr.com/api/send.php
Signatures

Phemedrone
An information and wallet stealer written in C#.

Phemedrone family

.NET Reactor protector (35 IoCs)
Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.
Unsecured Credentials: Credentials In Files (1 TTP)
Steal credentials from unsecured files.

Suspicious use of SetThreadContext (1 IoC)
description | pid | Process | procid_target
PID 5112 set thread context of 880 | 5112 | Imperium.exe | 83
System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Imperium.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | MSBuild.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid | Process
880 | MSBuild.exe
880 | MSBuild.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 5112 | Imperium.exe
Token: SeDebugPrivilege | 880 | MSBuild.exe

Suspicious use of WriteProcessMemory (8 IoCs)
description | pid | Process | procid_target
PID 5112 wrote to memory of 880 | 5112 | Imperium.exe | 83
PID 5112 wrote to memory of 880 | 5112 | Imperium.exe | 83
PID 5112 wrote to memory of 880 | 5112 | Imperium.exe | 83
PID 5112 wrote to memory of 880 | 5112 | Imperium.exe | 83
PID 5112 wrote to memory of 880 | 5112 | Imperium.exe | 83
PID 5112 wrote to memory of 880 | 5112 | Imperium.exe | 83
PID 5112 wrote to memory of 880 | 5112 | Imperium.exe | 83
PID 5112 wrote to memory of 880 | 5112 | Imperium.exe | 83
Processes
1. C:\Users\Admin\AppData\Local\Temp\Imperium.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\Imperium.exe"
   PID: 5112
   - Suspicious use of SetThreadContext
   - System Location Discovery: System Language Discovery
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      PID: 880
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken