Analysis

max time kernel: 122s
max time network: 123s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 11-12-2024 06:31
Behavioral task: behavioral1
  Sample: Itaxyhi.exe
  Resource: win7-20240903-en

Behavioral task: behavioral2
  Sample: Itaxyhi.exe
  Resource: win10v2004-20241007-en
General

Target: Itaxyhi.exe
Size: 116KB
MD5: 78c586522f986994aa77c466c9d678a8
SHA1: 4b9b13c3782ae532a140a33ba673dc65a37aa882
SHA256: 498ac6b747691eb456fc24ac26c3932effca9b46e39740963120f711e72aefc9
SHA512: 707ff5fcbb5e473583bec2d54aac25a3febe262c06025c9d88ddd5d30449b1454289eaa63bec848ca69147232474731052bef710e60c042d0c80e9c02486b5bb
SSDEEP: 1536:7DG01nFGLBQ+ZH3RSR9CJd6FLVTS6OSjl5eEJXopJ7xfYUCFkhTy3QFTiKCq:nFFFiMWJd6F5TnO65r+T1JQoTy3qTiY
Malware Config

Extracted (phemedrone):
https://api.telegram.org/bot7105333862:AAE6XaSuAERR5F_VgpAajrgcx8b0mCmMnqM/sendDocument
Signatures

Phemedrone
An information and wallet stealer written in C#.

Phemedrone family

Reads data files stored by FTP clients (2 TTPs)
Tries to access configuration files associated with programs like FileZilla.

Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Unsecured Credentials: Credentials In Files (1 TTPs)
Steal credentials from unsecured files.

Suspicious use of AdjustPrivilegeToken (1 IoCs)
description                pid   Process
Token: SeDebugPrivilege    2448  Itaxyhi.exe

Suspicious use of WriteProcessMemory (3 IoCs)
description                        pid   Process      procid_target
PID 2448 wrote to memory of 2664   2448  Itaxyhi.exe  32
PID 2448 wrote to memory of 2664   2448  Itaxyhi.exe  32
PID 2448 wrote to memory of 2664   2448  Itaxyhi.exe  32