phemedrone | hxxps://mega[.]nz/file/5b1iVaZT#rbLX2xFGDfc1aQGgEhKBFkGt3wEtagSZBNVq0_7tXb0 | Triage

Submit
Reports

Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

Static

static

1

URLScan

urlscan

https://mega.nz/file...

windows10-ltsc 2021-x64

https://mega.nz/file...

windows11-21h2-x64

Sharing

General

Target

https://mega.nz/file/5b1iVaZT#rbLX2xFGDfc1aQGgEhKBFkGt3wEtagSZBNVq0_7tXb0
Sample

241226-xmszgsvmgz

Score

10^/10

phemedrone credential_access defense_evasion discovery stealer

Static task

static1

URLScan task

urlscan1

Behavioral task

behavioral1

Sample

https://mega.nz/file/5b1iVaZT#rbLX2xFGDfc1aQGgEhKBFkGt3wEtagSZBNVq0_7tXb0

Resource

win10ltsc2021-20241211-en

phemedrone credential_access discovery stealer

windows10-ltsc 2021-x64

27 signatures

300 seconds

Behavioral task

behavioral2

Sample

https://mega.nz/file/5b1iVaZT#rbLX2xFGDfc1aQGgEhKBFkGt3wEtagSZBNVq0_7tXb0

Resource

win11-20241007-en

phemedrone credential_access defense_evasion discovery stealer

windows11-21h2-x64

21 signatures

300 seconds

Malware Config

Extracted

Family

phemedrone

C2

https://api.telegram.org/bot7668501460:AAH2A5oRhWUqF_EWSrJaaRppA9RgQdU2iUc/sendDocument

Targets

- Target
  
  https://mega.nz/file/5b1iVaZT#rbLX2xFGDfc1aQGgEhKBFkGt3wEtagSZBNVq0_7tXb0
Score

10^/10

phemedrone credential_access discovery stealer defense_evasion
- Phemedrone
  An information and wallet stealer written in C#.
  stealer phemedrone
- Phemedrone family
  phemedrone
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Unsecured Credentials: Credentials In Files
  Steal credentials from unsecured files.
  credential_access stealer
- Uses the VBS compiler for execution
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

Persistence

Privilege Escalation

Defense Evasion

Subvert Trust Controls

SIP and Trust Provider Hijacking

Credential Access

Unsecured Credentials

Credentials In Files

Discovery

Browser Information Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

urlscan1

behavioral1

phemedronecredential_accessdiscoverystealer

behavioral2

phemedronecredential_accessdefense_evasiondiscoverystealer

© 2018-2025

Terms | Privacy