Resubmissions

02-02-2025 10:53

250202-myz7tsykbw 10

02-02-2025 10:47

250202-mvq5raxrhw 10

Analysis

  • max time kernel
    63s
  • max time network
    65s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250129-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20250129-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    02-02-2025 10:47

General

  • Target

    Umovelo 2.exe

  • Size

    115KB

  • MD5

    4b505f9c0da945d7505ed40f2d0eb8ae

  • SHA1

    1e49a3f17ff2b4f5c5705a421ac94fda0cde348f

  • SHA256

    1dec93d447770aa7636ea8d8e553b68f28b31ba3d34b8024deed5de7b3d82a27

  • SHA512

    50e015ef7073318e277bf0f8448513cd624bd64fe5fa17d31b127cf1d0ca75a9e6774c4dfe89b9bdea01d0d8cb6dd94c1279e23f7d371c1cf72813b69b4ac8ec

  • SSDEEP

    1536:aw8VfG5Pq8rGZo3RVFdgMVk0fdUPLxcAgOgoCJ176IQNgm53YZBjdIvZmqUNDWi4:3aGRqKToMRdaCJ1OIG5GBjd+aNDHlo

Malware Config

Extracted

Family

phemedrone

C2

https://api.telegram.org/bot7977811634:AAEsOS7wUXOBwdgGyVbVwwqu3kCcteKHzoA/sendDocument

Signatures

  • Phemedrone

    An information and wallet stealer written in C#.

  • Phemedrone family
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Unsecured Credentials: Credentials In Files 1 TTPs

    Steal credentials from unsecured files.

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 18 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of FindShellTrayWindow 44 IoCs
  • Suspicious use of SendNotifyMessage 43 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Umovelo 2.exe
    "C:\Users\Admin\AppData\Local\Temp\Umovelo 2.exe"
    • Suspicious use of AdjustPrivilegeToken
    PID:4496
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /4
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:4472

Network

MITRE ATT&CK Enterprise v15


Downloads

  • memory/4472-15-0x00000248D27F0000-0x00000248D27F1000-memory.dmp (Filesize: 4KB)
  • memory/4472-7-0x00000248D27F0000-0x00000248D27F1000-memory.dmp (Filesize: 4KB)
  • memory/4472-11-0x00000248D27F0000-0x00000248D27F1000-memory.dmp (Filesize: 4KB)
  • memory/4472-12-0x00000248D27F0000-0x00000248D27F1000-memory.dmp (Filesize: 4KB)
  • memory/4472-5-0x00000248D27F0000-0x00000248D27F1000-memory.dmp (Filesize: 4KB)
  • memory/4472-6-0x00000248D27F0000-0x00000248D27F1000-memory.dmp (Filesize: 4KB)
  • memory/4472-13-0x00000248D27F0000-0x00000248D27F1000-memory.dmp (Filesize: 4KB)
  • memory/4472-17-0x00000248D27F0000-0x00000248D27F1000-memory.dmp (Filesize: 4KB)
  • memory/4472-14-0x00000248D27F0000-0x00000248D27F1000-memory.dmp (Filesize: 4KB)
  • memory/4472-16-0x00000248D27F0000-0x00000248D27F1000-memory.dmp (Filesize: 4KB)
  • memory/4496-0-0x00007FFD8A763000-0x00007FFD8A765000-memory.dmp (Filesize: 8KB)
  • memory/4496-1-0x0000000000710000-0x0000000000734000-memory.dmp (Filesize: 144KB)
  • memory/4496-4-0x00007FFD8A760000-0x00007FFD8B221000-memory.dmp (Filesize: 10.8MB)
  • memory/4496-2-0x00007FFD8A760000-0x00007FFD8B221000-memory.dmp (Filesize: 10.8MB)