phemedrone | 6cb5005a2a43e0ca027de531c844c00935940df89d797b67f47d4399b89d3bf4

Analysis

max time kernel
140s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20250129-en
resource tags

arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system
submitted
07/02/2025, 11:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SecuriteInfo.com.Trojan.Siggen21.26995.20995.13619.exe
Size

1005KB
MD5

d393fb1b159fdc35e135960a8f8b2928
SHA1

74f27229a212ceb1be49b6f1ae9093c9af5fe0c2
SHA256

6cb5005a2a43e0ca027de531c844c00935940df89d797b67f47d4399b89d3bf4
SHA512

bda698fc1d1c8893fe688ea82f83bddcb56a009fd1155cfe25683bd87d71c6f1232059e4d5f6c7f17865c3fd8bd5aa32b306b63aa59c78a82776f69e772d0b98
SSDEEP

6144:d4lrV3oawRMA8RixB9+5FUd0f1Ky5xg+GIIIIIIIhIIIIIIIIIIIIIIIU:qlVoawO5Qj9+5FdfEy/

Score

10^/10

phemedrone xworm rat stealer trojan

Malware Config

Extracted

Family

xworm

127.0.0.1:2727

dnsdeerrorlehaxor.ddns.net:2727

Attributes

Install_directory
%Public%
install_file
Discord.exe
telegram
https://api.telegram.org/bot5964175002:AAFK1mpStrMUWwegniLJuryZjOhVavZhSGo/sendMessage?chat_id=1745421249

Extracted

Family

phemedrone

https://api.telegram.org/bot7602843389:AAE9dcCKuyUGx9HUNQf9KbsZDhME6HwC10g/sendMessage?chat_id=1745421249

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral2/files/0x000c000000023b3b-6.dat	family_xworm
behavioral2/memory/1804-21-0x0000000000AB0000-0x0000000000B0C000-memory.dmp	family_xworm

Phemedrone
An information and wallet stealer written in C#.
stealer phemedrone
Phemedrone family
phemedrone
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\Control Panel\International\Geo\Nation	SecuriteInfo.com.Trojan.Siggen21.26995.20995.13619.exe

Executes dropped EXE 2 IoCs

pid	Process
1804	Discord.exe
868	Steam.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
23	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1804	Discord.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4272 wrote to memory of 1804	4272	SecuriteInfo.com.Trojan.Siggen21.26995.20995.13619.exe	84
PID 4272 wrote to memory of 1804	4272	SecuriteInfo.com.Trojan.Siggen21.26995.20995.13619.exe	84
PID 4272 wrote to memory of 868	4272	SecuriteInfo.com.Trojan.Siggen21.26995.20995.13619.exe	85
PID 4272 wrote to memory of 868	4272	SecuriteInfo.com.Trojan.Siggen21.26995.20995.13619.exe	85

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Siggen21.26995.20995.13619.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Siggen21.26995.20995.13619.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4272
- C:\Users\Public\Discord.exe
  "C:\Users\Public\Discord.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1804
- C:\Users\Public\Steam.exe
  "C:\Users\Public\Steam.exe"
  2⤵
  - Executes dropped EXE
  PID:868

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\Discord.exe

Filesize
340KB

MD5
93a84f8e3c8e40aa764215d360a89064

SHA1
5bf84da9f34ec2fd38bc175a8a890244409edca1

SHA256
18ebb82690ab22e2b00016bbd44df0ab1bd522d7231abe23e11cb56d33bbbe3f

SHA512
da313755609442286062a9be8754399c606c0071812ad7dfb9289d37e9b24ee8cc8688e6563f192dff9552355f917f25ee2ffe735a5e1fc876cfe4ce778cce34

Download Submit
C:\Users\Public\Steam.exe

Filesize
385KB

MD5
d5e9ca906c2366c7878fe7ff36587f6a

SHA1
be89988a517effb21f2e3a0c680f890708d95410

SHA256
25c49795584b8bd3dc5dc2be6e26cecf9dd0cef2323aa71089c1de01ac81dacc

SHA512
ec864f1fa9b7efac08baf3c1feb6626fa4832f76336921ec133aed1d4cfbe9fe8a05a70c0997e831383894d51d05bd4a8335d03353310808fd301bf112cf00ae

Download Submit
memory/868-25-0x0000020664850000-0x00000206648B6000-memory.dmp

Filesize
408KB

Download
memory/868-28-0x00007FFB40340000-0x00007FFB40E01000-memory.dmp

Filesize
10.8MB

Download
memory/868-29-0x00007FFB40340000-0x00007FFB40E01000-memory.dmp

Filesize
10.8MB

Download
memory/1804-21-0x0000000000AB0000-0x0000000000B0C000-memory.dmp

Filesize
368KB

Download
memory/1804-27-0x00007FFB40340000-0x00007FFB40E01000-memory.dmp

Filesize
10.8MB

Download
memory/1804-30-0x00007FFB40340000-0x00007FFB40E01000-memory.dmp

Filesize
10.8MB

Download
memory/1804-31-0x00007FFB40340000-0x00007FFB40E01000-memory.dmp

Filesize
10.8MB

Download
memory/4272-0-0x00007FFB40343000-0x00007FFB40345000-memory.dmp

Filesize
8KB

Download
memory/4272-1-0x0000000000BF0000-0x0000000000CF2000-memory.dmp

Filesize
1.0MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads