Analysis

  • max time kernel
    13s
  • max time network
    21s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
  • submitted
    07-02-2025 19:38

General

  • Target

    steam.exe

  • Size

    1005KB

  • MD5

    d393fb1b159fdc35e135960a8f8b2928

  • SHA1

    74f27229a212ceb1be49b6f1ae9093c9af5fe0c2

  • SHA256

    6cb5005a2a43e0ca027de531c844c00935940df89d797b67f47d4399b89d3bf4

  • SHA512

    bda698fc1d1c8893fe688ea82f83bddcb56a009fd1155cfe25683bd87d71c6f1232059e4d5f6c7f17865c3fd8bd5aa32b306b63aa59c78a82776f69e772d0b98

  • SSDEEP

    6144:d4lrV3oawRMA8RixB9+5FUd0f1Ky5xg+GIIIIIIIhIIIIIIIIIIIIIIIU:qlVoawO5Qj9+5FdfEy/

Malware Config

Extracted

Family

xworm

C2

127.0.0.1:2727

dnsdeerrorlehaxor.ddns.net:2727

Attributes
  • Install_directory

    %Public%

  • install_file

    Discord.exe

  • telegram

    https://api.telegram.org/bot5964175002:AAFK1mpStrMUWwegniLJuryZjOhVavZhSGo/sendMessage?chat_id=1745421249

Extracted

Family

phemedrone

C2

https://api.telegram.org/bot7602843389:AAE9dcCKuyUGx9HUNQf9KbsZDhME6HwC10g/sendMessage?chat_id=1745421249

Signatures

  • Detect Xworm Payload 2 IoCs
  • Phemedrone

    An information and wallet stealer written in C#.

  • Phemedrone family
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Xworm family
  • Executes dropped EXE 2 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\steam.exe
    "C:\Users\Admin\AppData\Local\Temp\steam.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2876
    • C:\Users\Public\Discord.exe
      "C:\Users\Public\Discord.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:3020
    • C:\Users\Public\Steam.exe
      "C:\Users\Public\Steam.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:2844
      • C:\Windows\system32\WerFault.exe
        C:\Windows\system32\WerFault.exe -u -p 2844 -s 640
        3⤵
          PID:1268

Network

MITRE ATT&CK Enterprise v15

Downloads

    • C:\Users\Public\Discord.exe

      Filesize

      340KB

      MD5

      93a84f8e3c8e40aa764215d360a89064

      SHA1

      5bf84da9f34ec2fd38bc175a8a890244409edca1

      SHA256

      18ebb82690ab22e2b00016bbd44df0ab1bd522d7231abe23e11cb56d33bbbe3f

      SHA512

      da313755609442286062a9be8754399c606c0071812ad7dfb9289d37e9b24ee8cc8688e6563f192dff9552355f917f25ee2ffe735a5e1fc876cfe4ce778cce34

    • C:\Users\Public\Steam.exe

      Filesize

      385KB

      MD5

      d5e9ca906c2366c7878fe7ff36587f6a

      SHA1

      be89988a517effb21f2e3a0c680f890708d95410

      SHA256

      25c49795584b8bd3dc5dc2be6e26cecf9dd0cef2323aa71089c1de01ac81dacc

      SHA512

      ec864f1fa9b7efac08baf3c1feb6626fa4832f76336921ec133aed1d4cfbe9fe8a05a70c0997e831383894d51d05bd4a8335d03353310808fd301bf112cf00ae

    • memory/2844-13-0x0000000000FC0000-0x0000000001026000-memory.dmp

      Filesize

      408KB

    • memory/2876-0-0x000007FEF5A53000-0x000007FEF5A54000-memory.dmp

      Filesize

      4KB

    • memory/2876-1-0x0000000001290000-0x0000000001392000-memory.dmp

      Filesize

      1.0MB

    • memory/3020-12-0x0000000000F50000-0x0000000000FAC000-memory.dmp

      Filesize

      368KB

    • memory/3020-14-0x000007FEF5A50000-0x000007FEF643C000-memory.dmp

      Filesize

      9.9MB

    • memory/3020-15-0x000007FEF5A50000-0x000007FEF643C000-memory.dmp

      Filesize

      9.9MB