Overview

overview

10

Static

static

10

Dexytyb.exe

windows7-x64

10

Dexytyb.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    117s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20250207-en
  • resource tags

    arch:x64arch:x86image:win7-20250207-enlocale:en-usos:windows7-x64system
  • submitted
    21/03/2025, 23:24

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Dexytyb.exe

  • Size

    116KB

  • MD5

    57896f23106968a8b964222d0bee5cc2

  • SHA1

    c63fcc35b9d6862951a0e0f7cdd0cc8e034c4de5

  • SHA256

    edbafdfc5daf3edb477b52fd1aa2376b96a9f08f9a76c1d1a9a686f303742168

  • SHA512

    af191c4b48a54506ad41ccac6f0fc96c4ef9d06ccfb8ddaaa9d5a4f5279d072ecf5a1eff4945f808b9990d63491da9b897bacdb53e0030ffb6470802ef0a35bc

  • SSDEEP

    1536:IYG01nFGLBQ+Z33RXwvE1osCVSYvY6Kfb875lbyl6bXvYiTz75XIKC4xyYtt:RFFFiZKsKKw75N0IYiL5XIAz

Score
10/10
phemedronecredential_accessspywarestealer

Malware Config

Extracted

Family

phemedrone

C2

https://api.telegram.org/bot7831430177:AAHyPrNHXslwzad7nSAEROdQK02cKzd8JCE/sendDocument

Signatures

  • Phemedrone

    An information and wallet stealer written in C#.

    stealerphemedrone
  • Phemedrone family
    phemedrone
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Unsecured Credentials: Credentials In Files 1 TTPs

    Steal credentials from unsecured files.

    credential_accessstealer
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 35 IoCs
  • Suspicious use of SendNotifyMessage 34 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Dexytyb.exe
    "C:\Users\Admin\AppData\Local\Temp\Dexytyb.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2160
    • C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 2160 -s 1672
      2⤵
        PID:2976
    • C:\Windows\system32\taskmgr.exe
      "C:\Windows\system32\taskmgr.exe" /4
      1⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:1696

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/1696-4-0x0000000140000000-0x00000001405E8000-memory.dmp

      Filesize

      5.9MB

      Download

    • memory/1696-5-0x0000000140000000-0x00000001405E8000-memory.dmp

      Filesize

      5.9MB

      Download

    • memory/2160-0-0x000007FEF5D83000-0x000007FEF5D84000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2160-1-0x0000000000DB0000-0x0000000000DD4000-memory.dmp

      Filesize

      144KB

      Download

    • memory/2160-2-0x000007FEF5D80000-0x000007FEF676C000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/2160-3-0x000007FEF5D80000-0x000007FEF676C000-memory.dmp

      Filesize

      9.9MB

      Download