MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a604eed1325b12671370e268783cfa74f8675a468492ff98416187d73768b4af. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

PhemedroneStealer

Vendor detections: 10



SHA256 hash: a604eed1325b12671370e268783cfa74f8675a468492ff98416187d73768b4af
SHA3-384 hash: 452e8834f3e7a30c066b5fc92bc08001d01dd7f056a95fc7ec2988c851b5c585665246666328e1e6aa4954069820af66
SHA1 hash: a68a6004e111ba899254aa015d93706037c447ff
MD5 hash: 5d4392b56aa4ebac400bbe86fe5d0767
humanhash: maine-cat-west-don
File name: dotNetFx40_Full_setup.exe
Signature: PhemedroneStealer
File size: 2'605'056 bytes
First seen: 2023-10-04 13:56:21 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'662 x AgentTesla, 19'477 x Formbook, 12'208 x SnakeKeylogger)
ssdeep: 49152:o3s23i7y2K9TYDnORn+JuXbOoGlQXlSHcBA5TkfZnIZirM5RxivYp:
Threatray: 1 similar samples on MalwareBazaar
TLSH: T198C5F7203DFB101DB3B3AFA95FD8B8AE996FF773270A64A9106103464712D81DD92739
TrID:
  71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
  10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
  6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
  2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter: stealerkiller
Tags: 32 dropper exe PhemedroneStealer


stealerkiller
url : hxxps://cdn1[.]frocdn[.]ch/rjFcwBLmZM9M3y7.exe
c2 : hxxp://rakishev[.]net/wp-load.php

Intelligence

File Origin
# of uploads: 1
# of downloads: 381
Origin country: GB

Vendor Threat Intelligence

Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a file in the %AppData% subdirectories
Creating a file in the %temp% subdirectories
Creating synchronization primitives
Creating a process from a recently created file
Creating a file
Searching for the window
Creating a window
Reading critical registry keys
Using the Windows Management Instrumentation requests
Moving a recently created file
DNS request
Sending an HTTP GET request
Searching for synchronization primitives
Launching a service
Launching the default Windows debugger (dwwin.exe)
Stealing user critical data
Gathering data
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: Phemedrone Stealer
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
.NET source code contains very large strings
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected Generic Downloader
Yara detected Phemedrone Stealer
Yara detected Telegram Recon
Behaviour
Behavior Graph ID: 1319489
Sample: dotNetFx40_Full_setup.exe
Start date: 04/10/2023
Architecture: WINDOWS
Score: 100
Domains contacted: rakishev.net, ip-api.com
Sample-level signatures: Multi AV Scanner detection for domain / URL; Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; 8 other signatures
Process tree:
  dotNetFx40_Full_setup.exe (started)
    dropped: C:\Users\user\AppData\Local\...QB4OREJ.exe (PE32); C:\ProgramData\Microsoft\...5K9HNJ7.exe (PE32)
    EQB4OREJ.exe (started)
      network: ip-api.com 208.95.112.1, 49683, 80, TUT-ASUS, United States; rakishev.net 104.21.88.34, 49687, 80, CLOUDFLARENETUS, United States
      signatures: Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines); Tries to harvest and steal browser information (history, passwords, etc)
    G5K9HNJ7.exe (started)
      dropped: C:\6c8944922f7b98d0b6cd82b768\sqmapi.dll (PE32); C:\...\SetupUtility.exe (PE32); C:\6c8944922f7b98d0b6cd82b768\SetupUi.dll (PE32); 27 other files (none is malicious)
      Setup.exe (started)
        WINWORD.EXE (started)
          splwow64.exe (started)
    conhost.exe (started)
Threat name: ByteCode-MSIL.Packed.Generic
Status: Suspicious
First seen: 2023-10-04 13:57:06 UTC
File Type: PE (.Net Exe)
Extracted files: 1
AV detection: 17 of 24 (70.83%)
Threat level: 1/5

Result
Malware family: phemedrone
Score: 10/10
Tags: family:phemedrone spyware stealer
Behaviour
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Looks up external IP address via web service
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Phemedrone
Unpacked files

SHA256 hash: 976051a9bbb7e204aa5ec40c5e91b125968f9f50e097b63f6c2099e700b9e237
MD5 hash: 0dd0d2a8e94f4ced18fa77b64d5653a0
SHA1 hash: eabf84c2ade7f8e5fccf86e51eef2ed961d589cc

SHA256 hash: 2c669f5390b14c63c91f4898419792aaee9c0b996dc348419e2ee84179cf3531
MD5 hash: ae881baa8c3a00a94e5994826bdac3aa
SHA1 hash: 3f81a9e1cb712b2f69c8ab9104469a436c797706

SHA256 hash: 48b005d64d508db2190b71d5467006177a2ff49ab88ba2b0213d66173a662a3d
MD5 hash: 2d0040494f69ac841513f21921b616a2
SHA1 hash: 8973a0517fcee8dab2731eb0a3d8839c5e0c625d

SHA256 hash: 3530f98b9763e3ecc065dc1355be3dbe80fb3027f0a104aa33e2818b96329080
MD5 hash: 03e426ddeb1280f2dd53ec22985a1d75
SHA1 hash: 6b91405989ee77f377cbb4e995922f5f733d200f

SHA256 hash: 57357e2899ebcf743fa7baf6cbfb4b72de95c1742537dff4e99725f3f1396e25
MD5 hash: 0494432140252108120c08f33b85d504
SHA1 hash: 4d14bed79b9ce09d759e9ce61742937ebd4f642a

SHA256 hash: a604eed1325b12671370e268783cfa74f8675a468492ff98416187d73768b4af
MD5 hash: 5d4392b56aa4ebac400bbe86fe5d0767
SHA1 hash: a68a6004e111ba899254aa015d93706037c447ff
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: NET
Author: malware-lu

Rule name: NETexecutableMicrosoft
Author: malware-lu

Rule name: pe_imphash

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download
  -> PhemedroneStealer: Executable exe a604eed1325b12671370e268783cfa74f8675a468492ff98416187d73768b4af (this sample)
     -> Dropping: PhemedroneStealer

Delivery method: Distributed via web download

Comments