MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c7f5161e69a1f7de4f87d1eaa680f045e84869d888c9c68c1ffc4ec6d1a95207. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

PhemedroneStealer

Vendor detections: 18

SHA256 hash: c7f5161e69a1f7de4f87d1eaa680f045e84869d888c9c68c1ffc4ec6d1a95207
SHA3-384 hash: 6b1105d0f55c4e4592b6da95f8437c2bf60f1a21ccc132ca25f020f9f92067eaa45dec982bdbd2f22b47ec0890e8d1e0
SHA1 hash: eedcc55e4d6132e933b83e78ec0f6b27920706f7
MD5 hash: a5d2cfff273ff2896651620edbfbf2ff
humanhash: tennessee-hydrogen-bravo-fish
File name: SecuriteInfo.com.Trojan.Siggen31.9411.1178.4099
Signature: PhemedroneStealer
File size: 8'180'224 bytes
First seen: 2025-04-20 08:37:44 UTC
Last seen: 2025-04-20 09:24:43 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'468 x Formbook, 12'206 x SnakeKeylogger)
ssdeep: 98304:fyfoRvySuOauKO0dc9MxBhceGJ8U3IpaGmTU:aAh+cu3hceq8U3OaGs
TLSH: T13B864A01B7E89B26D1BF4735A4761018D7F6FD6A5322DA4D714CB2BB2F32B004A66327
TrID: 67.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
      9.7% (.EXE) Win64 Executable (generic) (10522/11/4)
      6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      4.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
      4.1% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika: pebin
Reporter: SecuriteInfoCom
Tags: exe PhemedroneStealer

Intelligence


File Origin
# of uploads: 2
# of downloads: 359
Origin country: FR
Vendor Threat Intelligence

Malware family:
ID: 1
File name: SecuriteInfo.com.Trojan.Siggen31.9411.1178.4099
Verdict: Malicious activity
Analysis date: 2025-04-20 09:07:05 UTC
Tags: github evasion stealer zerotrace dcrat rat auto-reg auto-startup remote xworm xor-url generic umbralstealer darkcrystal discord exfiltration miner winring0x64-sys vuln-driver

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Verdict: Malicious
Score: 99.9%
Tags: infosteal vmdetect asyncrat kraken

Result
Verdict: Malware
Maliciousness:
Behaviour
Searching for the window
Creating synchronization primitives
DNS request
Connection attempt
Sending a custom TCP request
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a window
Sending an HTTP GET request
Searching for synchronization primitives
Creating a file
Running batch commands
Reading critical registry keys
Launching a process
Using the Windows Management Instrumentation requests
Creating a process with a hidden window
Launching the process to change network settings
Loading a suspicious library
Deleting a system file
Unauthorized injection to a recently created process
Stealing user critical data
Adding an exclusion to Microsoft Defender
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: anti-vm evasive findstr fingerprint hacktool lolbin netsh reconnaissance stealer

Result
Threat name: AveMaria, Blank Grabber, DCRat, Destiny
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
Adds a directory exclusion to Windows Defender
Antivirus detection for dropped file
Attempt to bypass Chrome Application-Bound Encryption
Bypasses PowerShell execution policy
Check if machine is in data center or colocation facility
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files with benign system names
Found many strings related to Crypto-Wallets (likely being stolen)
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Modifies power options to not sleep / hibernate
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Protects its processes via BreakOnTermination flag
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Capture Wi-Fi password
Sigma detected: Disable power options
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: Potential Data Stealing Via Chromium Headless Debugging
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: System File Execution Location Anomaly
Sigma detected: Windows Binaries Write Suspicious Extensions
Suricata IDS alerts for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal WLAN passwords
Tries to steal Crypto Currency Wallets
Uses netsh to modify the Windows network and firewall settings
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Uses powercfg.exe to modify the power settings
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Yara detected AveMaria stealer
Yara detected Blank Grabber
Yara detected DCRat
Yara detected Destiny Stealer
Yara detected Keylogger Generic
Yara detected PureLog Stealer
Yara detected StormKitty Stealer
Yara detected Umbral Stealer
Yara detected XWorm
Yara detected zgRAT
Behaviour
Behavior Graph (text recovered from the graph image)
Behavior Graph ID: 1669603
Sample: SecuriteInfo.com.Trojan.Sig...
Startdate: 20/04/2025
Architecture: WINDOWS
Score: 100

Top-level signatures: Suricata IDS alerts for network traffic; Malicious sample detected (through community Yara rule); Antivirus detection for dropped file; 23 other signatures

Network destinations (as labelled in the graph; port numbers are given as shown):
  github.com 140.82.113.4, 443, 49699, 49702 (GITHUBUS, United States) - contacted by the sample
  raw.githubusercontent.com 185.199.109.133, 443, 49700, 49703 (FASTLYUS, Netherlands) - contacted by the sample
  4 other IPs or domains contacted by the sample; 5 other IPs or domains at top level
  ip-api.com 208.95.112.1, 49707, 49717, 49720 (TUT-ASUS, United States) - contacted by 1.exe
  89.39.121.169, 50034, 9000 (NG-AS SosBucuresti-Ploiestinr42-44RO, Romania) - contacted by 1.exe
  723499cm.shnyash.ru 172.67.178.244, 49723, 49724, 49725 (CLOUDFLARENETUS, United States) - contacted by processes under cmd.exe (child of 3.exe)
  104.21.17.252, 49920, 49940, 80 (CLOUDFLARENETUS, United States) - contacted by CVfzjnGeOVCYl3Yd8v.exe

Process tree, with dropped files and per-process signatures:
  SecuriteInfo.com.Trojan.Siggen31.9411.1178.4099.exe
    drops: C:\Users\user\AppData\Local\...\svchost.exe (PE32); SecuriteInfo.com.T...1.1178.4099.exe.log (ASCII)
    signatures: Attempt to bypass Chrome Application-Bound Encryption; Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Found many strings related to Crypto-Wallets (likely being stolen); 5 other signatures
    svchost.exe
      drops: C:\RuntimeBroker\4.exe (PE32); C:\RuntimeBroker\3.exe (PE32); C:\RuntimeBroker\2.exe (PE32+); 2 other malicious files
      signatures: Multi AV Scanner detection for dropped file; Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
      4.exe
        signatures: Multi AV Scanner detection for dropped file; Queries sensitive video device information (via WMI, Win32_VideoController); Tries to harvest and steal browser information (history, passwords, etc)
        svchost.exe
          drops: C:\driverPerf\XClient.exe (PE32); C:\driverPerf\Umbral.exe (PE32); C:\driverPerf\SavesRuntimecommon.exe (PE32); C:\driverPerf\123.exe (PE32+)
          wscript.exe
            cmd.exe
              SavesRuntimecommon.exe
                drops: C:\driverPerf\wLA8tltDyk7g.exe (PE32); C:\driverPerf\uCxa4hvb2.exe (PE32); C:\Windows\...\CVfzjnGeOVCYl3Yd8v.exe (PE32); 9 other malicious files
                signatures: Multi AV Scanner detection for dropped file
                cmd.exe
                  signatures: Drops executables to the windows directory (C:\Windows) and starts them
                  CVfzjnGeOVCYl3Yd8v.exe
                    drops: C:\Users\user\Desktop\vSawheea.log (PE32); C:\Users\user\Desktop\umGGazJh.log (PE32); C:\Users\user\Desktop\sawYVelp.log (PE32); 3 other malicious files
                    signatures: Multi AV Scanner detection for dropped file; Queries sensitive video device information (via WMI, Win32_VideoController); Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity)
                  conhost.exe
                  chcp.com
                  w32tm.exe
              conhost.exe
          3 other processes
            signatures: Multi AV Scanner detection for dropped file; Adds a directory exclusion to Windows Defender
            WMIC.exe (child: conhost.exe)
            powershell.exe (child: conhost.exe)
            powershell.exe (child: conhost.exe)
        msedge.exe (child: msedge.exe)
      3.exe
        drops: C:\Windows\debug\fontdrvhost.exe (PE32); C:\Users\user\Desktop\ucMeGsqn.log (PE32); C:\Users\user\Desktop\sFPojAor.log (PE32); 9 other malicious files
        signatures: Antivirus detection for dropped file; Drops PE files with benign system names
        cmd.exe
          signatures: Uses ping.exe to sleep; Uses ping.exe to check the status of other devices and networks
          4 other processes
            drops: C:\Users\user\Desktop\qGPqfWuA.log (PE32); C:\Users\user\Desktop\fSkzvKzS.log (PE32); C:\Users\user\Desktop\Waujbvbo.log (PE32); 3 other malicious files
            signatures: Tries to harvest and steal browser information (history, passwords, etc)
      1.exe
        drops: C:\Users\user\AppData\Roaming\XClient.exe (PE32)
        signatures: Protects its processes via BreakOnTermination flag; Bypasses PowerShell execution policy; Adds a directory exclusion to Windows Defender; Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
        powershell.exe (child: conhost.exe)
      2 other processes
        drops: C:\ProgramData\...\tfbrzzhhrzhb.exe (PE32+)
        signatures: Uses powercfg.exe to modify the power settings; Windows Scripting host queries suspicious COM object (likely to drop second stage); Modifies power options to not sleep / hibernate
        cmd.exe (child: conhost.exe)
          signatures: Uses netsh to modify the Windows network and firewall settings; Tries to harvest and steal WLAN passwords
        powershell.exe (child: conhost.exe)
          signatures: Loading BitLocker PowerShell Module
        cmd.exe (children: 2 other processes)
        6 other processes (children: 6 other processes)
    cmd.exe
      signatures: Tries to harvest and steal WLAN passwords
      conhost.exe
      chcp.com
      2 other processes
    cmd.exe (children: 3 other processes)
    msedge.exe (child: msedge.exe)
  svchost.exe (three further top-level instances)
Threat name: ByteCode-MSIL.Infostealer.Browsstl
Status: Malicious
First seen: 2025-04-16 00:14:38 UTC
File Type: PE (.Net Exe)
Extracted files: 43
AV detection: 26 of 38 (68.42%)
Threat level: 5/5
Verdict: malicious
Label(s): stormkitty
Similar samples:

Result
Malware family:
Score: 10/10
Tags: family:dcrat family:stormkitty family:umbral family:xmrig family:xworm collection credential_access defense_evasion discovery execution infostealer miner persistence privilege_escalation rat spyware stealer trojan upx
Behaviour
Checks processor information in registry
Detects videocard installed
Enumerates system info in registry
Modifies data under HKEY_USERS
Modifies registry class
Runs ping.exe
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
outlook_office_path
outlook_win_path
Browser Information Discovery
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
System Location Discovery: System Language Discovery
System Network Configuration Discovery: Internet Connection Discovery
System Network Configuration Discovery: Wi-Fi Discovery
Drops file in Program Files directory
Drops file in Windows directory
Launches sc.exe
Drops file in System32 directory
Suspicious use of SetThreadContext
UPX packed file
Accesses Microsoft Outlook profiles
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Power Settings
Checks computer location settings
Drops startup file
Executes dropped EXE
Reads user/profile data of web browsers
Command and Scripting Interpreter: PowerShell
Creates new service(s)
Downloads MZ/PE file
Drops file in Drivers directory
Stops running service(s)
Uses browser remote debugging
XMRig Miner payload
DcRat
Dcrat family
Detect Umbral payload
Detect Xworm Payload
StormKitty
StormKitty payload
Stormkitty family
Umbral
Umbral family
Xmrig family
Xworm
Xworm family
xmrig
Malware Config
C2 Extraction:
  89.39.121.169:9000
  https://discord.com/api/webhooks/1333154187097411584/digMymw3Ra3L6I5D8zGVEzUUedj3jMIaMra4MYEhFwT7XO6iinul-zQfNDxgOfoV2lrG
Verdict: Malicious
Tags: stealer phemedrone_stealer stormkitty phemedronestealer trojan
YARA: MALWARE_Win_Cyberstealer MALWARE_Win_Phemedronestealer MALWARE_Win_StormKitty MALWARE_Win_PhemedroneStealer Windows_Generic_Threat_2bb6f41d

Unpacked files
SHA256 hash: c7f5161e69a1f7de4f87d1eaa680f045e84869d888c9c68c1ffc4ec6d1a95207
MD5 hash: a5d2cfff273ff2896651620edbfbf2ff
SHA1 hash: eedcc55e4d6132e933b83e78ec0f6b27920706f7
Detections: StormKitty
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Detect_PowerShell_Obfuscation
Author: daniyyell
Description: Detects obfuscated PowerShell commands commonly used in malicious scripts.

Rule name: detect_Redline_Stealer_V2
Author: Varp0s

Rule name: golang_bin_JCorn_CSC846
Author: Justin Cornwell
Description: CSC-846 Golang detection ruleset

Rule name: grakate_stealer_nov_2021

Rule name: INDICATOR_EXE_Packed_Fody
Author: ditekSHen
Description: Detects executables manipulated with Fody

Rule name: INDICATOR_SUSPICIOUS_Binary_Embedded_Crypto_Wallet_Browser_Extension_IDs
Author: ditekSHen
Description: Detect binaries embedding a considerable number of cryptocurrency wallet browser extension IDs.

Rule name: INDICATOR_SUSPICIOUS_Binary_Embedded_MFA_Browser_Extension_IDs
Author: ditekSHen
Description: Detect binaries embedding a considerable number of MFA browser extension IDs.

Rule name: INDICATOR_SUSPICIOUS_EXE_CC_Regex
Author: ditekSHen
Description: Detects executables referencing credit card regular expressions

Rule name: INDICATOR_SUSPICIOUS_EXE_Discord_Regex
Author: ditekSHen
Description: Detects executables referencing Discord token regular expressions

Rule name: INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
Author: ditekSHen
Description: Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurrency wallets, etc. Observed in information stealers

Rule name: INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
Author: ditekSHen
Description: Detects executables referencing many email and collaboration clients. Observed in information stealers

Rule name: INDICATOR_SUSPICIOUS_EXE_References_VPN
Author: ditekSHen
Description: Detects executables referencing many VPN software clients. Observed in infostealers

Rule name: INDICATOR_SUSPICIOUS_EXE_WirelessNetReccon
Author: ditekSHen
Description: Detects executables with interest in wireless interfaces using netsh

Rule name: Jupyter_infostealer
Author: CD_R0M_
Description: Rule for Jupyter Infostealer/Solarmarker malware from September 2021 to December 2022

Rule name: Lumma_Stealer_Detection
Author: ashizZz
Description: Detects a specific Lumma Stealer malware sample using unique strings and behaviors
Reference: https://seanthegeek.net/posts/compromized-store-spread-lumma-stealer-using-fake-captcha/

Rule name: Macos_Infostealer_Wallets_8e469ea0
Author: Elastic Security

Rule name: MALWARE_Win_CyberStealer
Author: ditekSHen
Description: Detects CyberStealer infostealer

Rule name: MALWARE_Win_PhemedroneStealer
Author: ditekSHen
Description: Detects Phemedrone Stealer infostealer

Rule name: MALWARE_Win_StormKitty
Author: ditekSHen
Description: Detects StormKitty infostealer

Rule name: NET
Author: malware-lu

Rule name: pe_imphash

Rule name: RANSOMWARE
Author: ToroGuitar

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

Rule name: Windows_Generic_Threat_2bb6f41d
Author: Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download
PhemedroneStealer
Executable exe c7f5161e69a1f7de4f87d1eaa680f045e84869d888c9c68c1ffc4ec6d1a95207 (this sample)

Delivery method: Distributed via web download

BLint


The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings
ID                          Title                                              Severity
CHECK_AUTHENTICODE          Missing Authenticode                               high
CHECK_DLL_CHARACTERISTICS   Missing dll Security Characteristics (GUARD_CF)    high
