Analysis
- max time kernel: 32s
- max time network: 110s
- platform: windows10_x64
- resource: win10v20210410
- submitted: 20-05-2021 05:40
Static task: static1
Behavioral task: behavioral1
- Sample: CS SkinCHANGER.exe
- Resource: win7v20210408
Behavioral task: behavioral2
- Sample: CS SkinCHANGER.exe
- Resource: win10v20210410
Behavioral task: behavioral3
- Sample: Free Discord Nitro.exe
- Resource: win7v20210410
Behavioral task: behavioral4
- Sample: Free Discord Nitro.exe
- Resource: win10v20210408
General
- Target: CS SkinCHANGER.exe
- Size: 1016KB
- MD5: 4baf19886d71c6d9312b3a71dcfea37e
- SHA1: ebacfba77117ec07d108f1b80e419be9674a48da
- SHA256: 1d2005df287958967e785ebc022f183ed7b3878b631d75d61ed8d94bcda0ee58
- SHA512: 0bb4d418ca83f1f85edcfbea1cf3704d42ebb9e3092c70f0a982238210adc9b51cfa47f19df67f7f2714444f04ac4bbf27887724f1dbcd6d1ba84c872074067c
Malware Config
Signatures
PandaStealer
Panda Stealer is a fork of CollectorProject Stealer written in C++.

Obfuscated with Agile.Net obfuscator (1 IoC)
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
- resource: behavioral2/memory/2204-120-0x0000000004F10000-0x0000000004F1A000-memory.dmp
  yara_rule: agile_net
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Suspicious use of SetThreadContext (1 IoC)
- description: PID 2204 set thread context of 2844
  pid: 2204
  Process: CS SkinCHANGER.exe
  procid_target: 79
Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments.
- description: Key opened
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000
  Process: taskmgr.exe
- description: Key opened
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A
  Process: taskmgr.exe
- description: Key value queried
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\FriendlyName
  Process: taskmgr.exe
Suspicious behavior: EnumeratesProcesses (14 IoCs)
- pid: 3932, Process: taskmgr.exe (14 identical entries)
Suspicious use of AdjustPrivilegeToken (6 IoCs)
- description: Token: SeDebugPrivilege, pid: 2204, Process: CS SkinCHANGER.exe
- description: Token: SeDebugPrivilege, pid: 3932, Process: taskmgr.exe
- description: Token: SeSystemProfilePrivilege, pid: 3932, Process: taskmgr.exe
- description: Token: SeCreateGlobalPrivilege, pid: 3932, Process: taskmgr.exe
- description: Token: 33, pid: 3932, Process: taskmgr.exe
- description: Token: SeIncBasePriorityPrivilege, pid: 3932, Process: taskmgr.exe
Suspicious use of FindShellTrayWindow (40 IoCs)
- pid: 3932, Process: taskmgr.exe (40 identical entries)
Suspicious use of SendNotifyMessage (39 IoCs)
- pid: 3932, Process: taskmgr.exe (39 identical entries)
Suspicious use of WriteProcessMemory (9 IoCs)
- description: PID 2204 wrote to memory of 2844, pid: 2204, Process: CS SkinCHANGER.exe, procid_target: 79 (9 identical entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\CS SkinCHANGER.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\CS SkinCHANGER.exe"
  PID: 2204
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\CS SkinCHANGER.exe (child process)
    Command line: "C:\Users\Admin\AppData\Local\Temp\CS SkinCHANGER.exe"
    PID: 2844
- C:\Windows\system32\taskmgr.exe
  Command line: "C:\Windows\system32\taskmgr.exe" /4
  PID: 3932
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage