General

  • Target:  telegram_soft.rar
  • Size:    70.9MB
  • Sample:  220227-hyl8rabha8
  • MD5:     ab007592b146666d8a8a47f3768cc375
  • SHA1:    58738bad6d11f86ed95be81070efc66e3ca78f89
  • SHA256:  57e399eee8e7310f54c728235115e9cf4cf84cd42095b9267620fe6af49e5ba8
  • SHA512:  883e3e92cca3c07bfed335d17e1b772ce5008f9e985bd1a9733363586bc15163095aada3ab7591d080ddc6b76c67e991098b9ab5bb92fd05e85169423d709af0

Malware Config

Targets

  Target 1

    • Target:  telegram_soft/Activator.exe
    • Size:    2.9MB
    • MD5:     f18597c66c2170583ec174a7baa8d93b
    • SHA1:    c3917128a7da6ece2ef8dae83ea2d6a1d50d92a6
    • SHA256:  ec17568c233a62a0d6460b2234b818d91354de9b48005dcbc4454145a0f176c2
    • SHA512:  69c3ac1a9320749457d3ad5d8d71e0619097bc98977baf37eeebba1cb4247f1a46df92644ae3ce077e4b3f1cc96475f332534ddfb1e3829ff02787df36af66a9

    Signatures

    • Panda Stealer Payload

    • PandaStealer
      Panda Stealer is a fork of CollectorProject Stealer written in C++.

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Checks BIOS information in registry
      BIOS information is often read in order to detect sandboxing environments.

    • Reads user/profile data of web browsers
      Infostealers often target stored browser data, which can include saved credentials etc.

    • Themida packer
      Detects Themida, an advanced Windows software protection system.

    • Checks whether UAC is enabled

    • Suspicious use of NtSetInformationThreadHideFromDebugger

  Target 2

    • Target:  telegram_soft/telegram_soft.exe
    • Size:    68.6MB
    • MD5:     ee1154642153932ed0427aa0273f0edc
    • SHA1:    16b0a829d4e1ecaf04c8d7b4c2c7ba9fa40007f1
    • SHA256:  a1e2802eb55f371138e0e43d8062a3098ffff5058593fb566360971d49810e2e
    • SHA512:  16e3329d52dcbe3eccfae8f38efa5e8627defebfb700223524e2205b98056c71b34c31d23db8a98449f3d558337ad994702fe999a81e286eafb7ae75a4a059f7

    Signatures

    • Panda Stealer Payload

    • PandaStealer
      Panda Stealer is a fork of CollectorProject Stealer written in C++.

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Executes dropped EXE

    • Checks BIOS information in registry
      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings
      Looks up the country code configured in the registry, likely for geofencing.

    • Loads dropped DLL

    • Themida packer
      Detects Themida, an advanced Windows software protection system.

    • Checks whether UAC is enabled

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic             Technique                        Count  ID
  Defense Evasion    Virtualization/Sandbox Evasion       2  T1497
  Credential Access  Credentials in Files                 1  T1081
  Discovery          Query Registry                       7  T1012
  Discovery          Virtualization/Sandbox Evasion       2  T1497
  Discovery          System Information Discovery         8  T1082
  Discovery          Peripheral Device Discovery          1  T1120
  Collection         Data from Local System               1  T1005

Tasks