Analysis

  • max time kernel
    62s
  • max time network
    129s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    17/04/2022, 14:24 UTC

General

  • Target

    5f6c2b356ec142dad0c964aab5527e7f1040554ffcd3f6f143a8e35c31a088e3.exe

  • Size

    799KB

  • MD5

    9253c5f51186dc128a7187440cfd2b3f

  • SHA1

    9fc815826ef4a99920b40a504603be1947506cd3

  • SHA256

    5f6c2b356ec142dad0c964aab5527e7f1040554ffcd3f6f143a8e35c31a088e3

  • SHA512

    6a575dd843babdb1690047c5f16593626c6a5dcdbf030aed18798fe60a1e3772349b4a202a89134e7dcc6b39236e19a67fd82a279c9ce8e09f88f090acabc6ba

Malware Config

Signatures

  • Panda Stealer Payload 5 IoCs
  • PandaStealer

    Panda Stealer is a fork of CollectorProject Stealer written in C++. The domain queried in the Network section below, cocojambo.collector-steal.ga, is consistent with that lineage.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers commonly read stored browser data: saved credentials, cookies, autofill entries and session tokens.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). The sandbox's generic note calls this likely ransomware behaviour, but it equally fits an infostealer enumerating drives for files to collect; on its own it does not indicate encryption activity.

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
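The "Reads user/profile data of web browsers" signature above is the one that matters most for an infostealer. The following is an added example of how that behaviour is caught in host telemetry; it is not tria.ge's signature code. It assumes Sysmon/EDR-style file-read events with a process image and target path, and the event records below are constructed to mirror this report's process names. The store paths are the standard Chrome, Edge and Firefox locations; which ones to cover is this example's own choice.

```python
"""Flag non-browser processes reading browser credential/cookie stores.

Added example (not tria.ge's logic). Events are constructed; the path list
is an assumption about what a detection should cover.
"""
import fnmatch
import ntpath
from dataclasses import dataclass

# Well-known credential/cookie stores as case-insensitive glob patterns.
BROWSER_STORE_PATTERNS = [
    r"*\appdata\local\google\chrome\user data\*\login data",
    r"*\appdata\local\google\chrome\user data\*\cookies",
    r"*\appdata\local\google\chrome\user data\*\network\cookies",
    r"*\appdata\local\google\chrome\user data\local state",
    r"*\appdata\local\microsoft\edge\user data\*\login data",
    r"*\appdata\roaming\mozilla\firefox\profiles\*\logins.json",
    r"*\appdata\roaming\mozilla\firefox\profiles\*\key4.db",
    r"*\appdata\roaming\mozilla\firefox\profiles\*\cookies.sqlite",
]

# Image names that legitimately open these files.
BROWSER_IMAGES = {"chrome.exe", "msedge.exe", "firefox.exe"}


@dataclass(frozen=True)
class FileEvent:
    pid: int
    image: str    # full path of the process image
    target: str   # file being opened/read


def is_browser_store(path):
    """True if the path matches one of the known credential/cookie stores."""
    p = path.lower()
    return any(fnmatch.fnmatchcase(p, pat) for pat in BROWSER_STORE_PATTERNS)


def find_credential_access(events):
    """Return (pid, image, target) for each store read by a process whose
    image name is not one of the browsers themselves."""
    hits = []
    for ev in events:
        if not is_browser_store(ev.target):
            continue
        if ntpath.basename(ev.image).lower() in BROWSER_IMAGES:
            continue
        hits.append((ev.pid, ev.image, ev.target))
    return hits


# Constructed sample: the report's final-stage binary (PID 1708) touching
# Chrome and Firefox stores, a benign Chrome read, and an unrelated read.
SAMPLE_EVENTS = [
    FileEvent(1708, r"C:\Users\Admin\AppData\Roaming\1642039920_MT.exe",
              r"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    FileEvent(1708, r"C:\Users\Admin\AppData\Roaming\1642039920_MT.exe",
              r"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\abcd1234.default\logins.json"),
    FileEvent(4242, r"C:\Program Files\Google\Chrome\Application\chrome.exe",
              r"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    FileEvent(960, r"C:\Users\Admin\AppData\Roaming\lf2020.exe",
              r"C:\Users\Admin\AppData\Roaming\load.bat"),
]

if __name__ == "__main__":
    for hit in find_credential_access(SAMPLE_EVENTS):
        print("browser store read by non-browser process:", hit)
```

The exclusion on image name is deliberately crude; a real rule should also check the signer or the image path, since a stealer can name itself chrome.exe.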

Processes

  • C:\Users\Admin\AppData\Local\Temp\5f6c2b356ec142dad0c964aab5527e7f1040554ffcd3f6f143a8e35c31a088e3.exe
    "C:\Users\Admin\AppData\Local\Temp\5f6c2b356ec142dad0c964aab5527e7f1040554ffcd3f6f143a8e35c31a088e3.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1880
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Roaming\load.bat" "
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:272
      • C:\Users\Admin\AppData\Roaming\lf2020.exe
        lf2020.exe -password -dC:\Users\Admin\AppData\Roaming
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:960
        • C:\Users\Admin\AppData\Roaming\1642039920_MT.exe
          "C:\Users\Admin\AppData\Roaming\1642039920_MT.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          PID:1708
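The process tree above is a four-stage drop chain: the submitted sample writes load.bat and lf2020.exe to %AppData%\Roaming, cmd.exe runs the batch file, lf2020.exe is invoked with -password and -d<dir> switches and unpacks 1642039920_MT.exe, which then runs. The following is an added example of reconstructing that chain from process-creation events and flagging each stage; it is not tria.ge's signature code. The events are constructed from the PIDs, images and command lines shown in the tree; the root's parent (explorer.exe, PID 1000) is an assumption, since the report does not show it, and reading -password/-d<dir> as self-extractor switches is this example's interpretation.

```python
"""Rebuild a process tree from creation events and flag a staged
drop-and-execute chain. Added example, not tria.ge's own logic."""
import ntpath
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str     # full path of the executable
    cmdline: str


# Directories a standard user can write to; payloads staged here are suspect.
USER_WRITABLE = re.compile(r"\\appdata\\(roaming|local(low)?)\\|\\temp\\|\\downloads\\", re.I)
# cmd /c "<script>.bat" (tolerates the doubled quotes seen in the report)
SCRIPT_VIA_CMD = re.compile(r'cmd(\.exe)?\s+/c\s+"*([^"]+\.(bat|cmd))', re.I)
# "-password ... -d<dir>": self-extractor style switches (assumption)
SFX_STYLE = re.compile(r"\s-password\b.*\s-d[A-Za-z]:\\", re.I)


def classify(ev, by_pid):
    """Return the suspicious traits of one process event."""
    tags = []
    parent = by_pid.get(ev.ppid)
    image_name = ntpath.basename(ev.image).lower()
    m = SCRIPT_VIA_CMD.search(ev.cmdline)
    if image_name == "cmd.exe" and m and USER_WRITABLE.search(m.group(2)):
        tags.append("cmd.exe runs batch file from user-writable directory")
    if image_name.endswith(".exe") and USER_WRITABLE.search(ev.image) and parent:
        if USER_WRITABLE.search(parent.image):
            tags.append("dropped exe launched by another exe in user-writable directory")
        elif ntpath.basename(parent.image).lower() == "cmd.exe":
            tags.append("dropped exe launched by cmd.exe")
    if SFX_STYLE.search(ev.cmdline):
        tags.append("self-extractor style switches (-password/-d<dir>)")
    return tags


def lineage(pid, by_pid):
    """Walk parent links from pid to the oldest known ancestor, root first."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(pid)
        pid = by_pid[pid].ppid
    return chain[::-1]


def analyse(events):
    """Map each flagged PID to (lineage, tags)."""
    by_pid = {e.pid: e for e in events}
    findings = {}
    for e in events:
        tags = classify(e, by_pid)
        if tags:
            findings[e.pid] = (lineage(e.pid, by_pid), tags)
    return findings


ROAMING = r"C:\Users\Admin\AppData\Roaming"
ROOT_EXE = (r"C:\Users\Admin\AppData\Local\Temp"
            r"\5f6c2b356ec142dad0c964aab5527e7f1040554ffcd3f6f143a8e35c31a088e3.exe")

# Constructed from the report's tree; PID 1000 (explorer.exe) is assumed.
SAMPLE_EVENTS = [
    ProcEvent(1000, 4, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(1880, 1000, ROOT_EXE, f'"{ROOT_EXE}"'),
    ProcEvent(272, 1880, r"C:\Windows\SysWOW64\cmd.exe",
              f'cmd /c ""{ROAMING}\\load.bat" "'),
    ProcEvent(960, 272, ROAMING + r"\lf2020.exe",
              f"lf2020.exe -password -d{ROAMING}"),
    ProcEvent(1708, 960, ROAMING + r"\1642039920_MT.exe",
              f'"{ROAMING}\\1642039920_MT.exe"'),
]

if __name__ == "__main__":
    for pid, (chain, tags) in analyse(SAMPLE_EVENTS).items():
        print(pid, " -> ".join(map(str, chain)), tags)
```

The root sample itself is not flagged (a Temp-resident exe started by the shell is how every submitted file looks); the signal comes from the three descendants, which is why the lineage is reported alongside each hit.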

Network

  • flag-us
    DNS
    upaste.me
    1642039920_MT.exe
    Remote address:
    8.8.8.8:53
    Request
    upaste.me
    IN A
    Response
    upaste.me
    IN A
    104.21.68.191
    upaste.me
    IN A
    172.67.198.9
  • flag-us
    GET
    http://upaste.me/r/4040523075fb98d9f
    1642039920_MT.exe
    Remote address:
    104.21.68.191:80
    Request
    GET /r/4040523075fb98d9f HTTP/1.1
    User-Agent: KBDPP
    Host: upaste.me
    Connection: Keep-Alive
    Response
    HTTP/1.1 301 Moved Permanently
    Date: Sun, 17 Apr 2022 14:25:03 GMT
    Transfer-Encoding: chunked
    Connection: keep-alive
    Cache-Control: max-age=3600
    Expires: Sun, 17 Apr 2022 15:25:03 GMT
    Location: https://upaste.me/r/4040523075fb98d9f
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=qjtWfa4oKsbgpetCDICBnOzQBitCbvJQrpdJ5v6XpuU5pk2yKdgDpXMjMCtAJTCOmJ8zWSwk9UnHzqzWoifQamkknnoGWwd9LmGHel3aqE7BYmAoNLkYWp2jmKI%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 6fd5d3ec6b6b2e08-BRU
    alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400
  • flag-us
    GET
    https://upaste.me/r/4040523075fb98d9f
    1642039920_MT.exe
    Remote address:
    104.21.68.191:443
    Request
    GET /r/4040523075fb98d9f HTTP/1.1
    User-Agent: KBDPP
    Connection: Keep-Alive
    Host: upaste.me
    Response
    HTTP/1.1 404 Not Found
    Date: Sun, 17 Apr 2022 14:25:17 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Vary: Accept-Encoding
    Set-Cookie: PHPSESSID=bh7gd951s1invsh4pvg623hobl; path=/
    Cache-Control: no-store, no-cache, must-revalidate
    Pragma: no-cache
    Expires: Sun, 24 April 2022 14:25:17 UTC
    Last-Modified: Tue, 7 September 2021 17:47:48
    Location: /maintenance
    CF-Cache-Status: DYNAMIC
    Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=s2NeQoLxNQOAwmX70YnXedMN1mcWVE3tRRrx5zUFAxGnyD0cM7QX3c96%2B5pLYgSb46V3yRQ7dVfcIgp7ko4hkfz5uTeyVaLoj%2FKs9tvKUmq0q8HLVdRTr0YxbEc%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 6fd5d4440d652e08-BRU
    alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400
  • flag-us
    DNS
    cocojambo.collector-steal.ga
    1642039920_MT.exe
    Remote address:
    8.8.8.8:53
    Request
    cocojambo.collector-steal.ga
    IN A
    Response (no A record returned)
  • 104.21.68.191:80
    http://upaste.me/r/4040523075fb98d9f
    Protocol: http
    Process: 1642039920_MT.exe
    Bytes sent / received: 333 B / 1.5kB
    Packets sent / received: 5 / 4

    HTTP Request

    GET http://upaste.me/r/4040523075fb98d9f

    HTTP Response

    301
  • 104.21.68.191:443
    https://upaste.me/r/4040523075fb98d9f
    Protocol: tls, http
    Process: 1642039920_MT.exe
    Bytes sent / received: 774 B / 4.4kB
    Packets sent / received: 8 / 10

    HTTP Request

    GET https://upaste.me/r/4040523075fb98d9f

    HTTP Response

    404
  • 8.8.8.8:53
    upaste.me
    Protocol: dns
    Process: 1642039920_MT.exe
    Bytes sent / received: 55 B / 87 B
    Packets sent / received: 1 / 1

    DNS Request

    upaste.me

    DNS Response

    104.21.68.191
    172.67.198.9

  • 8.8.8.8:53
    cocojambo.collector-steal.ga
    Protocol: dns
    Process: 1642039920_MT.exe
    Bytes sent / received: 74 B / 74 B
    Packets sent / received: 1 / 1

    DNS Request

    cocojambo.collector-steal.ga
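The network capture above shows the final stage fetching a paste on upaste.me with a non-browser User-Agent (KBDPP), being redirected from HTTP to HTTPS, receiving a 404 with Location: /maintenance, and then querying cocojambo.collector-steal.ga, for which no A record came back. The following is an added example of triaging such a capture programmatically; it is not tria.ge's code. The raw messages are transcribed from the report (headers trimmed); the dead-drop host list and the browser User-Agent prefixes are this example's own assumptions.

```python
"""Parse captured HTTP messages and DNS results and report the indicators
that matter for a dead-drop resolver fetch. Added example, not tria.ge's."""
from urllib.parse import urlsplit


def parse_http(raw):
    """Split an HTTP/1.1 message into (start line, {header: value}).
    Header names are lower-cased; any body after the blank line is ignored."""
    head = raw.replace("\r\n", "\n").strip("\n").split("\n\n", 1)[0]
    lines = head.split("\n")
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return lines[0].strip(), headers


# Paste hosts used as dead-drop resolvers (assumption for this example).
DEAD_DROP_HOSTS = {"upaste.me", "pastebin.com", "paste.ee"}
# Prefixes of User-Agents a real client would present (assumption).
BROWSER_UA_PREFIXES = ("Mozilla/", "Opera/", "curl/", "Wget/")


def assess(exchanges, dns):
    """exchanges: [(url, raw_request, raw_response)]; dns: {name: [ips]}.
    Returns human-readable findings."""
    findings = []
    for url, req_raw, resp_raw in exchanges:
        host = urlsplit(url).hostname
        req_line, req_h = parse_http(req_raw)
        status_line, resp_h = parse_http(resp_raw)
        status = int(status_line.split()[1])
        path = req_line.split()[1]
        ua = req_h.get("user-agent", "")
        if not ua.startswith(BROWSER_UA_PREFIXES):
            findings.append(f"non-browser User-Agent {ua!r} to {host}")
        if host in DEAD_DROP_HOSTS:
            findings.append(f"dead-drop resolver fetch {path} on {host} -> {status}")
            if status == 404:
                findings.append(f"{host}: paste page gone (404, Location: {resp_h.get('location', '-')})")
        location = resp_h.get("location", "")
        if status in (301, 302, 307, 308) and url.startswith("http://") and location.startswith("https://"):
            findings.append(f"{host}: plain-HTTP request redirected to {location}")
    for name, ips in dns.items():
        if not ips:
            findings.append(f"DNS: no A record returned for {name}")
    return findings


# Transcribed from the report above, headers trimmed.
REQ_HTTP = """GET /r/4040523075fb98d9f HTTP/1.1
User-Agent: KBDPP
Host: upaste.me
Connection: Keep-Alive
"""
RESP_HTTP = """HTTP/1.1 301 Moved Permanently
Date: Sun, 17 Apr 2022 14:25:03 GMT
Location: https://upaste.me/r/4040523075fb98d9f
Server: cloudflare
"""
REQ_HTTPS = """GET /r/4040523075fb98d9f HTTP/1.1
User-Agent: KBDPP
Connection: Keep-Alive
Host: upaste.me
"""
RESP_HTTPS = """HTTP/1.1 404 Not Found
Date: Sun, 17 Apr 2022 14:25:17 GMT
Content-Type: text/html; charset=UTF-8
Location: /maintenance
Server: cloudflare
"""
EXCHANGES = [
    ("http://upaste.me/r/4040523075fb98d9f", REQ_HTTP, RESP_HTTP),
    ("https://upaste.me/r/4040523075fb98d9f", REQ_HTTPS, RESP_HTTPS),
]
DNS = {"upaste.me": ["104.21.68.191", "172.67.198.9"],
       "cocojambo.collector-steal.ga": []}

if __name__ == "__main__":
    for f in assess(EXCHANGES, DNS):
        print(f)
```

For network detection the cheap, high-precision signal here is the literal User-Agent string KBDPP; the paste URL and the C2 domain are useful as blocklist entries but are the parts an operator rotates first.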

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Roaming\1642039920_MT.exe

    Filesize

    655KB

    MD5

    ef2170ccb225c935e33690c0412b5573

    SHA1

    ac3ee92aaea356f9a70c6d167ac08e00dd0a7aad

    SHA256

    939572b13c1805516ee3ffb0f76c147324037a260cdc672317ac7af67bd459a2

    SHA512

    af9b39f67fd2f1a0b0e5668dd444bbe9eb0848ca64b6c33a0e88ac43669f67f228772dc8726ad3ff5a15afc1ec77c0b9b9af550c4b1813d53f0b96a1fe560f88

  • C:\Users\Admin\AppData\Roaming\lf2020.exe

    Filesize

    610KB

    MD5

    858d997329a6f796d201b6e1b048d2d6

    SHA1

    9b41213b72c6868ef9873b0985dd9dd9e17d041d

    SHA256

    5946c40881fc9492f0cd910423cd26cd7eefd21599d91356858bc25fc55e2b47

    SHA512

    c48a553e14596b6a38ae213bc45a2334c5f947dab05cfc5375b0a71083e99fbeb60df3924d5c151efd242408187396ccc5a1c68dabb8056dbd2ef856cfcc362a

  • C:\Users\Admin\AppData\Roaming\load.bat

    Filesize

    43B

    MD5

    94ed6467cd5bf952dfa0c72a4a48268c

    SHA1

    4d2d1b0072a95e3cb01fe7408a5aeb1023210c5d

    SHA256

    4a5f631da42d3ea46dcfb71351b55e0cf716a1c9704f48c0f3a83aa10e26715b

    SHA512

    0b934f5a249790a41c53d5385f7c9af2fce844acb6c89c1709906658858f1c91d93e11b9c303ee24134cfaf6373dee29950409e58c94655114714e054861177b

  • \Users\Admin\AppData\Roaming\1642039920_MT.exe

    Filesize

    655KB

    MD5

    ef2170ccb225c935e33690c0412b5573

    SHA1

    ac3ee92aaea356f9a70c6d167ac08e00dd0a7aad

    SHA256

    939572b13c1805516ee3ffb0f76c147324037a260cdc672317ac7af67bd459a2

    SHA512

    af9b39f67fd2f1a0b0e5668dd444bbe9eb0848ca64b6c33a0e88ac43669f67f228772dc8726ad3ff5a15afc1ec77c0b9b9af550c4b1813d53f0b96a1fe560f88

  • \Users\Admin\AppData\Roaming\lf2020.exe

    Filesize

    610KB

    MD5

    858d997329a6f796d201b6e1b048d2d6

    SHA1

    9b41213b72c6868ef9873b0985dd9dd9e17d041d

    SHA256

    5946c40881fc9492f0cd910423cd26cd7eefd21599d91356858bc25fc55e2b47

    SHA512

    c48a553e14596b6a38ae213bc45a2334c5f947dab05cfc5375b0a71083e99fbeb60df3924d5c151efd242408187396ccc5a1c68dabb8056dbd2ef856cfcc362a

  • memory/1880-54-0x00000000755A1000-0x00000000755A3000-memory.dmp

    Filesize

    8KB
