Analysis
-
max time kernel
149s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20220414-en -
submitted
18-04-2022 09:19
Static task
static1
Behavioral task
behavioral1
Sample
a605976f5e046096af71c8fbdc2fb494b8b0af7017d7e1e54ca2d542492d1c4b.exe
Resource
win7-20220414-en
Behavioral task
behavioral2
Sample
a605976f5e046096af71c8fbdc2fb494b8b0af7017d7e1e54ca2d542492d1c4b.exe
Resource
win10v2004-20220414-en
General
-
Target
a605976f5e046096af71c8fbdc2fb494b8b0af7017d7e1e54ca2d542492d1c4b.exe
-
Size
1.6MB
-
MD5
04a783a64f41dad6086b9d88110dec8e
-
SHA1
8e01e6682475c62ae4ba56456002ff974598eeda
-
SHA256
a605976f5e046096af71c8fbdc2fb494b8b0af7017d7e1e54ca2d542492d1c4b
-
SHA512
6e6f1ae4c47919cf701ae3312286a45a680ad1c11f4239a0de6c8698fd74d20ae48b5fa4d2c7ccb2523d53e5427b1ea34976ef6081bf142ab75ebb1a9e6074b2
Malware Config
Signatures
-
Panda Stealer Payload 1 IoCs
Processes:
resource yara_rule behavioral2/memory/3828-131-0x0000000000330000-0x0000000000716000-memory.dmp family_pandastealer -
PandaStealer
Panda Stealer is a fork of CollectorProject Stealer written in C++.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
a605976f5e046096af71c8fbdc2fb494b8b0af7017d7e1e54ca2d542492d1c4b.exedescription ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion a605976f5e046096af71c8fbdc2fb494b8b0af7017d7e1e54ca2d542492d1c4b.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion a605976f5e046096af71c8fbdc2fb494b8b0af7017d7e1e54ca2d542492d1c4b.exe -
Identifies Wine through registry keys 2 TTPs 1 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
Processes:
a605976f5e046096af71c8fbdc2fb494b8b0af7017d7e1e54ca2d542492d1c4b.exedescription ioc Process Key opened \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Wine a605976f5e046096af71c8fbdc2fb494b8b0af7017d7e1e54ca2d542492d1c4b.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Processes:
a605976f5e046096af71c8fbdc2fb494b8b0af7017d7e1e54ca2d542492d1c4b.exedescription ioc Process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA a605976f5e046096af71c8fbdc2fb494b8b0af7017d7e1e54ca2d542492d1c4b.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
Processes:
a605976f5e046096af71c8fbdc2fb494b8b0af7017d7e1e54ca2d542492d1c4b.exepid Process 3828 a605976f5e046096af71c8fbdc2fb494b8b0af7017d7e1e54ca2d542492d1c4b.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
a605976f5e046096af71c8fbdc2fb494b8b0af7017d7e1e54ca2d542492d1c4b.exepid Process 3828 a605976f5e046096af71c8fbdc2fb494b8b0af7017d7e1e54ca2d542492d1c4b.exe 3828 a605976f5e046096af71c8fbdc2fb494b8b0af7017d7e1e54ca2d542492d1c4b.exe 3828 a605976f5e046096af71c8fbdc2fb494b8b0af7017d7e1e54ca2d542492d1c4b.exe 3828 a605976f5e046096af71c8fbdc2fb494b8b0af7017d7e1e54ca2d542492d1c4b.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\a605976f5e046096af71c8fbdc2fb494b8b0af7017d7e1e54ca2d542492d1c4b.exe"C:\Users\Admin\AppData\Local\Temp\a605976f5e046096af71c8fbdc2fb494b8b0af7017d7e1e54ca2d542492d1c4b.exe"1⤵
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:3828