Overview

overview

10

Static

static

3

Setup app.exe

windows7-x64

10

Setup app.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    232s
  • max time network
    128s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
  • submitted
    19-06-2023 18:58

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Setup app.exe

  • Size

    8.5MB

  • MD5

    3d1b6eebe4f703befa68842a2d0e9cb4

  • SHA1

    df688e6cf11742bf8f6a65dee4bd52758f33660d

  • SHA256

    ef9c84f01fb46f8ffc7829abc2b0de296fc2dc8ff93eee949c5f2171092b70da

  • SHA512

    8d4844ee5de6e01336f9a67e64efd10ee305173a54dbf945a41fc5e0d71e6195b70127c9345069cdd816f07aa78021da2bfa3049f15831b07888844e50f4fd9c

  • SSDEEP

    196608:35OllhOTapKB1erCbptqBYHvTYTVHJack+YlGlSRRbCvY:35WlhOTapG1erqpICHvTMacJYlTFP

Score
10/10
pandastealerstealer

Malware Config

Signatures

  • Panda Stealer payload 3 IoCs
  • PandaStealer

    Panda Stealer is a fork of CollectorProject Stealer written in C++.

    stealerpandastealer
  • Downloads MZ/PE file
  • Executes dropped EXE 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 40 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Setup app.exe
    "C:\Users\Admin\AppData\Local\Temp\Setup app.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1368
    • C:\Users\Admin\AppData\Local\Temp\jre\bin\javaw.exe
      "C:\Users\Admin\AppData\Local\Temp\jre\bin\javaw.exe" -Dfile.encoding=UTF-8 -classpath "C:\Users\Admin\AppData\Local\Temp\Setup app.exe" org.develnext.jphp.ext.javafx.FXLauncher
      2⤵
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2040
      • C:\Windows\SysWOW64\explorer.exe
        explorer C:\Users\Admin\AppData\Local\Temp\Service64.exe
        3⤵
          PID:520
    • C:\Windows\explorer.exe
      C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:764
      • C:\Users\Admin\AppData\Local\Temp\Service64.exe
        "C:\Users\Admin\AppData\Local\Temp\Service64.exe"
        2⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:612
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
          3⤵
            PID:1968
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
            3⤵
              PID:300

        Network

        MITRE ATT&CK Matrix

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\Service64.exe
          Filesize

          1.5MB

          MD5

          c845efe0b7345f8a3bcfa5f7a5681b9b

          SHA1

          f603aa58a11dc002161180b401e998ee7c2794ff

          SHA256

          cb058d57e98615b394f8cdf007049b606781570cf7647b32cb7d100c651146d4

          SHA512

          ac2478188aa2b57a147a38a0c344c9e3112b89a85d92750de61c267668ee9e6e3e208572456939c70559087d7fb32a8a199471f7a2a0d599b2cd83b9dd7f57dc

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\Service64.exe
          Filesize

          1.5MB

          MD5

          c845efe0b7345f8a3bcfa5f7a5681b9b

          SHA1

          f603aa58a11dc002161180b401e998ee7c2794ff

          SHA256

          cb058d57e98615b394f8cdf007049b606781570cf7647b32cb7d100c651146d4

          SHA512

          ac2478188aa2b57a147a38a0c344c9e3112b89a85d92750de61c267668ee9e6e3e208572456939c70559087d7fb32a8a199471f7a2a0d599b2cd83b9dd7f57dc

          Download Submit

        • memory/300-223-0x0000000000400000-0x00000000004A3000-memory.dmp

          Filesize

          652KB

          Download

        • memory/300-222-0x0000000000400000-0x00000000004A3000-memory.dmp

          Filesize

          652KB

          Download

        • memory/300-220-0x0000000000400000-0x00000000004A3000-memory.dmp

          Filesize

          652KB

          Download

        • memory/1368-54-0x0000000000400000-0x0000000000415000-memory.dmp

          Filesize

          84KB

          Download

        • memory/2040-157-0x00000000002F0000-0x00000000002F1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2040-170-0x00000000002F0000-0x00000000002F1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2040-128-0x00000000002F0000-0x00000000002F1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2040-130-0x00000000002F0000-0x00000000002F1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2040-131-0x0000000000320000-0x000000000032A000-memory.dmp

          Filesize

          40KB

          Download

        • memory/2040-132-0x0000000000320000-0x000000000032A000-memory.dmp

          Filesize

          40KB

          Download

        • memory/2040-133-0x0000000000320000-0x000000000032A000-memory.dmp

          Filesize

          40KB

          Download

        • memory/2040-134-0x0000000000320000-0x000000000032A000-memory.dmp

          Filesize

          40KB

          Download

        • memory/2040-122-0x00000000002F0000-0x00000000002F1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2040-160-0x0000000000320000-0x000000000032A000-memory.dmp

          Filesize

          40KB

          Download

        • memory/2040-161-0x00000000002F0000-0x00000000002F1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2040-124-0x00000000002F0000-0x00000000002F1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2040-187-0x00000000002F0000-0x00000000002F1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2040-190-0x0000000000320000-0x000000000032A000-memory.dmp

          Filesize

          40KB

          Download

        • memory/2040-191-0x0000000000320000-0x000000000032A000-memory.dmp

          Filesize

          40KB

          Download

        • memory/2040-208-0x00000000002F0000-0x00000000002F1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2040-209-0x00000000002F0000-0x00000000002F1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2040-121-0x00000000002F0000-0x00000000002F1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2040-119-0x0000000000320000-0x000000000032A000-memory.dmp

          Filesize

          40KB

          Download

        • memory/2040-118-0x0000000000320000-0x000000000032A000-memory.dmp

          Filesize

          40KB

          Download

        • memory/2040-117-0x0000000000320000-0x000000000032A000-memory.dmp

          Filesize

          40KB

          Download

        • memory/2040-84-0x00000000002F0000-0x00000000002F1000-memory.dmp

          Filesize

          4KB

          Download