Analysis
max time kernel: 142s
max time network: 136s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64 arch:x86 image:win7-20231215-en locale:en-us os:windows7-x64 system
submitted: 25-12-2023 14:28
Behavioral task: behavioral1
Sample: 259ba80f7c7037230b07879101b44b8f.exe
Resource: win7-20231215-en

Behavioral task: behavioral2
Sample: 259ba80f7c7037230b07879101b44b8f.exe
Resource: win10v2004-20231215-en
General
Target: 259ba80f7c7037230b07879101b44b8f.exe
Size: 2.9MB
MD5: 259ba80f7c7037230b07879101b44b8f
SHA1: 60863c8b196812a25a3b2d7e250eea68b9651f52
SHA256: 54904014efdf534953531361ed0aa643ea2d40123aa3afa6e64f22f01e764d1a
SHA512: c451af4b9ebfdca65ce61c6f7b88fabc8077b24412470affbd22d3571caf2720e40d2b129e8c204ceb336390276f4ede4bea0cdcccb2dd9ceb49ccc8eadbce75
SSDEEP: 49152:jP1EgdM40+5ESYQlQuYCo974yluQ3nCyaXyYRq46u2xRypnfdeVwe:tM4v1TU74yMQ3CQ6q46DRypfdeV5
Malware Config
Extracted
pandastealer
�1~o���k�}�����!>ڋ$����
http://�}�����!>ڋ$����
Extracted
pandastealer
1.11
http://a0565396.xsph.ru
Signatures

Panda Stealer payload  8 IoCs
Processes:
resource                                                                      yara_rule
behavioral1/memory/2332-3-0x0000000000240000-0x0000000000999000-memory.dmp   family_pandastealer
behavioral1/memory/2332-4-0x0000000000240000-0x0000000000999000-memory.dmp   family_pandastealer
behavioral1/memory/2332-5-0x0000000000240000-0x0000000000999000-memory.dmp   family_pandastealer
behavioral1/memory/2332-6-0x0000000000240000-0x0000000000999000-memory.dmp   family_pandastealer
behavioral1/memory/2332-7-0x0000000000240000-0x0000000000999000-memory.dmp   family_pandastealer
behavioral1/memory/2332-8-0x0000000000240000-0x0000000000999000-memory.dmp   family_pandastealer
behavioral1/memory/2332-9-0x0000000000240000-0x0000000000999000-memory.dmp   family_pandastealer
behavioral1/memory/2332-10-0x0000000000240000-0x0000000000999000-memory.dmp  family_pandastealer
PandaStealer
Panda Stealer is a fork of CollectorProject Stealer written in C++.
Identifies VirtualBox via ACPI registry values (likely anti-VM)  2 TTPs  1 IoCs
Processes: 259ba80f7c7037230b07879101b44b8f.exe
description   ioc                                            process
Key opened    \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__    259ba80f7c7037230b07879101b44b8f.exe
Checks BIOS information in registry  2 TTPs  2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes: 259ba80f7c7037230b07879101b44b8f.exe
description         ioc                                                               process
Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion   259ba80f7c7037230b07879101b44b8f.exe
Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion    259ba80f7c7037230b07879101b44b8f.exe
Processes:
resource                                                                      yara_rule
behavioral1/memory/2332-0-0x0000000000240000-0x0000000000999000-memory.dmp   themida
behavioral1/memory/2332-2-0x0000000000240000-0x0000000000999000-memory.dmp   themida
behavioral1/memory/2332-3-0x0000000000240000-0x0000000000999000-memory.dmp   themida
behavioral1/memory/2332-4-0x0000000000240000-0x0000000000999000-memory.dmp   themida
behavioral1/memory/2332-5-0x0000000000240000-0x0000000000999000-memory.dmp   themida
behavioral1/memory/2332-6-0x0000000000240000-0x0000000000999000-memory.dmp   themida
behavioral1/memory/2332-7-0x0000000000240000-0x0000000000999000-memory.dmp   themida
behavioral1/memory/2332-8-0x0000000000240000-0x0000000000999000-memory.dmp   themida
behavioral1/memory/2332-9-0x0000000000240000-0x0000000000999000-memory.dmp   themida
behavioral1/memory/2332-10-0x0000000000240000-0x0000000000999000-memory.dmp  themida
Checks whether UAC is enabled
Processes: 259ba80f7c7037230b07879101b44b8f.exe
description         ioc                                                                                   process
Key value queried   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA   259ba80f7c7037230b07879101b44b8f.exe
Suspicious use of NtSetInformationThreadHideFromDebugger  1 IoCs
Processes: 259ba80f7c7037230b07879101b44b8f.exe
pid    process
2332   259ba80f7c7037230b07879101b44b8f.exe
Program crash  1 IoCs
Processes: WerFault.exe
pid    pid_target   process        target process
2300   2332         WerFault.exe   259ba80f7c7037230b07879101b44b8f.exe
Suspicious use of WriteProcessMemory  4 IoCs
Processes: 259ba80f7c7037230b07879101b44b8f.exe
description                      pid    process                                 target process
PID 2332 wrote to memory of 2300  2332   259ba80f7c7037230b07879101b44b8f.exe   WerFault.exe
PID 2332 wrote to memory of 2300  2332   259ba80f7c7037230b07879101b44b8f.exe   WerFault.exe
PID 2332 wrote to memory of 2300  2332   259ba80f7c7037230b07879101b44b8f.exe   WerFault.exe
PID 2332 wrote to memory of 2300  2332   259ba80f7c7037230b07879101b44b8f.exe   WerFault.exe
Processes

C:\Users\Admin\AppData\Local\Temp\259ba80f7c7037230b07879101b44b8f.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\259ba80f7c7037230b07879101b44b8f.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2332 -s 172
    - Program crash
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
file                                                           Filesize
memory/2332-0-0x0000000000240000-0x0000000000999000-memory.dmp   7.3MB
memory/2332-1-0x0000000077850000-0x0000000077852000-memory.dmp   8KB
memory/2332-2-0x0000000000240000-0x0000000000999000-memory.dmp   7.3MB
memory/2332-3-0x0000000000240000-0x0000000000999000-memory.dmp   7.3MB
memory/2332-4-0x0000000000240000-0x0000000000999000-memory.dmp   7.3MB
memory/2332-5-0x0000000000240000-0x0000000000999000-memory.dmp   7.3MB
memory/2332-6-0x0000000000240000-0x0000000000999000-memory.dmp   7.3MB
memory/2332-7-0x0000000000240000-0x0000000000999000-memory.dmp   7.3MB
memory/2332-8-0x0000000000240000-0x0000000000999000-memory.dmp   7.3MB
memory/2332-9-0x0000000000240000-0x0000000000999000-memory.dmp   7.3MB
memory/2332-10-0x0000000000240000-0x0000000000999000-memory.dmp  7.3MB