Overview

overview

10

Static

static

1

67bb394e3f...68.exe

windows7-x64

10

67bb394e3f...68.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    181s
  • max time network
    187s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    26-12-2023 10:35

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    67bb394e3f08886c8efcbb095326e668.exe

  • Size

    1016KB

  • MD5

    67bb394e3f08886c8efcbb095326e668

  • SHA1

    985f91f46a51a1aba14fe54eff745c1297c95059

  • SHA256

    f98599fb97f7bf78335f2be4b6e1d702dc2f2a5d3ae6ed3e5241d76f7d7a916d

  • SHA512

    02810c59a1b13fb42dc08ab4f742866e53ef0f67af3e4c5dffb7726aa348552eb324dee0bf317b24b9725af12d69b1d6e5509f293f0e8150bc2eddf934c21d18

  • SSDEEP

    24576:KqzOi5P5H/PPt06BU2YjaRYHIV+s/mjlZ:KqzOKR3y6u2BWk+ZjlZ

Score
10/10
pandastealershurkagilenetinfostealerstealer

Malware Config

Signatures

  • Panda Stealer payload 4 IoCs
  • PandaStealer

    Panda Stealer is a fork of CollectorProject Stealer written in C++.

    stealerpandastealer
  • Shurk

    Shurk is an infostealer, written in C++ which appeared in 2021.

    infostealershurk
  • Shurk Stealer payload 4 IoCs
  • Obfuscated with Agile.Net obfuscator 1 IoCs

    Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

    agilenet
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\67bb394e3f08886c8efcbb095326e668.exe
    "C:\Users\Admin\AppData\Local\Temp\67bb394e3f08886c8efcbb095326e668.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2832
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:2576

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/2576-4-0x0000000000400000-0x0000000000481000-memory.dmp

    Filesize

    516KB

    Download

  • memory/2576-6-0x0000000000400000-0x0000000000481000-memory.dmp

    Filesize

    516KB

    Download

  • memory/2576-8-0x0000000000400000-0x0000000000481000-memory.dmp

    Filesize

    516KB

    Download

  • memory/2576-16-0x0000000000400000-0x0000000000481000-memory.dmp

    Filesize

    516KB

    Download

  • memory/2832-0-0x0000000000A20000-0x0000000000B22000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/2832-1-0x0000000074190000-0x000000007487E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2832-2-0x00000000004D0000-0x0000000000510000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2832-3-0x0000000001F30000-0x0000000001F40000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2832-7-0x0000000074190000-0x000000007487E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2832-9-0x0000000074190000-0x000000007487E000-memory.dmp

    Filesize

    6.9MB

    Download