Malware Analysis Report

2024-09-22 15:32

Sample ID: 231227-b83vxsghh5
Target: 9bdffeeb52015df1699b7b0f0aa03cf4
SHA256: 57ad383c47b6423e48e44f750afc38f4e837db3c62eb59e10743d241625259e2
Tags: pandastealer spyware stealer vmprotect
Score: 10/10

Analysis Overview

Score: 10/10

SHA256: 57ad383c47b6423e48e44f750afc38f4e837db3c62eb59e10743d241625259e2

Threat Level: Known bad

The file 9bdffeeb52015df1699b7b0f0aa03cf4 was found to be: Known bad.

Malicious Activity Summary

Tags: pandastealer spyware stealer vmprotect

PandaStealer

Panda Stealer payload

Executes dropped EXE

Reads user/profile data of web browsers

Loads dropped DLL

VMProtect packed file

Checks computer location settings

Suspicious use of NtSetInformationThreadHideFromDebugger

Enumerates physical storage devices

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported: 2023-12-27 01:49

Signatures

Unsigned PE

No description, indicator, process or target recorded (1 event).

Analysis: behavioral1

Detonation Overview

Submitted: 2023-12-27 01:49
Reported: 2024-01-07 10:12
Platform: win7-20231215-en
Max time kernel: 121s
Max time network: 122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9bdffeeb52015df1699b7b0f0aa03cf4.exe"

Signatures

Panda Stealer payload

No description, indicator, process or target recorded (3 events).

PandaStealer

Tags: stealer pandastealer

Executes dropped EXE

Process: C:\Users\Admin\AppData\Local\Temp\Furios.exe (no description, indicator or target recorded)

Reads user/profile data of web browsers

Tags: spyware stealer

VMProtect packed file

Tags: vmprotect

No description, indicator, process or target recorded (9 events).

Suspicious use of NtSetInformationThreadHideFromDebugger

Process: C:\Users\Admin\AppData\Local\Temp\Furios.exe (no description, indicator or target recorded)

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Process: C:\Users\Admin\AppData\Local\Temp\Furios.exe (2 events; no description, indicator or target recorded)

Processes

C:\Users\Admin\AppData\Local\Temp\9bdffeeb52015df1699b7b0f0aa03cf4.exe

"C:\Users\Admin\AppData\Local\Temp\9bdffeeb52015df1699b7b0f0aa03cf4.exe"

C:\Users\Admin\AppData\Local\Temp\Furios.exe

"C:\Users\Admin\AppData\Local\Temp\Furios.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 f0565988.xsph.ru udp
RU 141.8.197.42:80 f0565988.xsph.ru tcp

Files

\Users\Admin\AppData\Local\Temp\Furios.exe

MD5 cc774377c065cf2e1dd47d5bf5e3beb9
SHA1 f0850522ae46f3f8eb89ddabb3fa91b967c32aa0
SHA256 dc8008b18dd663ced8773efa2fc2ed98973e209e794ca0eb726a796a2077a749
SHA512 4321a9bdddc7a8813d6cdaab68e8b57fb5d403493b209a2ab243e84bdf2f4095368cd62f497208609ae5abe59e8387eca9d4e9186048baf11696052acf9fd324

\Users\Admin\AppData\Local\Temp\Furios.exe

MD5 4d19ab1484e98cb170e50f9bdc590cd6
SHA1 928768f326be44cd2ff9df19c05e947e622c3ec7
SHA256 bc7a11430594ef79f1e1ffef9d53ee903cfeffc5af57c40f716757611987c3af
SHA512 2e068a0faed45af936b7eca338d426d0ffa98046ac56459bd183c85dc2a6913dc245809701f1f7002e4ea944021f9e979141c401485962ee71cc2d59b1b2f3ac

C:\Users\Admin\AppData\Local\Temp\Furios.exe

MD5 ddd875cb5f990add95e0fdf4c6746020
SHA1 942ee8a43f51e0595e0943e0b101ce0b2010b915
SHA256 fb0aaad601b07844f94652f3af4e935be5c2ca515667c962ac623c0ee6076e0f
SHA512 829bb6ba8bd9016dea92907a688bd401e9aa6322adcd73e7c13796fbc9372ac7da3ae305b82f9edf03401649eb413767333500159766b39d1b328c3203013bfe

C:\Users\Admin\AppData\Local\Temp\Furios.exe

MD5 273caeb949b96b957221d3deec990c38
SHA1 8b510a227480f3f1d149817e82bc35ae5d064672
SHA256 9c4b9ae3df3c72bd3e3a4ad5b0b800e116ab4b0b1d0dd0bd33eb1b80daf1fe12
SHA512 87773afc9a503ffcccdeb80240c98f5e31c36aaa99e6c9ce5bb3d6ede14ab596d09557fe9e7edb549ece519b6eba1bedb0a1fbebb247fad23a89663d709105b1

C:\Users\Admin\AppData\Local\Temp\Furios.exe

MD5 872e9aea7b62b7235c3554468d7cf777
SHA1 d3eb44184a1b04d04b0f3f6404360419b73405a3
SHA256 f1b5f9ec19a904d22cd796f0e47547e9c408cf7faeb15ccb76d24ad587c77e56
SHA512 216cf9b65822023828ecc0a16107fe9d3e5a32022ceeacfbaea9d51410b98ef160d5602af9cf712c7ac80c48d2bb48cee492512f37313c6554994fe8de2e8a3b

\Users\Admin\AppData\Local\Temp\Furios.exe

MD5 7d808ed46e13d92dfb0aa54d910b931c
SHA1 4181e6d26fcc96df3c899c07615c9856a947ce36
SHA256 60762ebb147a22034f88378b1bae255c2bb7dc9f00d65a5f22ca9e6f98955a8e
SHA512 18fccafd683ac8012bccbbfc457fdaa109db2c38740e21c21f9dd3fbf70396191b455c1cf359599e47857518625b7adadc2c4440c12ff67277ff9b23f17ea532

Analysis: behavioral2

Detonation Overview

Submitted: 2023-12-27 01:49
Reported: 2024-01-07 10:13
Platform: win10v2004-20231215-en
Max time kernel: 164s
Max time network: 199s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9bdffeeb52015df1699b7b0f0aa03cf4.exe"

Signatures

Panda Stealer payload

No description, indicator, process or target recorded (3 events).

PandaStealer

Tags: stealer pandastealer

Checks computer location settings

Description: Key value queried
Indicator: \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation
Process: C:\Users\Admin\AppData\Local\Temp\9bdffeeb52015df1699b7b0f0aa03cf4.exe
Target: N/A

Executes dropped EXE

Process: C:\Users\Admin\AppData\Local\Temp\Furios.exe (no description, indicator or target recorded)

Reads user/profile data of web browsers

Tags: spyware stealer

VMProtect packed file

Tags: vmprotect

No description, indicator, process or target recorded (4 events).

Suspicious use of NtSetInformationThreadHideFromDebugger

Process: C:\Users\Admin\AppData\Local\Temp\Furios.exe (no description, indicator or target recorded)

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Process: C:\Users\Admin\AppData\Local\Temp\Furios.exe (4 events; no description, indicator or target recorded)

Processes

C:\Users\Admin\AppData\Local\Temp\9bdffeeb52015df1699b7b0f0aa03cf4.exe

"C:\Users\Admin\AppData\Local\Temp\9bdffeeb52015df1699b7b0f0aa03cf4.exe"

C:\Users\Admin\AppData\Local\Temp\Furios.exe

"C:\Users\Admin\AppData\Local\Temp\Furios.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 146.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 3.181.190.20.in-addr.arpa udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 8.179.89.13.in-addr.arpa udp
US 8.8.8.8:53 f0565988.xsph.ru udp
RU 141.8.197.42:80 f0565988.xsph.ru tcp
US 8.8.8.8:53 42.197.8.141.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\Furios.exe

MD5 df4e68852040ee5abdd047c8d358bcfd
SHA1 b2d077578e9d4326b47d5b2002ea447209e4f32f
SHA256 3c4747711e6ea57f84af33e1676740a0a25f899283ee994cf23fe3aaf55aed59
SHA512 53c888abb92207efe8590b0d7fb790d04681da466bb8d8a0b24548213f3c69d3487f42a4cbcb4eed2ce53b14644af1f6b713a3ea5dff9d05f8cac835ea802b0d
