Analysis
-
max time kernel
85s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system -
submitted
28-12-2023 22:03
Behavioral task
behavioral1
Sample
fb626420f5fe5910a943314e2ec9f6a7.exe
Resource
win7-20231215-en
General
-
Target
fb626420f5fe5910a943314e2ec9f6a7.exe
-
Size
2.9MB
-
MD5
fb626420f5fe5910a943314e2ec9f6a7
-
SHA1
499305c3ac90d160ce9a42f31236fbe3c966892d
-
SHA256
fb0ccb6e367ebaa52874292e05adae9cacafb2b42a8526bf1cb6028e753b9b7d
-
SHA512
96aa1f3e0b151baf1d3adbe109db36b32907ba54859fa6dfd96bca2a1b88db12cff367eb0f8860af0fc39d2ac0c3a8d4ce0d3523edb40fb84f25eda45a4541e6
-
SSDEEP
49152:5f5PFdGyL17PWkY3wfN8LBO881oUkii9Ps4c2vCSK3o1zRaXV+Wp9CjMIJH+eRui:5kuzWkNN8LBOrjY0QKUk7yVkeRL
Malware Config
Extracted
pandastealer
1.11
http://f0566299.xsph.ru
Signatures
-
Panda Stealer payload 9 IoCs
resource yara_rule behavioral2/memory/4276-3-0x0000000000B20000-0x000000000127A000-memory.dmp family_pandastealer behavioral2/memory/4276-4-0x0000000000B20000-0x000000000127A000-memory.dmp family_pandastealer behavioral2/memory/4276-5-0x0000000000B20000-0x000000000127A000-memory.dmp family_pandastealer behavioral2/memory/4276-6-0x0000000000B20000-0x000000000127A000-memory.dmp family_pandastealer behavioral2/memory/4276-7-0x0000000000B20000-0x000000000127A000-memory.dmp family_pandastealer behavioral2/memory/4276-8-0x0000000000B20000-0x000000000127A000-memory.dmp family_pandastealer behavioral2/memory/4276-9-0x0000000000B20000-0x000000000127A000-memory.dmp family_pandastealer behavioral2/memory/4276-39-0x0000000000B20000-0x000000000127A000-memory.dmp family_pandastealer behavioral2/memory/4276-47-0x0000000000B20000-0x000000000127A000-memory.dmp family_pandastealer -
PandaStealer
Panda Stealer is a fork of CollectorProject Stealer written in C++.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ fb626420f5fe5910a943314e2ec9f6a7.exe -
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion fb626420f5fe5910a943314e2ec9f6a7.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion fb626420f5fe5910a943314e2ec9f6a7.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
resource yara_rule behavioral2/memory/4276-0-0x0000000000B20000-0x000000000127A000-memory.dmp themida behavioral2/memory/4276-2-0x0000000000B20000-0x000000000127A000-memory.dmp themida behavioral2/memory/4276-3-0x0000000000B20000-0x000000000127A000-memory.dmp themida behavioral2/memory/4276-4-0x0000000000B20000-0x000000000127A000-memory.dmp themida behavioral2/memory/4276-5-0x0000000000B20000-0x000000000127A000-memory.dmp themida behavioral2/memory/4276-6-0x0000000000B20000-0x000000000127A000-memory.dmp themida behavioral2/memory/4276-7-0x0000000000B20000-0x000000000127A000-memory.dmp themida behavioral2/memory/4276-8-0x0000000000B20000-0x000000000127A000-memory.dmp themida behavioral2/memory/4276-9-0x0000000000B20000-0x000000000127A000-memory.dmp themida behavioral2/memory/4276-39-0x0000000000B20000-0x000000000127A000-memory.dmp themida behavioral2/memory/4276-47-0x0000000000B20000-0x000000000127A000-memory.dmp themida -
description ioc Process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA fb626420f5fe5910a943314e2ec9f6a7.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
pid Process 4276 fb626420f5fe5910a943314e2ec9f6a7.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 4276 fb626420f5fe5910a943314e2ec9f6a7.exe 4276 fb626420f5fe5910a943314e2ec9f6a7.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\fb626420f5fe5910a943314e2ec9f6a7.exe"C:\Users\Admin\AppData\Local\Temp\fb626420f5fe5910a943314e2ec9f6a7.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:4276
Network
-
Remote address:8.8.8.8:53Request146.78.124.51.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request186.178.17.96.in-addr.arpaIN PTRResponse186.178.17.96.in-addr.arpaIN PTRa96-17-178-186deploystaticakamaitechnologiescom
-
Remote address:8.8.8.8:53Request186.178.17.96.in-addr.arpaIN PTR
-
Remote address:8.8.8.8:53Request19.53.126.40.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request19.53.126.40.in-addr.arpaIN PTR
-
Remote address:8.8.8.8:53Requestf0566299.xsph.ruIN AResponsef0566299.xsph.ruIN A141.8.197.42
-
Remote address:141.8.197.42:80RequestPOST /collect.php HTTP/1.1
Content-Type: multipart/form-data; boundary=SendFileZIPBoundary
User-Agent: uploader
Host: f0566299.xsph.ru
Content-Length: 436508
Connection: Keep-Alive
Cache-Control: no-cache
-
Remote address:8.8.8.8:53Request95.221.229.192.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request42.197.8.141.in-addr.arpaIN PTRResponse42.197.8.141.in-addr.arpaIN PTRtechproxyfromsh
-
Remote address:8.8.8.8:53Request241.154.82.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request195.233.44.23.in-addr.arpaIN PTRResponse195.233.44.23.in-addr.arpaIN PTRa23-44-233-195deploystaticakamaitechnologiescom
-
Remote address:8.8.8.8:53Request195.233.44.23.in-addr.arpaIN PTR
-
Remote address:8.8.8.8:53Request195.233.44.23.in-addr.arpaIN PTR
-
Remote address:8.8.8.8:53Request183.59.114.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request171.39.242.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request28.160.77.104.in-addr.arpaIN PTRResponse28.160.77.104.in-addr.arpaIN PTRa104-77-160-28deploystaticakamaitechnologiescom
-
Remote address:8.8.8.8:53Request55.36.223.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Requesttse1.mm.bing.netIN AResponsetse1.mm.bing.netIN CNAMEmm-mm.bing.net.trafficmanager.netmm-mm.bing.net.trafficmanager.netIN CNAMEdual-a-0001.a-msedge.netdual-a-0001.a-msedge.netIN A204.79.197.200dual-a-0001.a-msedge.netIN A13.107.21.200
-
GEThttps://tse1.mm.bing.net/th?id=OADD2.10239317301285_1YX3CCWTOZVY6EU1J&pid=21.2&w=1920&h=1080&c=4Remote address:204.79.197.200:443RequestGET /th?id=OADD2.10239317301285_1YX3CCWTOZVY6EU1J&pid=21.2&w=1920&h=1080&c=4 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
ResponseHTTP/2.0 200
content-length: 333147
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 5B67C0A6759345CE94067F4A811D757B Ref B: LON04EDGE0914 Ref C: 2024-01-09T21:28:18Z
date: Tue, 09 Jan 2024 21:28:18 GMT
-
GEThttps://tse1.mm.bing.net/th?id=OADD2.10239317301641_15XCVCUU89WZACE51&pid=21.2&w=1080&h=1920&c=4Remote address:204.79.197.200:443RequestGET /th?id=OADD2.10239317301641_15XCVCUU89WZACE51&pid=21.2&w=1080&h=1920&c=4 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
ResponseHTTP/2.0 200
content-length: 297187
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: E473148CC9874A3C97CB0C616CFC41F4 Ref B: LON04EDGE0914 Ref C: 2024-01-09T21:28:18Z
date: Tue, 09 Jan 2024 21:28:18 GMT
-
GEThttps://tse1.mm.bing.net/th?id=OADD2.10239317301232_1SUK3KC676MXT5G7N&pid=21.2&w=1920&h=1080&c=4Remote address:204.79.197.200:443RequestGET /th?id=OADD2.10239317301232_1SUK3KC676MXT5G7N&pid=21.2&w=1920&h=1080&c=4 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
ResponseHTTP/2.0 200
content-length: 387682
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: E3E0305359464957827646FCCF7A4802 Ref B: LON04EDGE0914 Ref C: 2024-01-09T21:28:18Z
date: Tue, 09 Jan 2024 21:28:18 GMT
-
GEThttps://tse1.mm.bing.net/th?id=OADD2.10239317300915_11PL293NENO2DA53I&pid=21.2&w=1920&h=1080&c=4Remote address:204.79.197.200:443RequestGET /th?id=OADD2.10239317300915_11PL293NENO2DA53I&pid=21.2&w=1920&h=1080&c=4 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
ResponseHTTP/2.0 200
content-length: 275490
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 9937E1284DFD45789829A36B439EC6A3 Ref B: LON04EDGE0914 Ref C: 2024-01-09T21:28:18Z
date: Tue, 09 Jan 2024 21:28:18 GMT
-
GEThttps://tse1.mm.bing.net/th?id=OADD2.10239317301348_1IGED3LPK164UYK70&pid=21.2&w=1080&h=1920&c=4Remote address:204.79.197.200:443RequestGET /th?id=OADD2.10239317301348_1IGED3LPK164UYK70&pid=21.2&w=1080&h=1920&c=4 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
ResponseHTTP/2.0 200
content-length: 288710
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: ECAA7BB7045543FFBF3176951D6D9F85 Ref B: LON04EDGE0914 Ref C: 2024-01-09T21:28:18Z
date: Tue, 09 Jan 2024 21:28:18 GMT
-
GEThttps://tse1.mm.bing.net/th?id=OADD2.10239317301694_17Y0IRSKKQEXFDPLC&pid=21.2&w=1080&h=1920&c=4Remote address:204.79.197.200:443RequestGET /th?id=OADD2.10239317301694_17Y0IRSKKQEXFDPLC&pid=21.2&w=1080&h=1920&c=4 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
ResponseHTTP/2.0 200
content-length: 339880
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: F043AB29C3E844369EB5C9FF5DEBA581 Ref B: LON04EDGE0914 Ref C: 2024-01-09T21:28:26Z
date: Tue, 09 Jan 2024 21:28:26 GMT
-
Remote address:8.8.8.8:53Request59.128.231.4.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request16.234.44.23.in-addr.arpaIN PTRResponse16.234.44.23.in-addr.arpaIN PTRa23-44-234-16deploystaticakamaitechnologiescom
-
Remote address:8.8.8.8:53Request16.234.44.23.in-addr.arpaIN PTR
-
Remote address:8.8.8.8:53Request185.178.17.96.in-addr.arpaIN PTRResponse185.178.17.96.in-addr.arpaIN PTRa96-17-178-185deploystaticakamaitechnologiescom
-
Remote address:8.8.8.8:53Request23.236.111.52.in-addr.arpaIN PTRResponse
-
156 B 3
-
106.8kB 1.9kB 82 41
HTTP Request
POST http://f0566299.xsph.ru/collect.php -
1.5kB 8.2kB 17 13
-
204.79.197.200:443https://tse1.mm.bing.net/th?id=OADD2.10239317301694_17Y0IRSKKQEXFDPLC&pid=21.2&w=1080&h=1920&c=4tls, http273.4kB 2.0MB 1489 1478
HTTP Request
GET https://tse1.mm.bing.net/th?id=OADD2.10239317301285_1YX3CCWTOZVY6EU1J&pid=21.2&w=1920&h=1080&c=4HTTP Request
GET https://tse1.mm.bing.net/th?id=OADD2.10239317301641_15XCVCUU89WZACE51&pid=21.2&w=1080&h=1920&c=4HTTP Request
GET https://tse1.mm.bing.net/th?id=OADD2.10239317301232_1SUK3KC676MXT5G7N&pid=21.2&w=1920&h=1080&c=4HTTP Request
GET https://tse1.mm.bing.net/th?id=OADD2.10239317300915_11PL293NENO2DA53I&pid=21.2&w=1920&h=1080&c=4HTTP Request
GET https://tse1.mm.bing.net/th?id=OADD2.10239317301348_1IGED3LPK164UYK70&pid=21.2&w=1080&h=1920&c=4HTTP Response
200HTTP Response
200HTTP Response
200HTTP Response
200HTTP Response
200HTTP Request
GET https://tse1.mm.bing.net/th?id=OADD2.10239317301694_17Y0IRSKKQEXFDPLC&pid=21.2&w=1080&h=1920&c=4HTTP Response
200 -
1.5kB 8.2kB 17 12
-
1.5kB 8.8kB 20 16
-
1.5kB 10.2kB 20 16
-
72 B 158 B 1 1
DNS Request
146.78.124.51.in-addr.arpa
-
144 B 137 B 2 1
DNS Request
186.178.17.96.in-addr.arpa
DNS Request
186.178.17.96.in-addr.arpa
-
142 B 157 B 2 1
DNS Request
19.53.126.40.in-addr.arpa
DNS Request
19.53.126.40.in-addr.arpa
-
62 B 78 B 1 1
DNS Request
f0566299.xsph.ru
DNS Response
141.8.197.42
-
73 B 144 B 1 1
DNS Request
95.221.229.192.in-addr.arpa
-
71 B 102 B 1 1
DNS Request
42.197.8.141.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
241.154.82.20.in-addr.arpa
-
216 B 137 B 3 1
DNS Request
195.233.44.23.in-addr.arpa
DNS Request
195.233.44.23.in-addr.arpa
DNS Request
195.233.44.23.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
183.59.114.20.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
171.39.242.20.in-addr.arpa
-
72 B 137 B 1 1
DNS Request
28.160.77.104.in-addr.arpa
-
71 B 157 B 1 1
DNS Request
55.36.223.20.in-addr.arpa
-
62 B 173 B 1 1
DNS Request
tse1.mm.bing.net
DNS Response
204.79.197.20013.107.21.200
-
71 B 157 B 1 1
DNS Request
59.128.231.4.in-addr.arpa
-
142 B 135 B 2 1
DNS Request
16.234.44.23.in-addr.arpa
DNS Request
16.234.44.23.in-addr.arpa
-
72 B 137 B 1 1
DNS Request
185.178.17.96.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
23.236.111.52.in-addr.arpa