Malware Analysis Report

2024-09-22 15:29

Sample ID 240201-n681dacgg3
Target 86d758c6abd61b00327d4325bc91833b
SHA256 a94ffe5bd707888c7a28014793d9e529b77ac4597b7ebb4eabc7cc188407a37d
Tags
pandastealer evasion spyware stealer
score
10/10


Analysis Overview


Threat Level: Known bad

The file 86d758c6abd61b00327d4325bc91833b was found to be: Known bad.

Malicious Activity Summary

pandastealer evasion spyware stealer

Panda Stealer payload

PandaStealer

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Checks BIOS information in registry

Reads user/profile data of web browsers

Identifies Wine through registry keys

Suspicious use of NtSetInformationThreadHideFromDebugger

Unsigned PE

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported: 2024-02-01 12:01

Signatures

Unsigned PE


Analysis: behavioral2

Detonation Overview

Submitted: 2024-02-01 12:01

Reported: 2024-02-01 12:04

Platform: win10v2004-20231215-en

Max time kernel: 137s

Max time network: 159s

Command Line

"C:\Users\Admin\AppData\Local\Temp\86d758c6abd61b00327d4325bc91833b.exe"

Signatures

Panda Stealer payload


PandaStealer

stealer pandastealer

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\86d758c6abd61b00327d4325bc91833b.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\86d758c6abd61b00327d4325bc91833b.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\86d758c6abd61b00327d4325bc91833b.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\86d758c6abd61b00327d4325bc91833b.exe N/A

Reads user/profile data of web browsers

spyware stealer

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\86d758c6abd61b00327d4325bc91833b.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\86d758c6abd61b00327d4325bc91833b.exe

"C:\Users\Admin\AppData\Local\Temp\86d758c6abd61b00327d4325bc91833b.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 16.53.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 collector-node.us udp
US 8.8.8.8:53 collector-steal.ga udp
US 8.8.8.8:53 9.179.89.13.in-addr.arpa udp

Files


Analysis: behavioral1

Detonation Overview

Submitted: 2024-02-01 12:01

Reported: 2024-02-01 12:04

Platform: win7-20231215-en

Max time kernel: 120s

Max time network: 124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\86d758c6abd61b00327d4325bc91833b.exe"

Signatures

Panda Stealer payload


PandaStealer

stealer pandastealer

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\86d758c6abd61b00327d4325bc91833b.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\86d758c6abd61b00327d4325bc91833b.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\86d758c6abd61b00327d4325bc91833b.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\86d758c6abd61b00327d4325bc91833b.exe N/A

Reads user/profile data of web browsers

spyware stealer

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\86d758c6abd61b00327d4325bc91833b.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\86d758c6abd61b00327d4325bc91833b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\86d758c6abd61b00327d4325bc91833b.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\86d758c6abd61b00327d4325bc91833b.exe

"C:\Users\Admin\AppData\Local\Temp\86d758c6abd61b00327d4325bc91833b.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 collector-node.us udp
US 8.8.8.8:53 collector-steal.ga udp

Files
