Analysis Overview
SHA256
a94ffe5bd707888c7a28014793d9e529b77ac4597b7ebb4eabc7cc188407a37d
Threat Level: Known bad
The file 86d758c6abd61b00327d4325bc91833b was found to be: Known bad.
Malicious Activity Summary
Panda Stealer payload
PandaStealer
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Checks BIOS information in registry
Reads user/profile data of web browsers
Identifies Wine through registry keys
Suspicious use of NtSetInformationThreadHideFromDebugger
Unsigned PE
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-02-01 12:01
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-02-01 12:01
Reported
2024-02-01 12:04
Platform
win10v2004-20231215-en
Max time kernel
137s
Max time network
159s
Command Line
Signatures
Panda Stealer payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
PandaStealer
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\86d758c6abd61b00327d4325bc91833b.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\86d758c6abd61b00327d4325bc91833b.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\86d758c6abd61b00327d4325bc91833b.exe | N/A |
Identifies Wine through registry keys
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\86d758c6abd61b00327d4325bc91833b.exe | N/A |
Reads user/profile data of web browsers
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\86d758c6abd61b00327d4325bc91833b.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\86d758c6abd61b00327d4325bc91833b.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\86d758c6abd61b00327d4325bc91833b.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\86d758c6abd61b00327d4325bc91833b.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\86d758c6abd61b00327d4325bc91833b.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\86d758c6abd61b00327d4325bc91833b.exe
"C:\Users\Admin\AppData\Local\Temp\86d758c6abd61b00327d4325bc91833b.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 16.53.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | collector-node.us | udp |
| US | 8.8.8.8:53 | collector-steal.ga | udp |
| US | 8.8.8.8:53 | 9.179.89.13.in-addr.arpa | udp |
Files
memory/3952-0-0x0000000000BD0000-0x00000000013EC000-memory.dmp
memory/3952-1-0x0000000000BD0000-0x00000000013EC000-memory.dmp
memory/3952-2-0x0000000077B24000-0x0000000077B26000-memory.dmp
memory/3952-3-0x0000000000BD0000-0x00000000013EC000-memory.dmp
memory/3952-4-0x0000000000BD0000-0x00000000013EC000-memory.dmp
memory/3952-5-0x0000000000BD0000-0x00000000013EC000-memory.dmp
memory/3952-6-0x0000000000BD0000-0x00000000013EC000-memory.dmp
memory/3952-7-0x00000000018B0000-0x00000000018B1000-memory.dmp
memory/3952-8-0x0000000000B20000-0x0000000000B21000-memory.dmp
memory/3952-9-0x0000000001890000-0x0000000001891000-memory.dmp
memory/3952-10-0x0000000000BD0000-0x00000000013EC000-memory.dmp
memory/3952-12-0x0000000001880000-0x0000000001881000-memory.dmp
memory/3952-11-0x00000000018A0000-0x00000000018A1000-memory.dmp
memory/3952-13-0x00000000018C0000-0x00000000018C1000-memory.dmp
memory/3952-37-0x0000000000B40000-0x0000000000B41000-memory.dmp
memory/3952-49-0x0000000000BD0000-0x00000000013EC000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-02-01 12:01
Reported
2024-02-01 12:04
Platform
win7-20231215-en
Max time kernel
120s
Max time network
124s
Command Line
Signatures
Panda Stealer payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
PandaStealer
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\86d758c6abd61b00327d4325bc91833b.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\86d758c6abd61b00327d4325bc91833b.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\86d758c6abd61b00327d4325bc91833b.exe | N/A |
Identifies Wine through registry keys
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\86d758c6abd61b00327d4325bc91833b.exe | N/A |
Reads user/profile data of web browsers
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\86d758c6abd61b00327d4325bc91833b.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\86d758c6abd61b00327d4325bc91833b.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\86d758c6abd61b00327d4325bc91833b.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\86d758c6abd61b00327d4325bc91833b.exe
"C:\Users\Admin\AppData\Local\Temp\86d758c6abd61b00327d4325bc91833b.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | collector-node.us | udp |
| US | 8.8.8.8:53 | collector-steal.ga | udp |
Files
memory/1700-0-0x00000000008C0000-0x00000000010DC000-memory.dmp
memory/1700-1-0x00000000008C0000-0x00000000010DC000-memory.dmp
memory/1700-2-0x0000000076FD0000-0x0000000076FD2000-memory.dmp
memory/1700-3-0x00000000008C0000-0x00000000010DC000-memory.dmp
memory/1700-4-0x00000000008C0000-0x00000000010DC000-memory.dmp
memory/1700-5-0x00000000008C0000-0x00000000010DC000-memory.dmp
memory/1700-6-0x00000000008C0000-0x00000000010DC000-memory.dmp
memory/1700-8-0x00000000027F0000-0x00000000027F1000-memory.dmp
memory/1700-7-0x00000000005F0000-0x00000000005F1000-memory.dmp
memory/1700-9-0x0000000002800000-0x0000000002801000-memory.dmp
memory/1700-12-0x0000000000360000-0x0000000000361000-memory.dmp
memory/1700-11-0x00000000027D0000-0x00000000027D1000-memory.dmp
memory/1700-10-0x0000000000380000-0x0000000000381000-memory.dmp
memory/1700-14-0x00000000008C0000-0x00000000010DC000-memory.dmp
memory/1700-19-0x00000000003A0000-0x00000000003A1000-memory.dmp
memory/1700-24-0x00000000005C0000-0x00000000005C1000-memory.dmp
memory/1700-26-0x00000000005D0000-0x00000000005D1000-memory.dmp
memory/1700-29-0x0000000000390000-0x0000000000391000-memory.dmp
memory/1700-32-0x00000000008A0000-0x00000000008A1000-memory.dmp
memory/1700-31-0x00000000005E0000-0x00000000005E1000-memory.dmp
memory/1700-30-0x0000000000600000-0x0000000000601000-memory.dmp
memory/1700-28-0x0000000000370000-0x0000000000371000-memory.dmp
memory/1700-27-0x0000000000350000-0x0000000000351000-memory.dmp
memory/1700-25-0x0000000000340000-0x0000000000341000-memory.dmp
memory/1700-23-0x00000000027B0000-0x00000000027B1000-memory.dmp
memory/1700-22-0x00000000027C0000-0x00000000027C1000-memory.dmp
memory/1700-40-0x00000000008C0000-0x00000000010DC000-memory.dmp