Analysis

  • max time kernel
    148s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    14-02-2024 11:02

General

  • Target

    9b80f5c9c1cd7d2d13d6c41d35e0c21f.exe

  • Size

    5.6MB

  • MD5

    9b80f5c9c1cd7d2d13d6c41d35e0c21f

  • SHA1

    6df7b192b2c140552feaf951090ca54a01640f77

  • SHA256

    62a1d37c063d4835060b531f903bc99d8f807e8f52077e6ece25c8f53af84d74

  • SHA512

    1b6a33ae5275653eaafeeba81e0cf1df466a0a6e66647f662765cccb28c122d1a9d22baa977f623ac6b094c0e064e434f6981261136343209de2b3375f9cd609

  • SSDEEP

    98304:jO2z45deXEXN1NLNsI2xebYryeeKQsJ4rPB2EAV5ZEseq3q9/A7Co8+klmxKw:i2z45XXN1T2xebYpeKHJwP0KPq3kAmoF

Malware Config

Signatures

  • Panda Stealer payload 3 IoCs
  • PandaStealer

    Panda Stealer is a fork of CollectorProject Stealer written in C++.

  • Shurk

    Shurk is an infostealer, written in C++ which appeared in 2021.

  • Shurk Stealer payload 3 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • VMProtect packed file 3 IoCs

    Detects executables packed with VMProtect commercial packer.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9b80f5c9c1cd7d2d13d6c41d35e0c21f.exe
    "C:\Users\Admin\AppData\Local\Temp\9b80f5c9c1cd7d2d13d6c41d35e0c21f.exe"
    1⤵
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    PID:2940

Network

MITRE ATT&CK Matrix ATT&CK v13

Credential Access

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Collection

Data from Local System

1
T1005

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/2940-0-0x0000000000770000-0x00000000010A5000-memory.dmp
    Filesize

    9.2MB

  • memory/2940-1-0x0000000001570000-0x0000000001571000-memory.dmp
    Filesize

    4KB

  • memory/2940-2-0x0000000001580000-0x0000000001581000-memory.dmp
    Filesize

    4KB

  • memory/2940-3-0x0000000000770000-0x00000000010A5000-memory.dmp
    Filesize

    9.2MB

  • memory/2940-29-0x0000000000770000-0x00000000010A5000-memory.dmp
    Filesize

    9.2MB