Malware Analysis Report

2024-09-22 15:29

Sample ID 240214-re1fpsdg45
Target 9bdffeeb52015df1699b7b0f0aa03cf4
SHA256 57ad383c47b6423e48e44f750afc38f4e837db3c62eb59e10743d241625259e2
Tags pandastealer spyware stealer vmprotect
Score 10/10

Analysis Overview

Score 10/10

SHA256

57ad383c47b6423e48e44f750afc38f4e837db3c62eb59e10743d241625259e2

Threat Level: Known bad

The file 9bdffeeb52015df1699b7b0f0aa03cf4 was found to be: Known bad.

Malicious Activity Summary

pandastealer spyware stealer vmprotect

Panda Stealer payload

PandaStealer

Executes dropped EXE

VMProtect packed file

Checks computer location settings

Loads dropped DLL

Reads user/profile data of web browsers

Suspicious use of NtSetInformationThreadHideFromDebugger

Enumerates physical storage devices

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-02-14 14:07

Signatures

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted

2024-02-14 14:07

Reported

2024-02-14 14:10

Platform

win7-20231215-en

Max time kernel

122s

Max time network

136s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9bdffeeb52015df1699b7b0f0aa03cf4.exe"

Signatures

Panda Stealer payload


PandaStealer

stealer pandastealer

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Furios.exe N/A

Reads user/profile data of web browsers

spyware stealer

VMProtect packed file

vmprotect

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Furios.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Furios.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Furios.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\9bdffeeb52015df1699b7b0f0aa03cf4.exe

"C:\Users\Admin\AppData\Local\Temp\9bdffeeb52015df1699b7b0f0aa03cf4.exe"

C:\Users\Admin\AppData\Local\Temp\Furios.exe

"C:\Users\Admin\AppData\Local\Temp\Furios.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 f0565988.xsph.ru udp
RU 141.8.197.42:80 f0565988.xsph.ru tcp

Files

\Users\Admin\AppData\Local\Temp\Furios.exe

MD5 df4e68852040ee5abdd047c8d358bcfd
SHA1 b2d077578e9d4326b47d5b2002ea447209e4f32f
SHA256 3c4747711e6ea57f84af33e1676740a0a25f899283ee994cf23fe3aaf55aed59
SHA512 53c888abb92207efe8590b0d7fb790d04681da466bb8d8a0b24548213f3c69d3487f42a4cbcb4eed2ce53b14644af1f6b713a3ea5dff9d05f8cac835ea802b0d

\Users\Admin\AppData\Local\Temp\Furios.exe

MD5 e42cb0898af0e056a356548cee3b58d2
SHA1 ac8ad573413bb5892e9da066fa2e15058f39f93c
SHA256 5d37e10f87f93d2c4f37e421df9118e6c92ce852992c633d6ad64350bae8c4e8
SHA512 afa7f4522f0e0631ce5312ad7ef2e669e345b2b16cab71b1a7a2a1ca52e76711177096d5d00c4718972a50fc241ec7d88aea507e0d6e3ad2fa54f1b2a1241865

\Users\Admin\AppData\Local\Temp\Furios.exe

MD5 8920b74597608f478fc7fe2134a7cfb0
SHA1 fc3e1ec5168004dd8ec43329e8e697b281eb4b72
SHA256 9a5023b2a29acadd79298c447f80fde5289f7c894c20015e9b957e0c2a95f75d
SHA512 39bdaa0145ad0e639d0659dd2b7161b60f8db06891f3028895f49c42587d9eadb7794d6be61a5756bccc2f0c82a2a3c956a1f78bf05beb5e13548527ff4dd566


Analysis: behavioral2

Detonation Overview

Submitted

2024-02-14 14:07

Reported

2024-02-14 14:09

Platform

win10v2004-20231222-en

Max time kernel

92s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9bdffeeb52015df1699b7b0f0aa03cf4.exe"

Signatures

Panda Stealer payload


PandaStealer

stealer pandastealer

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\9bdffeeb52015df1699b7b0f0aa03cf4.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Furios.exe N/A

Reads user/profile data of web browsers

spyware stealer

VMProtect packed file

vmprotect

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Furios.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Furios.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Furios.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Furios.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Furios.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\9bdffeeb52015df1699b7b0f0aa03cf4.exe

"C:\Users\Admin\AppData\Local\Temp\9bdffeeb52015df1699b7b0f0aa03cf4.exe"

C:\Users\Admin\AppData\Local\Temp\Furios.exe

"C:\Users\Admin\AppData\Local\Temp\Furios.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 210.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 5.181.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 f0565988.xsph.ru udp
RU 141.8.197.42:80 f0565988.xsph.ru tcp
US 8.8.8.8:53 42.197.8.141.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 182.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 209.178.17.96.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\Furios.exe

MD5 df4e68852040ee5abdd047c8d358bcfd
SHA1 b2d077578e9d4326b47d5b2002ea447209e4f32f
SHA256 3c4747711e6ea57f84af33e1676740a0a25f899283ee994cf23fe3aaf55aed59
SHA512 53c888abb92207efe8590b0d7fb790d04681da466bb8d8a0b24548213f3c69d3487f42a4cbcb4eed2ce53b14644af1f6b713a3ea5dff9d05f8cac835ea802b0d
