Analysis Overview
SHA256
57ad383c47b6423e48e44f750afc38f4e837db3c62eb59e10743d241625259e2
Threat Level: Known bad
The file 9bdffeeb52015df1699b7b0f0aa03cf4 was found to be: Known bad.
Malicious Activity Summary
Panda Stealer payload
PandaStealer
Executes dropped EXE
VMProtect packed file
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Suspicious use of NtSetInformationThreadHideFromDebugger
Enumerates physical storage devices
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-02-14 14:07
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-02-14 14:07
Reported
2024-02-14 14:10
Platform
win7-20231215-en
Max time kernel
122s
Max time network
136s
Command Line
Signatures
Panda Stealer payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
PandaStealer
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Furios.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9bdffeeb52015df1699b7b0f0aa03cf4.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9bdffeeb52015df1699b7b0f0aa03cf4.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9bdffeeb52015df1699b7b0f0aa03cf4.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9bdffeeb52015df1699b7b0f0aa03cf4.exe | N/A |
Reads user/profile data of web browsers
VMProtect packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Furios.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Furios.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Furios.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2368 wrote to memory of 2792 | N/A | C:\Users\Admin\AppData\Local\Temp\9bdffeeb52015df1699b7b0f0aa03cf4.exe | C:\Users\Admin\AppData\Local\Temp\Furios.exe |
| PID 2368 wrote to memory of 2792 | N/A | C:\Users\Admin\AppData\Local\Temp\9bdffeeb52015df1699b7b0f0aa03cf4.exe | C:\Users\Admin\AppData\Local\Temp\Furios.exe |
| PID 2368 wrote to memory of 2792 | N/A | C:\Users\Admin\AppData\Local\Temp\9bdffeeb52015df1699b7b0f0aa03cf4.exe | C:\Users\Admin\AppData\Local\Temp\Furios.exe |
| PID 2368 wrote to memory of 2792 | N/A | C:\Users\Admin\AppData\Local\Temp\9bdffeeb52015df1699b7b0f0aa03cf4.exe | C:\Users\Admin\AppData\Local\Temp\Furios.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\9bdffeeb52015df1699b7b0f0aa03cf4.exe
"C:\Users\Admin\AppData\Local\Temp\9bdffeeb52015df1699b7b0f0aa03cf4.exe"
C:\Users\Admin\AppData\Local\Temp\Furios.exe
"C:\Users\Admin\AppData\Local\Temp\Furios.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | f0565988.xsph.ru | udp |
| RU | 141.8.197.42:80 | f0565988.xsph.ru | tcp |
Files
\Users\Admin\AppData\Local\Temp\Furios.exe
| Hash | Value |
| --- | --- |
| MD5 | df4e68852040ee5abdd047c8d358bcfd |
| SHA1 | b2d077578e9d4326b47d5b2002ea447209e4f32f |
| SHA256 | 3c4747711e6ea57f84af33e1676740a0a25f899283ee994cf23fe3aaf55aed59 |
| SHA512 | 53c888abb92207efe8590b0d7fb790d04681da466bb8d8a0b24548213f3c69d3487f42a4cbcb4eed2ce53b14644af1f6b713a3ea5dff9d05f8cac835ea802b0d |
\Users\Admin\AppData\Local\Temp\Furios.exe
| Hash | Value |
| --- | --- |
| MD5 | e42cb0898af0e056a356548cee3b58d2 |
| SHA1 | ac8ad573413bb5892e9da066fa2e15058f39f93c |
| SHA256 | 5d37e10f87f93d2c4f37e421df9118e6c92ce852992c633d6ad64350bae8c4e8 |
| SHA512 | afa7f4522f0e0631ce5312ad7ef2e669e345b2b16cab71b1a7a2a1ca52e76711177096d5d00c4718972a50fc241ec7d88aea507e0d6e3ad2fa54f1b2a1241865 |
\Users\Admin\AppData\Local\Temp\Furios.exe
| Hash | Value |
| --- | --- |
| MD5 | 8920b74597608f478fc7fe2134a7cfb0 |
| SHA1 | fc3e1ec5168004dd8ec43329e8e697b281eb4b72 |
| SHA256 | 9a5023b2a29acadd79298c447f80fde5289f7c894c20015e9b957e0c2a95f75d |
| SHA512 | 39bdaa0145ad0e639d0659dd2b7161b60f8db06891f3028895f49c42587d9eadb7794d6be61a5756bccc2f0c82a2a3c956a1f78bf05beb5e13548527ff4dd566 |
memory/2792-19-0x0000000000160000-0x0000000000B24000-memory.dmp
memory/2792-20-0x0000000000C00000-0x0000000000C01000-memory.dmp
memory/2792-22-0x0000000000C00000-0x0000000000C01000-memory.dmp
memory/2792-24-0x0000000000C00000-0x0000000000C01000-memory.dmp
memory/2792-26-0x0000000077660000-0x0000000077661000-memory.dmp
memory/2792-25-0x0000000000C10000-0x0000000000C11000-memory.dmp
memory/2792-28-0x0000000000C10000-0x0000000000C11000-memory.dmp
memory/2792-30-0x0000000000C10000-0x0000000000C11000-memory.dmp
memory/2792-31-0x0000000000160000-0x0000000000B24000-memory.dmp
memory/2792-51-0x0000000000160000-0x0000000000B24000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-02-14 14:07
Reported
2024-02-14 14:09
Platform
win10v2004-20231222-en
Max time kernel
92s
Max time network
122s
Command Line
Signatures
Panda Stealer payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
PandaStealer
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\9bdffeeb52015df1699b7b0f0aa03cf4.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Furios.exe | N/A |
Reads user/profile data of web browsers
VMProtect packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Furios.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Furios.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Furios.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Furios.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Furios.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 1192 wrote to memory of 4616 | N/A | C:\Users\Admin\AppData\Local\Temp\9bdffeeb52015df1699b7b0f0aa03cf4.exe | C:\Users\Admin\AppData\Local\Temp\Furios.exe |
| PID 1192 wrote to memory of 4616 | N/A | C:\Users\Admin\AppData\Local\Temp\9bdffeeb52015df1699b7b0f0aa03cf4.exe | C:\Users\Admin\AppData\Local\Temp\Furios.exe |
| PID 1192 wrote to memory of 4616 | N/A | C:\Users\Admin\AppData\Local\Temp\9bdffeeb52015df1699b7b0f0aa03cf4.exe | C:\Users\Admin\AppData\Local\Temp\Furios.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\9bdffeeb52015df1699b7b0f0aa03cf4.exe
"C:\Users\Admin\AppData\Local\Temp\9bdffeeb52015df1699b7b0f0aa03cf4.exe"
C:\Users\Admin\AppData\Local\Temp\Furios.exe
"C:\Users\Admin\AppData\Local\Temp\Furios.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 210.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 5.181.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | f0565988.xsph.ru | udp |
| RU | 141.8.197.42:80 | f0565988.xsph.ru | tcp |
| US | 8.8.8.8:53 | 42.197.8.141.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 182.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.178.17.96.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\Furios.exe
| Hash | Value |
| --- | --- |
| MD5 | df4e68852040ee5abdd047c8d358bcfd |
| SHA1 | b2d077578e9d4326b47d5b2002ea447209e4f32f |
| SHA256 | 3c4747711e6ea57f84af33e1676740a0a25f899283ee994cf23fe3aaf55aed59 |
| SHA512 | 53c888abb92207efe8590b0d7fb790d04681da466bb8d8a0b24548213f3c69d3487f42a4cbcb4eed2ce53b14644af1f6b713a3ea5dff9d05f8cac835ea802b0d |
memory/4616-11-0x00000000006A0000-0x0000000001064000-memory.dmp
memory/4616-12-0x00000000011F0000-0x00000000011F1000-memory.dmp
memory/4616-13-0x0000000001510000-0x0000000001511000-memory.dmp
memory/4616-14-0x00000000006A0000-0x0000000001064000-memory.dmp
memory/4616-51-0x00000000006A0000-0x0000000001064000-memory.dmp