Malware Analysis Report

2024-09-22 15:33

Sample ID 240217-gq6rrace36
Target MidNight - CRACKED.exe
SHA256 e52afa16e426ed5b530dc3fc1bcac33dc99ca772ff841b7c0bbbf93e4e7c7fed
Tags pandastealer spyware stealer
Score 10/10

Analysis Overview

Score 10/10

SHA256

e52afa16e426ed5b530dc3fc1bcac33dc99ca772ff841b7c0bbbf93e4e7c7fed

Threat Level: Known bad

The file MidNight - CRACKED.exe was found to be: Known bad.

Malicious Activity Summary

pandastealer spyware stealer

Panda Stealer payload

PandaStealer

Executes dropped EXE

Loads dropped DLL

Reads data files stored by FTP clients

Reads user/profile data of web browsers

Unsigned PE

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Opens file in notepad (likely ransom note)

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-02-17 06:01

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-17 06:01

Reported

2024-02-17 06:02

Platform

win7-20231215-en

Max time kernel

25s

Max time network

18s

Command Line

"C:\Users\Admin\AppData\Local\Temp\MidNight - CRACKED.exe"

Signatures

Panda Stealer payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

PandaStealer

stealer pandastealer

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\10yPnSco9W4zfRozfL41HdUHsAscfkda.exe N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Enumerates physical storage devices

Opens file in notepad (likely ransom note)

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\System32\NOTEPAD.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\10yPnSco9W4zfRozfL41HdUHsAscfkda.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\DllHost.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\MidNight - CRACKED.exe

"C:\Users\Admin\AppData\Local\Temp\MidNight - CRACKED.exe"

C:\Users\Admin\AppData\Local\Temp\10yPnSco9W4zfRozfL41HdUHsAscfkda.exe

"C:\Users\Admin\AppData\Local\Temp\10yPnSco9W4zfRozfL41HdUHsAscfkda.exe"

C:\Windows\SysWOW64\DllHost.exe

C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}

C:\Windows\System32\NOTEPAD.EXE

"C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\Desktop\StepJoin.bat

Network

Country Destination Domain Proto
RU 194.87.248.102:3000 tcp

Files

\Users\Admin\AppData\Local\Temp\10yPnSco9W4zfRozfL41HdUHsAscfkda.exe

MD5 e249bcd1e893795c71351bf62480c6b6
SHA1 e92158f135788d0916f2e293011b3568d498c092
SHA256 b15a74b64a63a348919203a024f8c8aa715c2ff21685e26da14f1be4a00520c5
SHA512 8bfc855dc917a098f3795ef11815593ab29f02db7d219bfcc25a4ddc957f0e0ee0dc44c18fb3f50c9c11f89f3cc71f8aafb7ee1208429f7ee3bc492cc51d5a91

C:\Users\Admin\AppData\Local\Temp\10yPnSco9W4zfRozfL41HdUHsAscfkda.exe

MD5 830550cd30753a9fde9d4d99b44344bf
SHA1 69cf20cac9879225cff7fcc50cbaac4e4b48ca5b
SHA256 d4feb54f21f04e8e9d554aa7891648bd862403fe0164dbd1acf482fe6f8b3602
SHA512 675aca6c9f74704f486aceed8c92ab7b5b42bd3da453da64a6068c9020dbe39fac6a5304f08cbadee9014f5d1e8a4b01f50ae623ea21a23dacc1894e93a65d88

memory/2452-15-0x00000000006A0000-0x00000000006A2000-memory.dmp

memory/2896-16-0x0000000000170000-0x0000000000172000-memory.dmp

memory/2896-17-0x00000000003D0000-0x00000000003D1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\night.jpg

MD5 df04e5d97b4f113febcc037aae0fe6a5
SHA1 3dd1f95edc40395d1984542f5daef9ea53c0925c
SHA256 41419008feab09129aec758571984915fbbc191c517a58b9245df86b86820450
SHA512 85c54de7e2121df1a94f7128cf1c5723c07f5b09ae61d8f63a7398df292e0d54eef87d9a39a0c8d8dd22b9a7883dc52eeda388b11aab21d06365267a55b85b2a

memory/2896-25-0x00000000003D0000-0x00000000003D1000-memory.dmp