Analysis
-
max time kernel
117s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
26-02-2024 05:26
Static task
static1
Behavioral task
behavioral1
Sample
a58ba0338bc617fdc6e60f0a0c5ef655.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
a58ba0338bc617fdc6e60f0a0c5ef655.exe
Resource
win10v2004-20240221-en
General
-
Target
a58ba0338bc617fdc6e60f0a0c5ef655.exe
-
Size
1.4MB
-
MD5
a58ba0338bc617fdc6e60f0a0c5ef655
-
SHA1
9fab93502863d7e5e39778cdd613f258081638c3
-
SHA256
e0cc6ae1f2a402c12678c97f63f6e97cad35090ccca5c1a280a3beef0b716e88
-
SHA512
ee507c9b632c71e49c18c95b10d290dda456a0422fd1659fc41e6d2c58a5b82f1428f7d4d4190d961e81cc30b42e1444a17b52392a95f3c451bdc2b2eec8deff
-
SSDEEP
24576:qlc5i8jgFm3YKQbc4ib20TsTUyLo4H/hach1H2bF89lAZuBk4WIWV:qlc5wKMcjabE4THRlAmWIW
Malware Config
Extracted
pandastealer
1.11
http://f0570666.xsph.ru
Signatures
-
Panda Stealer payload 4 IoCs
Processes:
resource yara_rule behavioral1/memory/1616-33-0x00000000011B0000-0x00000000015C6000-memory.dmp family_pandastealer behavioral1/memory/1616-34-0x00000000011B0000-0x00000000015C6000-memory.dmp family_pandastealer behavioral1/memory/1616-35-0x00000000011B0000-0x00000000015C6000-memory.dmp family_pandastealer behavioral1/memory/1616-40-0x00000000011B0000-0x00000000015C6000-memory.dmp family_pandastealer -
PandaStealer
Panda Stealer is a fork of CollectorProject Stealer written in C++.
-
Executes dropped EXE 1 IoCs
Processes:
build_protected.exepid process 1616 build_protected.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs
Processes:
build_protected.exepid process 1616 build_protected.exe 1616 build_protected.exe 1616 build_protected.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
build_protected.exepid process 1616 build_protected.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
build_protected.exepid process 1616 build_protected.exe -
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
a58ba0338bc617fdc6e60f0a0c5ef655.exedescription pid process target process PID 2772 wrote to memory of 1616 2772 a58ba0338bc617fdc6e60f0a0c5ef655.exe build_protected.exe PID 2772 wrote to memory of 1616 2772 a58ba0338bc617fdc6e60f0a0c5ef655.exe build_protected.exe PID 2772 wrote to memory of 1616 2772 a58ba0338bc617fdc6e60f0a0c5ef655.exe build_protected.exe PID 2772 wrote to memory of 1616 2772 a58ba0338bc617fdc6e60f0a0c5ef655.exe build_protected.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\a58ba0338bc617fdc6e60f0a0c5ef655.exe"C:\Users\Admin\AppData\Local\Temp\a58ba0338bc617fdc6e60f0a0c5ef655.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2772 -
C:\Users\Admin\AppData\Local\Temp\build_protected.exe"C:\Users\Admin\AppData\Local\Temp\build_protected.exe"2⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1616
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\build_protected.exeFilesize
463KB
MD5e4105c1123a03f1129581ebb73d654f1
SHA1419c7112bebff16b371e46903555b880b8c3a472
SHA256d45fb4636b3a34a9caf096ea01cf71cd9f31542c7e0630a408b43586bc0d8f9d
SHA5128830c9a1df0b0393c44929ac55b42937102172021ea88cb4ab7507e5ceca9d5613387ac1c8fa389bf65851a62e3cc43d05e62b36f7e789b6be2a26e35d77722f
-
C:\Users\Admin\AppData\Local\Temp\build_protected.exeFilesize
594KB
MD597ecd8350f52dccff5736e034267a11f
SHA1dcf43392772c0a80ef297688222beaeadf304942
SHA256c27e99767cedf120bb0df7500bc70045c378c6ed85bc6d18946fe3bee3813036
SHA512d0307119d501763dc3f4cfbac0af9bf4cb8b036f19a50fbbd6c45570b616eeeb6b346de811ce9d75e7e81b61b0968f2b31dbe22dd75694f1c387b74e037d35a4
-
\??\c:\users\admin\appdata\local\temp\build_protected.exeFilesize
271KB
MD534f1055468ee817a259b5b822c65f7ab
SHA1a0c2825de7f67c221823b48682d233a29914bd0e
SHA256797832ced7ee49a9c04d9dfb68cde33cff9fbae4e2761b92a0f41ec31875c6fa
SHA512e59731d34c35c7da4c785fb8290f67cfe60fa6306935b359d0a1462045984dcf920548ea7eb307747ed2f971e0c79cacde0c30cf678eff05a1ac4103b8662fe5
-
memory/1616-11-0x00000000011B0000-0x00000000015C6000-memory.dmpFilesize
4.1MB
-
memory/1616-12-0x00000000011B0000-0x00000000015C6000-memory.dmpFilesize
4.1MB
-
memory/1616-14-0x00000000011B0000-0x00000000015C6000-memory.dmpFilesize
4.1MB
-
memory/1616-33-0x00000000011B0000-0x00000000015C6000-memory.dmpFilesize
4.1MB
-
memory/1616-34-0x00000000011B0000-0x00000000015C6000-memory.dmpFilesize
4.1MB
-
memory/1616-35-0x00000000011B0000-0x00000000015C6000-memory.dmpFilesize
4.1MB
-
memory/1616-40-0x00000000011B0000-0x00000000015C6000-memory.dmpFilesize
4.1MB
-
memory/2772-2-0x000000001B3D0000-0x000000001B450000-memory.dmpFilesize
512KB
-
memory/2772-1-0x000007FEF5C40000-0x000007FEF662C000-memory.dmpFilesize
9.9MB
-
memory/2772-13-0x000007FEF5C40000-0x000007FEF662C000-memory.dmpFilesize
9.9MB
-
memory/2772-0-0x00000000013A0000-0x0000000001510000-memory.dmpFilesize
1.4MB