Malware Analysis Report

2024-09-22 15:30

Sample ID 240226-f4ygvsdh94
Target a58ba0338bc617fdc6e60f0a0c5ef655
SHA256 e0cc6ae1f2a402c12678c97f63f6e97cad35090ccca5c1a280a3beef0b716e88
Tags
pandastealer spyware stealer
score
10/10

Analysis Overview

score
10/10

SHA256

e0cc6ae1f2a402c12678c97f63f6e97cad35090ccca5c1a280a3beef0b716e88

Threat Level: Known bad

The file a58ba0338bc617fdc6e60f0a0c5ef655 was found to be: Known bad.

Malicious Activity Summary

pandastealer spyware stealer

Panda Stealer payload

PandaStealer

Reads user/profile data of web browsers

Executes dropped EXE

Checks computer location settings

Suspicious use of NtSetInformationThreadHideFromDebugger

Enumerates physical storage devices

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-02-26 05:26

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-26 05:26

Reported

2024-02-26 05:28

Platform

win7-20240221-en

Max time kernel

117s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a58ba0338bc617fdc6e60f0a0c5ef655.exe"

Signatures

Panda Stealer payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

PandaStealer

stealer pandastealer

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\build_protected.exe N/A

Reads user/profile data of web browsers

spyware stealer

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\build_protected.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\build_protected.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\build_protected.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\build_protected.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\build_protected.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\a58ba0338bc617fdc6e60f0a0c5ef655.exe

"C:\Users\Admin\AppData\Local\Temp\a58ba0338bc617fdc6e60f0a0c5ef655.exe"

C:\Users\Admin\AppData\Local\Temp\build_protected.exe

"C:\Users\Admin\AppData\Local\Temp\build_protected.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 f0570666.xsph.ru udp
RU 141.8.197.42:80 f0570666.xsph.ru tcp

Files

C:\Users\Admin\AppData\Local\Temp\build_protected.exe

MD5 e4105c1123a03f1129581ebb73d654f1
SHA1 419c7112bebff16b371e46903555b880b8c3a472
SHA256 d45fb4636b3a34a9caf096ea01cf71cd9f31542c7e0630a408b43586bc0d8f9d
SHA512 8830c9a1df0b0393c44929ac55b42937102172021ea88cb4ab7507e5ceca9d5613387ac1c8fa389bf65851a62e3cc43d05e62b36f7e789b6be2a26e35d77722f

C:\Users\Admin\AppData\Local\Temp\build_protected.exe

MD5 97ecd8350f52dccff5736e034267a11f
SHA1 dcf43392772c0a80ef297688222beaeadf304942
SHA256 c27e99767cedf120bb0df7500bc70045c378c6ed85bc6d18946fe3bee3813036
SHA512 d0307119d501763dc3f4cfbac0af9bf4cb8b036f19a50fbbd6c45570b616eeeb6b346de811ce9d75e7e81b61b0968f2b31dbe22dd75694f1c387b74e037d35a4

\??\c:\users\admin\appdata\local\temp\build_protected.exe

MD5 34f1055468ee817a259b5b822c65f7ab
SHA1 a0c2825de7f67c221823b48682d233a29914bd0e
SHA256 797832ced7ee49a9c04d9dfb68cde33cff9fbae4e2761b92a0f41ec31875c6fa
SHA512 e59731d34c35c7da4c785fb8290f67cfe60fa6306935b359d0a1462045984dcf920548ea7eb307747ed2f971e0c79cacde0c30cf678eff05a1ac4103b8662fe5

Analysis: behavioral2

Detonation Overview

Submitted

2024-02-26 05:26

Reported

2024-02-26 05:28

Platform

win10v2004-20240221-en

Max time kernel

94s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a58ba0338bc617fdc6e60f0a0c5ef655.exe"

Signatures

Panda Stealer payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

PandaStealer

stealer pandastealer

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1712835645-2080934712-2142796781-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\a58ba0338bc617fdc6e60f0a0c5ef655.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\build_protected.exe N/A

Reads user/profile data of web browsers

spyware stealer

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\build_protected.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\build_protected.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\build_protected.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\build_protected.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\build_protected.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\build_protected.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\a58ba0338bc617fdc6e60f0a0c5ef655.exe

"C:\Users\Admin\AppData\Local\Temp\a58ba0338bc617fdc6e60f0a0c5ef655.exe"

C:\Users\Admin\AppData\Local\Temp\build_protected.exe

"C:\Users\Admin\AppData\Local\Temp\build_protected.exe"

Network

Files

C:\Users\Admin\AppData\Local\Temp\build_protected.exe

MD5 14aac0601324c17cbb497b117f1d1abf
SHA1 78b84b37f0e5d9af8b9c9cf21f4d65daee6f90cd
SHA256 100da9436605c1eaa5daa59ebff004cf2399ed5e29a08c7209a2a0a7db018a58
SHA512 141b81825885a57aeff4560508db1dcf4a639e23a6ab28e168122b9c34c137ee06deaf1fbb7bfee2e3f747b8c7ba614933e52e473cdb134ffb7724327d82b9f7
