Analysis Overview
SHA256
e0cc6ae1f2a402c12678c97f63f6e97cad35090ccca5c1a280a3beef0b716e88
Threat Level: Known bad
The file a58ba0338bc617fdc6e60f0a0c5ef655 was found to be: Known bad.
Malicious Activity Summary
Panda Stealer payload
PandaStealer
Reads user/profile data of web browsers
Executes dropped EXE
Checks computer location settings
Suspicious use of NtSetInformationThreadHideFromDebugger
Enumerates physical storage devices
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-02-26 05:26
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-02-26 05:26
Reported
2024-02-26 05:28
Platform
win7-20240221-en
Max time kernel
117s
Max time network
122s
Command Line
Signatures
Panda Stealer payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
PandaStealer
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\build_protected.exe | N/A |
Reads user/profile data of web browsers
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\build_protected.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\build_protected.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\build_protected.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\build_protected.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\build_protected.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2772 wrote to memory of 1616 | N/A | C:\Users\Admin\AppData\Local\Temp\a58ba0338bc617fdc6e60f0a0c5ef655.exe | C:\Users\Admin\AppData\Local\Temp\build_protected.exe |
| PID 2772 wrote to memory of 1616 | N/A | C:\Users\Admin\AppData\Local\Temp\a58ba0338bc617fdc6e60f0a0c5ef655.exe | C:\Users\Admin\AppData\Local\Temp\build_protected.exe |
| PID 2772 wrote to memory of 1616 | N/A | C:\Users\Admin\AppData\Local\Temp\a58ba0338bc617fdc6e60f0a0c5ef655.exe | C:\Users\Admin\AppData\Local\Temp\build_protected.exe |
| PID 2772 wrote to memory of 1616 | N/A | C:\Users\Admin\AppData\Local\Temp\a58ba0338bc617fdc6e60f0a0c5ef655.exe | C:\Users\Admin\AppData\Local\Temp\build_protected.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\a58ba0338bc617fdc6e60f0a0c5ef655.exe
"C:\Users\Admin\AppData\Local\Temp\a58ba0338bc617fdc6e60f0a0c5ef655.exe"
C:\Users\Admin\AppData\Local\Temp\build_protected.exe
"C:\Users\Admin\AppData\Local\Temp\build_protected.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | f0570666.xsph.ru | udp |
| RU | 141.8.197.42:80 | f0570666.xsph.ru | tcp |
Files
memory/2772-0-0x00000000013A0000-0x0000000001510000-memory.dmp
memory/2772-1-0x000007FEF5C40000-0x000007FEF662C000-memory.dmp
memory/2772-2-0x000000001B3D0000-0x000000001B450000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\build_protected.exe
| MD5 | e4105c1123a03f1129581ebb73d654f1 |
| SHA1 | 419c7112bebff16b371e46903555b880b8c3a472 |
| SHA256 | d45fb4636b3a34a9caf096ea01cf71cd9f31542c7e0630a408b43586bc0d8f9d |
| SHA512 | 8830c9a1df0b0393c44929ac55b42937102172021ea88cb4ab7507e5ceca9d5613387ac1c8fa389bf65851a62e3cc43d05e62b36f7e789b6be2a26e35d77722f |
C:\Users\Admin\AppData\Local\Temp\build_protected.exe
| MD5 | 97ecd8350f52dccff5736e034267a11f |
| SHA1 | dcf43392772c0a80ef297688222beaeadf304942 |
| SHA256 | c27e99767cedf120bb0df7500bc70045c378c6ed85bc6d18946fe3bee3813036 |
| SHA512 | d0307119d501763dc3f4cfbac0af9bf4cb8b036f19a50fbbd6c45570b616eeeb6b346de811ce9d75e7e81b61b0968f2b31dbe22dd75694f1c387b74e037d35a4 |
memory/1616-11-0x00000000011B0000-0x00000000015C6000-memory.dmp
memory/1616-12-0x00000000011B0000-0x00000000015C6000-memory.dmp
memory/2772-13-0x000007FEF5C40000-0x000007FEF662C000-memory.dmp
memory/1616-14-0x00000000011B0000-0x00000000015C6000-memory.dmp
\??\c:\users\admin\appdata\local\temp\build_protected.exe
| MD5 | 34f1055468ee817a259b5b822c65f7ab |
| SHA1 | a0c2825de7f67c221823b48682d233a29914bd0e |
| SHA256 | 797832ced7ee49a9c04d9dfb68cde33cff9fbae4e2761b92a0f41ec31875c6fa |
| SHA512 | e59731d34c35c7da4c785fb8290f67cfe60fa6306935b359d0a1462045984dcf920548ea7eb307747ed2f971e0c79cacde0c30cf678eff05a1ac4103b8662fe5 |
memory/1616-33-0x00000000011B0000-0x00000000015C6000-memory.dmp
memory/1616-34-0x00000000011B0000-0x00000000015C6000-memory.dmp
memory/1616-35-0x00000000011B0000-0x00000000015C6000-memory.dmp
memory/1616-40-0x00000000011B0000-0x00000000015C6000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-02-26 05:26
Reported
2024-02-26 05:28
Platform
win10v2004-20240221-en
Max time kernel
94s
Max time network
122s
Command Line
Signatures
Panda Stealer payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
PandaStealer
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1712835645-2080934712-2142796781-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\a58ba0338bc617fdc6e60f0a0c5ef655.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\build_protected.exe | N/A |
Reads user/profile data of web browsers
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\build_protected.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\build_protected.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\build_protected.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\build_protected.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\build_protected.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\build_protected.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3252 wrote to memory of 4180 | N/A | C:\Users\Admin\AppData\Local\Temp\a58ba0338bc617fdc6e60f0a0c5ef655.exe | C:\Users\Admin\AppData\Local\Temp\build_protected.exe |
| PID 3252 wrote to memory of 4180 | N/A | C:\Users\Admin\AppData\Local\Temp\a58ba0338bc617fdc6e60f0a0c5ef655.exe | C:\Users\Admin\AppData\Local\Temp\build_protected.exe |
| PID 3252 wrote to memory of 4180 | N/A | C:\Users\Admin\AppData\Local\Temp\a58ba0338bc617fdc6e60f0a0c5ef655.exe | C:\Users\Admin\AppData\Local\Temp\build_protected.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\a58ba0338bc617fdc6e60f0a0c5ef655.exe
"C:\Users\Admin\AppData\Local\Temp\a58ba0338bc617fdc6e60f0a0c5ef655.exe"
C:\Users\Admin\AppData\Local\Temp\build_protected.exe
"C:\Users\Admin\AppData\Local\Temp\build_protected.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | f0570666.xsph.ru | udp |
| RU | 141.8.197.42:80 | f0570666.xsph.ru | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
Files
memory/3252-0-0x0000000000660000-0x00000000007D0000-memory.dmp
memory/3252-1-0x00007FF8EF500000-0x00007FF8EFFC1000-memory.dmp
memory/3252-2-0x000000001B510000-0x000000001B520000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\build_protected.exe
| MD5 | 14aac0601324c17cbb497b117f1d1abf |
| SHA1 | 78b84b37f0e5d9af8b9c9cf21f4d65daee6f90cd |
| SHA256 | 100da9436605c1eaa5daa59ebff004cf2399ed5e29a08c7209a2a0a7db018a58 |
| SHA512 | 141b81825885a57aeff4560508db1dcf4a639e23a6ab28e168122b9c34c137ee06deaf1fbb7bfee2e3f747b8c7ba614933e52e473cdb134ffb7724327d82b9f7 |
memory/4180-14-0x0000000000E10000-0x0000000001226000-memory.dmp
memory/3252-15-0x00007FF8EF500000-0x00007FF8EFFC1000-memory.dmp
memory/4180-13-0x0000000000E10000-0x0000000001226000-memory.dmp
memory/4180-16-0x0000000000E10000-0x0000000001226000-memory.dmp
memory/4180-46-0x0000000000E10000-0x0000000001226000-memory.dmp
memory/4180-47-0x0000000000E10000-0x0000000001226000-memory.dmp
memory/4180-53-0x0000000000E10000-0x0000000001226000-memory.dmp
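Two things in the tables above matter for turning this report into detection content. First, the only non-sandbox-noise destination in both detonations is f0570666.xsph.ru resolving to 141.8.197.42 over plain HTTP on tcp/80; the in-addr.arpa lookups and the g.bing.com / tse1.mm.bing.net connections in behavioral2 are Windows 10 background traffic and should not be shipped as indicators. Second, build_protected.exe is written three times with three different hashes in behavioral1 and with yet another hash in behavioral2, so a file-hash IOC for the dropped payload would not survive a second run; the parent hash, the %TEMP% drop path, and the C2 are the stable pivots. The helper below is an added example, not part of the sandbox output: its data is transcribed from the Network and Files tables, and its noise heuristic (reverse-DNS PTR lookups and Microsoft hosts on the Windows 10 image are not attributable to the sample) is an assumption of the example.

```python
"""Triage helper for the two detonations in this report (added example; not
sandbox output). Rows and hashes are transcribed from the tables above. The
noise heuristic (PTR lookups and Bing/Microsoft hosts on a Windows 10 image
are background, not sample traffic) is this example's assumption."""

# Network rows transcribed from behavioral1 and behavioral2 (a subset of the
# behavioral2 PTR rows is enough to exercise the filter):
# (detonation, destination, domain, proto)
NETWORK = [
    ("behavioral1", "8.8.8.8:53", "f0570666.xsph.ru", "udp"),
    ("behavioral1", "141.8.197.42:80", "f0570666.xsph.ru", "tcp"),
    ("behavioral2", "8.8.8.8:53", "73.159.190.20.in-addr.arpa", "udp"),
    ("behavioral2", "8.8.8.8:53", "g.bing.com", "udp"),
    ("behavioral2", "204.79.197.200:443", "g.bing.com", "tcp"),
    ("behavioral2", "8.8.8.8:53", "f0570666.xsph.ru", "udp"),
    ("behavioral2", "141.8.197.42:80", "f0570666.xsph.ru", "tcp"),
    ("behavioral2", "8.8.8.8:53", "tse1.mm.bing.net", "udp"),
    ("behavioral2", "204.79.197.200:443", "tse1.mm.bing.net", "tcp"),
]

# SHA256 of every write of build_protected.exe, per detonation (Files tables).
DROPPED = {
    "behavioral1": [
        "d45fb4636b3a34a9caf096ea01cf71cd9f31542c7e0630a408b43586bc0d8f9d",
        "c27e99767cedf120bb0df7500bc70045c378c6ed85bc6d18946fe3bee3813036",
        "797832ced7ee49a9c04d9dfb68cde33cff9fbae4e2761b92a0f41ec31875c6fa",
    ],
    "behavioral2": [
        "100da9436605c1eaa5daa59ebff004cf2399ed5e29a08c7209a2a0a7db018a58",
    ],
}

# Assumption: these suffixes are sandbox/OS background on the Windows images.
NOISE_SUFFIXES = (".in-addr.arpa", ".bing.com", ".bing.net")
RESOLVER = "8.8.8.8"  # DNS rows show where a name was resolved, not a contact


def is_noise(domain):
    return domain.endswith(NOISE_SUFFIXES)


def sample_contacts(rows):
    """Hosts the sample actually connected to: {domain: {(ip, port, proto)}}.
    Resolver rows and background hosts are dropped."""
    out = {}
    for _, dst, domain, proto in rows:
        ip, port = dst.rsplit(":", 1)
        if is_noise(domain) or ip == RESOLVER:
            continue
        out.setdefault(domain, set()).add((ip, int(port), proto))
    return out


def stable_iocs(rows):
    """Domains and IPs seen in every detonation. Anything seen in only one run
    may be environment-specific and deserves a second look before blocking."""
    detonations = {r[0] for r in rows}
    seen = {}
    for det, dst, domain, _ in rows:
        ip = dst.rsplit(":", 1)[0]
        if is_noise(domain) or ip == RESOLVER:
            continue
        seen.setdefault(domain, set()).add(det)
        seen.setdefault(ip, set()).add(det)
    return sorted(k for k, v in seen.items() if v == detonations)


def dropped_hash_stability(dropped):
    """How many times the payload was written, how many distinct files that
    produced, and which hashes (if any) recur across detonations. A distinct
    hash per write means the payload hash is not a usable IOC."""
    all_hashes = [h for hs in dropped.values() for h in hs]
    shared = set.intersection(*(set(v) for v in dropped.values()))
    return {
        "writes": len(all_hashes),
        "distinct": len(set(all_hashes)),
        "shared_across_detonations": shared,
    }


if __name__ == "__main__":
    print("contacts:", sample_contacts(NETWORK))
    print("stable IOCs:", stable_iocs(NETWORK))
    print("payload hash stability:", dropped_hash_stability(DROPPED))
```

The noise list is deliberately conservative: a PTR lookup or a Bing connection in the sample's own process would still be interesting, but this report does not attribute network rows to processes, so the example filters on names only. Because the C2 contact is unencrypted HTTP on tcp/80, proxy and NetFlow logs are a practical place to hunt for the domain and IP this yields.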