General
-
Target
PanKoza2.0 Discord Token Stealer 2024.exe
-
Size
9.5MB
-
Sample
240915-2l67yawcrb
-
MD5
6c21e9957b540c1fc5c6c30f991423dd
-
SHA1
3937d74580a14bb8debd9c763fb1816cb26b881d
-
SHA256
fd6b4896e31a516c1aceae5d2e82822dc0efdecbcebf882b2875e57ce9e26cb0
-
SHA512
f4b7825e1cd7267b2bc9e8801c19ae72b76a0269dd0fb144303494882eb68bc4f0e2d8b6766f80252b6acd12090a6b6f0c4bc5e2c089d35a24e0a64de2bda5ba
-
SSDEEP
196608:weurQ4kCMsjWDqYbcMtnpVGNrzUrTg6aXW/aHIFU7s39:C84keyDFcMtpcqI62WO
Malware Config
Extracted
http://onion1.host:443/temper/PGPClient.exe
Targets
-
-
Target
PanKoza2.0 Discord Token Stealer 2024.exe
-
Size
9.5MB
-
MD5
6c21e9957b540c1fc5c6c30f991423dd
-
SHA1
3937d74580a14bb8debd9c763fb1816cb26b881d
-
SHA256
fd6b4896e31a516c1aceae5d2e82822dc0efdecbcebf882b2875e57ce9e26cb0
-
SHA512
f4b7825e1cd7267b2bc9e8801c19ae72b76a0269dd0fb144303494882eb68bc4f0e2d8b6766f80252b6acd12090a6b6f0c4bc5e2c089d35a24e0a64de2bda5ba
-
SSDEEP
196608:weurQ4kCMsjWDqYbcMtnpVGNrzUrTg6aXW/aHIFU7s39:C84keyDFcMtpcqI62WO
Score10/10-
Deletes Windows Defender Definitions
Uses mpcmdrun utility to delete all AV definitions.
-
Jigsaw Ransomware
Ransomware family first created in 2016. Named based on wallpaper set after infection in the early versions.
-
Modifies WinLogon for persistence
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
Credentials from Password Stores: Credentials from Web Browsers
Malicious Access or copy of Web Browser Credential store.
-
Renames multiple (108) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Command and Scripting Interpreter: PowerShell
Run Powershell and hide display window.
-
Office macro that triggers on suspicious action
Office document macro which triggers in special circumstances - often malicious.
-
Drops startup file
-
Executes dropped EXE
-
Loads dropped DLL
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
UPX packed file
Detects executables packed with UPX/modified UPX open source packer.
-
Unsecured Credentials: Credentials In Files
Steal credentials from unsecured files.
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Adds Run key to start application
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Obfuscated Files or Information: Command Obfuscation
Adversaries may obfuscate content during command execution to impede detection.
-
Enumerates processes with tasklist
-
Sets desktop wallpaper using registry
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Defense Evasion
Impair Defenses
1Modify Registry
4Obfuscated Files or Information
1Command Obfuscation
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
3Credentials In Files
3