Extracted

• • Target

    hack.exe

  • Size

    4.9MB

  • MD5

    a2665470d5074af084fbdac73abfce51

  • SHA1

    d418ee23ac16427dd57448fcd37d9debeccec19c

  • SHA256

    6b22ce132aec60bab2b31938e7e82d404bd92b91951adbc917ac370d4c20ec64

  • SHA512

    7f9affe51ed17bcd2bcd02e1af31ba187cae5709447b1db0da54b6acba60fbcf54fba9dd554ac3322919a8da3cd250ff55840ce22aad4f5b7a2af991869e4a9e

  • SSDEEP

    98304:vzIIYKj7uCz+msMeZB4dj44HjhDYlcFKL2tWAbPcvNZVc1Cq+:UIYKfkMeZBcphDbFKitW6U1ZVc4q

  Score

  10^/10

  pandastealerdefense_evasiondiscoveryevasionpersistencespywarestealervmprotect

  • Panda Stealer payload

  • PandaStealer

    Panda Stealer is a fork of CollectorProject Stealer written in C++.

    stealerpandastealer

  • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    evasion

  • Checks BIOS information in registry

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Identifies Wine through registry keys

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion

  • Loads dropped DLL

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • VMProtect packed file

    Detects executables packed with VMProtect commercial packer.

    vmprotect

  • Adds Run key to start application

    persistence

  • Hide Artifacts: Hidden Files and Directories

    defense_evasion

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  behavioral1behavioral2