Analysis
-
max time kernel
94s -
max time network
122s -
platform
windows10-2004_x64 -
resource
win10v2004-20240221-en -
resource tags
-
submitted
26-02-2024 05:26
General
-
Target
a58ba0338bc617fdc6e60f0a0c5ef655.exe
-
Size
1.4MB
-
MD5
a58ba0338bc617fdc6e60f0a0c5ef655
-
SHA1
9fab93502863d7e5e39778cdd613f258081638c3
-
SHA256
e0cc6ae1f2a402c12678c97f63f6e97cad35090ccca5c1a280a3beef0b716e88
-
SHA512
ee507c9b632c71e49c18c95b10d290dda456a0422fd1659fc41e6d2c58a5b82f1428f7d4d4190d961e81cc30b42e1444a17b52392a95f3c451bdc2b2eec8deff
-
SSDEEP
24576:qlc5i8jgFm3YKQbc4ib20TsTUyLo4H/hach1H2bF89lAZuBk4WIWV:qlc5wKMcjabE4THRlAmWIW
Malware Config
Extracted
pandastealer
1.11
http://f0570666.xsph.ru
Signatures
-
Panda Stealer payload 3 IoCs
-
PandaStealer
Panda Stealer is a fork of CollectorProject Stealer written in C++.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 1 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 3 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\a58ba0338bc617fdc6e60f0a0c5ef655.exe"C:\Users\Admin\AppData\Local\Temp\a58ba0338bc617fdc6e60f0a0c5ef655.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\build_protected.exe"C:\Users\Admin\AppData\Local\Temp\build_protected.exe"2⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\build_protected.exeFilesize
1.4MB
MD514aac0601324c17cbb497b117f1d1abf
SHA178b84b37f0e5d9af8b9c9cf21f4d65daee6f90cd
SHA256100da9436605c1eaa5daa59ebff004cf2399ed5e29a08c7209a2a0a7db018a58
SHA512141b81825885a57aeff4560508db1dcf4a639e23a6ab28e168122b9c34c137ee06deaf1fbb7bfee2e3f747b8c7ba614933e52e473cdb134ffb7724327d82b9f7
-
memory/3252-0-0x0000000000660000-0x00000000007D0000-memory.dmpFilesize
1.4MB
-
memory/3252-1-0x00007FF8EF500000-0x00007FF8EFFC1000-memory.dmpFilesize
10.8MB
-
memory/3252-2-0x000000001B510000-0x000000001B520000-memory.dmpFilesize
64KB
-
memory/3252-15-0x00007FF8EF500000-0x00007FF8EFFC1000-memory.dmpFilesize
10.8MB
-
memory/4180-14-0x0000000000E10000-0x0000000001226000-memory.dmpFilesize
4.1MB
-
memory/4180-13-0x0000000000E10000-0x0000000001226000-memory.dmpFilesize
4.1MB
-
memory/4180-16-0x0000000000E10000-0x0000000001226000-memory.dmpFilesize
4.1MB
-
memory/4180-46-0x0000000000E10000-0x0000000001226000-memory.dmpFilesize
4.1MB
-
memory/4180-47-0x0000000000E10000-0x0000000001226000-memory.dmpFilesize
4.1MB
-
memory/4180-53-0x0000000000E10000-0x0000000001226000-memory.dmpFilesize
4.1MB