MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0eb87a3705190f81e96901e1376d66657c704915ff88e4ccc954128ba6a7efe0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

PandaStealer

Vendor detections: 12

Intelligence 12 IOCs YARA 2 File information Comments

SHA256 hash:	0eb87a3705190f81e96901e1376d66657c704915ff88e4ccc954128ba6a7efe0
SHA3-384 hash:	1cbc2a1925ff88ff9bd727efb92c8ab583b87e7f00430df3e15dda0bf80e59072fa0bd444892da49e57ebd136ada58b8
SHA1 hash:	83349f9a92bba8d297a8bd63b8cebeeae13fc3e8
MD5 hash:	9ef762f37d18159788b6f1ddedd432c6
humanhash:	jersey-echo-avocado-artist
File name:	file
Download:	download sample
Signature	PandaStealer Create hunting rule
File size:	1'142'784 bytes
First seen:	2023-02-04 07:09:26 UTC
Last seen:	2023-02-06 17:42:19 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'741 x AgentTesla, 19'604 x Formbook, 12'242 x SnakeKeylogger)
ssdeep	24576:nwJJuwUGkdSemfmmgO59i3LuKR0Zd7lzMdJGrqG4yPas:wJJPlQRkmc5sdu71Usc8
TLSH	T11835CE9377F19862F6CB10B514283B8C1FE07103BE55E25BAB3B79C097059FBB698252
TrID	61.9% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 11.1% (.SCR) Windows screen saver (13097/50/3) 8.9% (.EXE) Win64 Executable (generic) (10523/12/4) 5.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	38f1c8c8d8d4d8d0 (6 x RedLineStealer, 1 x RaccoonStealer, 1 x PandaStealer)
Reporter	andretavare5
Tags:	exe PandaStealer

andretavare5

Sample downloaded from https://vk.com/doc139074685_655480742?hash=7ZXvFyYqysYwBs7lphX77Tbk4Ke6GEJCswjAcHnLVaP&dl=GEZTSMBXGQ3DQNI:1675436769:l3OIaZT4yeYYzOVTSLxQCkmsZUgLZdL9FJbvZI503aH&api=1&no_preview=1#pu300us

Intelligence

File Origin

# of uploads :

129

# of downloads :

196

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

file

Verdict:

Malicious activity

Analysis date:

2023-02-04 07:09:48 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/3538dfb8-b651-4772-a261-a82677dc85b6

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/360176/

Detection(s):

SecuriteInfo.com.Trojan.Siggen19.39152.19295.22200.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Unauthorized injection to a recently created process

Creating a file

Сreating synchronization primitives

Verdict:

No Threat

Threat level:

10/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/63de04cc696b2d9725753979/reports/316c62b8-0c55-4e7a-95e6-b2c5d37651c9/overview

Verdict:

Malicious

Labled as:

MSILHeracles.Generic

Link:

https://www.hybrid-analysis.com/sample/0eb87a3705190f81e96901e1376d66657c704915ff88e4ccc954128ba6a7efe0

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Generic Malware

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/1fad8b33-7ac3-4d21-bb79-010dfc24262e

Result

Threat name:

Panda Stealer, Phoenix Stealer

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1165680

Signature

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Yara detected AntiVM3

Yara detected Panda Stealer

Yara detected Phoenix Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/0eb87a3705190f81e96901e1376d66657c704915ff88e4ccc954128ba6a7efe0/

Threat name:

Win32.Trojan.PredatorThief

Status:

Malicious

First seen:

2023-02-03 22:02:10 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

15 of 38 (39.47%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=b24hunyfdehyd2ljahqto3lgmv6hasiv76eojtgjkqjixjvh57qa._file

Verdict:

malicious

Result

Malware family:

pandastealer

Score:

10/10

Tags:

family:pandastealer stealer

Link:

https://tria.ge/reports/230204-hzdb8scg55/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Panda Stealer payload

PandaStealer

Unpacked files

SH256 hash:

a7620af2769aa6d278b57ddf3d775efce5d177d412bc8afa18b8da8fd52e939a

MD5 hash:

a1af62087b250e851e65800bc2cfb0aa

SHA1 hash:

faec71755eaa99dc6fd32b9a5eb37b752b703eb6

Link:

https://www.unpac.me/results/54fae6dd-1481-4b88-925e-c728a4f2a35a/

SH256 hash:

349504a0ced91401b492a9c2d0f3af028658aaa9e2dddaf5383e5c960352d450

MD5 hash:

5ffc91a062957557f0e871734ff2e295

SHA1 hash:

dd5be8b9bc1c7c78b354221a959fda438b7dae3c

Link:

https://www.unpac.me/results/54fae6dd-1481-4b88-925e-c728a4f2a35a/

SH256 hash:

ba82558a859d8599157c8a24fc4abd037776b3f4aace24ebabfa4fe493915552

MD5 hash:

2c91b4cdf00df0efd8666dcb61ca500b

SHA1 hash:

d8b3bacf5883cd5a642d7301c9d838c6068aaacb

Link:

https://www.unpac.me/results/54fae6dd-1481-4b88-925e-c728a4f2a35a/

SH256 hash:

e8b2f434ad6f440274d5f5fb18a2f424bf8492e9b77883eeae0b7e2922bf714a

MD5 hash:

81318d806255e9af95c2f35a1b51db08

SHA1 hash:

7cc095b244400aae50faa0c95d775fb182bfff9b

Link:

https://www.unpac.me/results/54fae6dd-1481-4b88-925e-c728a4f2a35a/

SH256 hash:

d5fa3d57079919972c5b5c4da2407329f4f7650473149e14801d02c3a894249e

MD5 hash:

5eba1f0891134fb81a2952f285759ee4

SHA1 hash:

4f063213d4d6ba7098b638f19a8f9d1826e5c746

Link:

https://www.unpac.me/results/54fae6dd-1481-4b88-925e-c728a4f2a35a/

SH256 hash:

0eb87a3705190f81e96901e1376d66657c704915ff88e4ccc954128ba6a7efe0

MD5 hash:

9ef762f37d18159788b6f1ddedd432c6

SHA1 hash:

83349f9a92bba8d297a8bd63b8cebeeae13fc3e8

Link:

https://www.unpac.me/results/54fae6dd-1481-4b88-925e-c728a4f2a35a/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/0eb87a3705190f81e96901e1376d66657c704915ff88e4ccc954128ba6a7efe0

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Dropped by

PrivateLoader

Delivery method

Distributed via drive-by

Cape

https://www.capesandbox.com/analysis/360176/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample