MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 513b839cea18adfe5cc8f6307dbf2519ab07c6cca7c46508b778150acb88829a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


PandaStealer


Vendor detections: 12


Intelligence 12 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 513b839cea18adfe5cc8f6307dbf2519ab07c6cca7c46508b778150acb88829a
SHA3-384 hash: d89254ab1df26fba7bae206a1143329720d88346dfeafbafc5d1b672f5b7dfed5a0e5bd6575b31b3275168b20f289207
SHA1 hash: 62c8098fd796dbbb1ae38d4e8eaec2bacae64bea
MD5 hash: dde995cfb07cbb9bc3f054783cb35461
humanhash: steak-paris-oscar-minnesota
File name:dde995cfb07cbb9bc3f054783cb35461.exe
Download: download sample
Signature PandaStealer
Create hunting rule
File size:759'296 bytes
First seen:2023-02-07 08:26:48 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash fa196ffe3554a112ec3db8d999b31772 (1 x DCRat, 1 x PandaStealer)
ssdeep 12288:s/lF1MbcEK5zByepp5uZpJwPHITFl76WeggtgWwdW1ZdhCEfg7Y1Mh6sP7P3e3:0aIhrpv8GPohoW9gtgDdo/hCEfgTTPu3
Threatray 99 similar samples on MalwareBazaar
TLSH T120F4DF7C5F6A5072D6C53875EE2BE3B8D8B72AF20C7B490A7F67214513B024926E60DC
TrID 38.6% (.EXE) Win32 EXE PECompact compressed (generic) (41569/9/9)
29.0% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
9.7% (.EXE) Win64 Executable (generic) (10523/12/4)
6.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
Reporter abuse_ch
Tags:exe PandaStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
190
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
dde995cfb07cbb9bc3f054783cb35461.exe
Verdict:
No threats detected
Analysis date:
2023-02-07 08:31:49 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/95cd9a77-d957-43c0-9cad-658a81e3b38b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Alfonso Infostealer
Create hunting rule
Link:
https://www.capesandbox.com/analysis/361277/
Detection(s):
Win.Packed.Zusy-9981644-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Launching a process
Searching for synchronization primitives
Сreating synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Unauthorized injection to a system process
Result
Malware family:
n/a
Score:
  9/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/66055/overview
Behaviour
MalwareBazaar
CPUID_Instruction
SystemUptime
MeasuringTime
CheckCmdLine
EvasionGetTickCount
EvasionQueryPerformanceCounter
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware packed shell32.dll zusy
Link:
https://www.filescan.io/uploads/63e20b64447edb203a030685/reports/1eac6e2e-429b-4b51-b299-0b5c56531608/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/513b839cea18adfe5cc8f6307dbf2519ab07c6cca7c46508b778150acb88829a
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/6bf1f022-b807-4bc7-994a-7c1113c4d064
Result
Threat name:
Panda Stealer, Phoenix Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1167489
Signature
Allocates memory in foreign processes
Contains functionality to inject code into remote processes
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Writes to foreign memory regions
Yara detected Panda Stealer
Yara detected Phoenix Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/513b839cea18adfe5cc8f6307dbf2519ab07c6cca7c46508b778150acb88829a/
Gathering data
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ke5yhhhkdcw74xgi6yyh3pzfdgvqprwmu7cgkcfxpakqvs4iqkna._file
Verdict:
malicious
Similar samples:
013d0e7c33c844d36b99c16feafcb7d1542317e211e9dae3ff6d3c89087da8a1
PandaStealer
0eb87a3705190f81e96901e1376d66657c704915ff88e4ccc954128ba6a7efe0
PandaStealer
39d3801ccfbeb255a58b591edb846b38e5efef1cd36e0aba54fec3d164e8d795
PandaStealer
4901458729d9f901ec6e7ca5dc22b06434b5c966fb9c281d72ea873707fa4579
PandaStealer
4a020d59e8a71ae206743dba9a731a46959be011825fee6a51c1b0b9ecd5ee17
PandaStealer
504ab5e0d1e8230eb45fad2a558192e6ca40421faf9b6c07c6d2355ce0883766
PandaStealer
c3a234ea68a334dbf64c30a22cf12862b1ed45cd49f34d0314a0774332b69418
PandaStealer
+ 89 additional samples on MalwareBazaar
Result
Malware family:
pandastealer
Create hunting rule
Score:
  10/10
Tags:
family:pandastealer stealer
Link:
https://tria.ge/reports/230207-kce9esad92/
Behaviour
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Panda Stealer payload
PandaStealer
Unpacked files
SH256 hash:
27d7d6d96e18d65906c0b8d712ca583f506208dc0a6872877591a256f9885e03
MD5 hash:
65ef32772ac1378e03e83165ffba7718
SHA1 hash:
2117fdf5b70e3edf0a37a738852ad476c08c2d28
Link:
https://www.unpac.me/results/2eaeb9ff-5cc1-4dac-8b5a-2e0b42477351/
SH256 hash:
513b839cea18adfe5cc8f6307dbf2519ab07c6cca7c46508b778150acb88829a
MD5 hash:
dde995cfb07cbb9bc3f054783cb35461
SHA1 hash:
62c8098fd796dbbb1ae38d4e8eaec2bacae64bea
Link:
https://www.unpac.me/results/2eaeb9ff-5cc1-4dac-8b5a-2e0b42477351/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/513b839cea18/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/513b839cea18adfe5cc8f6307dbf2519ab07c6cca7c46508b778150acb88829a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AppLaunch
Create hunting rule
Author:iam-py-test
Description:Detect files referencing .Net AppLaunch.exe
Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:grakate_stealer_nov_2021
Create hunting rule
Rule name:MALWARE_Win_Alfonoso
Create hunting rule
Author:ditekSHen
Description:Detects Alfonoso / Shurk / HunterStealer infostealer
Rule name:MALWARE_Win_PandaStealer
Create hunting rule
Author:ditekSHen
Description:Detects Panda Stealer
Rule name:SUSP_XORed_URL_in_EXE
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Detects an XORed URL in an executable
Reference:https://twitter.com/stvemillertime/status/1237035794973560834
Rule name:SUSP_XORed_URL_in_EXE_RID2E46
Create hunting rule
Author:Florian Roth
Description:Detects an XORed URL in an executable
Reference:https://twitter.com/stvemillertime/status/1237035794973560834

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

PandaStealer

Executable exe 513b839cea18adfe5cc8f6307dbf2519ab07c6cca7c46508b778150acb88829a

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2532825/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/361277/

Comments