MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 70b80a1a24d526e456893f0185550c15c3d914deaf8ebaa02d8817a15aa5bf80. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

PandaStealer

Vendor detections: 10

Intelligence 10 IOCs YARA 3 File information Comments

SHA256 hash:	70b80a1a24d526e456893f0185550c15c3d914deaf8ebaa02d8817a15aa5bf80
SHA3-384 hash:	4c3eda0d709f319b02060ed208d86fd41105bfb22f59d06185f7d030cd28595d0b7215d25da7579aa0bfabf5e53bacc1
SHA1 hash:	ae2e389320bec602965a5f12c13e595df870ac0f
MD5 hash:	6abff90b8cb80533bca9eb040ed698da
humanhash:	venus-cola-venus-stairway
File name:	ForceNitro.exe
Download:	download sample
Signature	PandaStealer Create hunting rule
File size:	780'288 bytes
First seen:	2021-06-24 21:51:39 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	51ff75d6d097884e3e24394f5a7d0c8f (1 x PandaStealer)
ssdeep	12288:RXfl4WqP5C+ZQpvBlUh1ArlVOs/mRtZJhg6VQ/IoDsp+LbMoUA5bQcoln+TMuHat:RXN4WO5upvH4ip/mRtZJVQ/IoDswYg0B
Threatray	7 similar samples on MalwareBazaar
TLSH	86F4AE52B5C2C0B2D47100314E68ABF117BDF9300A369D9BBFD4664E8E6D9D25D32A37
Reporter	Anonymous
Tags:	exe gaming PandaStealer

Anonymous

We run a multi-gaming organisation/multi-game guild with a large amount of members, and receive targeted spearphishing and non-targeted malware typically RATs or keyloggers, attempting to compromise accounts and steal items.

On our forums, we also automatically quarantine new accounts that DM users links. These uploads are typically the outputs of online uploads, spambots, or users trying to steal kids' game accounts.

Intelligence

File Origin

# of uploads :

# of downloads :

127

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

ForceNitro.exe

Verdict:

Malicious activity

Analysis date:

2021-06-24 21:52:54 UTC

Tags:

stealer

Link:

https://app.any.run/tasks/856dfa4e-db14-4498-b584-52208b3cea2e

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

PandaStealer

Link:

https://www.capesandbox.com/analysis/168157/

Detection(s):

Win.Malware.Zusy-9812688-0

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Panda Stealer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/ec5f89e9-a9a8-4254-aa27-ee4899cc9a2f

Result

Threat name:

CollectorGoomba

Detection:

malicious

Classification:

troj.spyw

Score:

76 / 100

Link:

https://www.joesandbox.com/analysis/807798

Signature

Antivirus / Scanner detection for submitted sample

Machine Learning detection for sample

Multi AV Scanner detection for domain / URL

Performs DNS queries to domains with low reputation

Tries to harvest and steal browser information (history, passwords, etc)

Yara detected CollectorGoomba

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/70b80a1a24d526e456893f0185550c15c3d914deaf8ebaa02d8817a15aa5bf80/

Threat name:

Win32.Trojan.Glupteba

Status:

Malicious

First seen:

2021-06-24 21:52:22 UTC

AV detection:

23 of 46 (50.00%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=oc4augre2utoivujh4aykvimcxb5sfg6v6hlvibnral2cwvfx6aa._file

Verdict:

unknown

PandaStealer

30af8d3ec685a4a5669f1377bb74589772a0428d9daa214c179a795dcf4b9030

PandaStealer

5619c8395d506c05cebd14d6145c87a87e52b265a2442aa6dbea431f94c22eef

PandaStealer

57b3bc2626b9c7fa3000e8be451e8b5799e39e0c9c957847467623a26e2c0652

PandaStealer

768ea597d760b5748bf05f48e81ba41b91a49f3943a0269c868b716e92dd232d

PandaStealer

97488be036cb1cf1a500188d3449062f4f10d83afb57630a8f6497edb196dc21

PandaStealer

b5188b0e21575407dbfc61df11d80353a6fec4f57098596b45e37bc746ba58e9

PandaStealer

Result

Malware family:

pandastealer

Score:

10/10

Tags:

family:pandastealer spyware stealer

Link:

https://tria.ge/reports/210624-qbwcpjfqhx/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Deletes itself

Reads user/profile data of web browsers

PandaStealer

Unpacked files

SH256 hash:

70b80a1a24d526e456893f0185550c15c3d914deaf8ebaa02d8817a15aa5bf80

MD5 hash:

6abff90b8cb80533bca9eb040ed698da

SHA1 hash:

ae2e389320bec602965a5f12c13e595df870ac0f

Link:

https://www.unpac.me/results/3c3d65f4-3ebd-44a2-9d8b-1c4dda5c6d96/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/70b80a1a24d526e456893f0185550c15c3d914deaf8ebaa02d8817a15aa5bf80

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Ping_Del_method_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	cmd ping IP nul del

Rule name:	SUSP_XORed_URL_in_EXE Create hunting rule
Author:	Florian Roth
Description:	Detects an XORed URL in an executable
Reference:	https://twitter.com/stvemillertime/status/1237035794973560834

Rule name:	with_sqlite Create hunting rule
Author:	Julian J. Gonzalez <info@seguridadparatodos.es>
Description:	Rule to detect the presence of SQLite data in raw image
Reference:	http://www.st2labs.com

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/168157/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample