MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a97397b1d9ac7e1b1aab153d2529680c0d6f0977c9e2f68c3febd1661629dbe1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

PandaStealer

Vendor detections: 12

Intelligence 12 IOCs YARA 4 File information Comments

SHA256 hash:	a97397b1d9ac7e1b1aab153d2529680c0d6f0977c9e2f68c3febd1661629dbe1
SHA3-384 hash:	0eefa9a6c9a6dfd37fd191a331e2a309acc1bba5fc0cb943dfb93978a73e4ceed98d0b745cf429e446e6fdc6bc9078f8
SHA1 hash:	5fc4ee57193abd315a5910035cf8ca7f7d06c50b
MD5 hash:	43c72a273a4c430c9fda1654cb9be2cf
humanhash:	vermont-washington-fourteen-iowa
File name:	43c72a273a4c430c9fda1654cb9be2cf.exe
Download:	download sample
Signature	PandaStealer Create hunting rule
File size:	558'592 bytes
First seen:	2022-03-03 08:42:30 UTC
Last seen:	2022-03-22 01:11:25 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	06c6e92acd3ff57b00b3132976b3f6d6 (32 x PhoenixStealer, 2 x PandaStealer, 1 x Worm.Ramnit)
ssdeep	12288:F7vT8cGUCZmxIwNjVGCXZqmmJUL+JHkdIUnjoqhwgw4d:Fz4BUCZmxIw1VGCXZ5mJdkdZnBh7
Threatray	42 similar samples on MalwareBazaar
TLSH	T119C4BE17E6428076E4632430265D9B7649BD76300A2655BBF3C42E2D9EF02F2AB35F37
Reporter	abuse_ch
Tags:	exe PandaStealer

Intelligence

File Origin

# of uploads :

# of downloads :

172

Origin country :

n/a

Vendor Threat Intelligence

Detection:

Alfonoso

Link:

https://www.capesandbox.com/analysis/246784/

Detection(s):

Win.Malware.Zusy-9812688-0

Win.Malware.Zusy-9828887-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

Sending a custom TCP request

Result

Malware family:

n/a

Score:

7/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/7999/overview

Behaviour

MalwareBazaar

MeasuringTime

CallSleep

EvasionQueryPerformanceCounter

CheckCmdLine

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Panda Stealer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/74a2d0b0-1be7-40ff-a8d8-1fccffe3e02e

Result

Threat name:

Panda Stealer

Detection:

malicious

Classification:

troj.spyw

Score:

88 / 100

Link:

https://www.joesandbox.com/analysis/949773

Signature

Antivirus / Scanner detection for submitted sample

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Yara detected Panda Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/a97397b1d9ac7e1b1aab153d2529680c0d6f0977c9e2f68c3febd1661629dbe1/

Threat name:

Win32.Trojan.Matanbuchus

Status:

Malicious

First seen:

2022-02-24 15:59:00 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

39 of 43 (90.70%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=vfzzpmozvr7bwgvlcu6skklibqgw6clxzhrpndb75piwmfrj3pqq._file

Verdict:

malicious

PandaStealer

2b697dedde68e57f4ce0031983226e1db30f0e41e52e5307f1bb1eddc87ae7e7

PandaStealer

2e7a02de59323fccbd4c44da43a2846b6492bf68cf0b22057e42200a4bba1e93

PandaStealer

34f78f4028c51f6340c1f4846b65252fa6686ba0a5ab8ebc35c737a8960ba43e

PandaStealer

5097ba1476b2f7bbbb7663fa2aabbcb20d0de43e2a96696ab41e702e599c8003

PandaStealer

610f2955234ded50bd35c426f36b4dea3c2f1d45999c93753c6b73c94e77919b

PandaStealer

77b9b69c6a0c2d1ca22a03ce3833852a11e06ca4a0e47e7dfd8b4c3f1846c350

PandaStealer

86462a022a9325952181a5097e2bb49e90b4dad598abec1cd6e8b0d74fd930a8

PandaStealer

aae030dd9da75eb9b769fc2fe9aff3377ed2024938bdac96da4e24130abdc6c6

PandaStealer

db6b5ff99f5037cf2f4968560a4e4bfdc977782aa731eb0566e819e8a8a67b9a

PandaStealer

+ 32 additional samples on MalwareBazaar

Result

Malware family:

phoenixstealer

Score:

10/10

Tags:

family:phoenixstealer stealer

Link:

https://tria.ge/reports/220303-kmk8esaaf6/

Behaviour

PhoenixStealer

Unpacked files

SH256 hash:

a97397b1d9ac7e1b1aab153d2529680c0d6f0977c9e2f68c3febd1661629dbe1

MD5 hash:

43c72a273a4c430c9fda1654cb9be2cf

SHA1 hash:

5fc4ee57193abd315a5910035cf8ca7f7d06c50b

Link:

https://www.unpac.me/results/b71d4b8a-dc6b-477f-8b5b-f5435034027f/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/a97397b1d9ac7e1b1aab153d2529680c0d6f0977c9e2f68c3febd1661629dbe1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	MALWARE_Win_Alfonoso Create hunting rule
Author:	ditekSHen
Description:	Detects Alfonoso / Shurk / HunterStealer infostealer

Rule name:	SUSP_XORed_URL_in_EXE Create hunting rule
Author:	Florian Roth
Description:	Detects an XORed URL in an executable
Reference:	https://twitter.com/stvemillertime/status/1237035794973560834

Rule name:	SUSP_XORed_URL_in_EXE_RID2E46 Create hunting rule
Author:	Florian Roth
Description:	Detects an XORed URL in an executable
Reference:	https://twitter.com/stvemillertime/status/1237035794973560834

Rule name:	XOREngine_Misc_XOR_Func Create hunting rule
Author:	smiller cc @florian @wesley idea on implementation with yara's built in XOR function
Description:	Use with care, https://twitter.com/cyb3rops/status/1237042104406355968