MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e1eda5c9ef3158ecc5dabc82b244def26c0a938c797a1c97752ff32505b0f048. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



PandaStealer


Vendor detections: 6



SHA256 hash: e1eda5c9ef3158ecc5dabc82b244def26c0a938c797a1c97752ff32505b0f048
SHA3-384 hash: 8ba29c2f3c7b9b1f490c4816c0ef20c76f3073b2962c81d5d78b87642334b591e08c05c4c2fa9e0db2f6581eb68e7e33
SHA1 hash: 611cb3591c6a428f01f82c08c4bea4972635445f
MD5 hash: 8f94297c9a87de5c84a3c6b2d43a3809
humanhash: artist-xray-washington-maine
File name: 8f94297c9a87de5c84a3c6b2d43a3809.exe
Signature: PandaStealer
File size: 3'688'752 bytes
First seen: 2021-03-17 08:23:38 UTC
Last seen: 2021-03-17 10:43:48 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep: 1536:U6+o7BcTd7F+jNFIuj+pVlw4lNJz1VD3zzvizZ5systS34UfNS34Uf:UmFCsZF1jg7TJz15PNyxs
Threatray: 35 similar samples on MalwareBazaar
TLSH: 38061D16BFDB50ECBB08B10C7EE64035414EBA04E73B957E85BA8BC4B73388A56D5D24
Reporter: abuse_ch
Tags: exe PandaStealer signed

Code Signing Certificate

Organisation: Invincea, Inc.
Issuer: DigiCert High Assurance Code Signing CA-1
Algorithm: sha1WithRSAEncryption
Valid from: 2018-01-05T00:00:00Z
Valid to: 2019-12-31T12:00:00Z
Serial number: 0be3f393d1ef0272aed0e2319c1b5dd0
Intelligence: 19 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm: SHA256
Thumbprint: b88acbbee18f369f37cef087fabc3473805bf9fa75f591070a1c1c779d35741b
Source: This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence


File Origin
# of uploads: 2
# of downloads: 103
Origin country: n/a
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 8f94297c9a87de5c84a3c6b2d43a3809.exe
Verdict: Malicious activity
Analysis date: 2021-03-17 09:05:24 UTC
Tags: stealer

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a window
Running batch commands
Creating a process with a hidden window
Launching a process
Unauthorized injection to a recently created process
Adding an access-denied ACE
Creating a file in the %temp% directory
Launching the default Windows debugger (dwwin.exe)
Deleting a recently created file
Reading critical registry keys
Replacing files
Sending a UDP request
Stealing user critical data
Connection attempt to an infection source
Result
Verdict: UNKNOWN
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Unknown
Detection: malicious
Classification: spyw.evad
Score: 64 / 100
Signature
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Tries to harvest and steal browser information (history, passwords, etc)
Behaviour
Behavior Graph (rendered graph not reproduced; details recovered from it follow)
Behavior Graph ID: 369948
Sample: ozXfd332ec.exe
Start date: 17/03/2021
Architecture: WINDOWS
Score: 64
Top-level signatures: Multi AV Scanner detection for submitted file; Machine Learning detection for sample; Found many strings related to Crypto-Wallets (likely being stolen)
Process tree:
ozXfd332ec.exe (started) - signature: Hides threads from debuggers
  ozXfd332ec.exe (started) - network: 94.103.84.193, port 2222, VDSINA-ASRU, Russian Federation; signature: Tries to harvest and steal browser information (history, passwords, etc)
  WerFault.exe (started) - dropped file: C:\ProgramData\Microsoft\...\Report.wer, Little-endian
  cmd.exe (started)
    conhost.exe (started)
    timeout.exe (started)
Threat name: ByteCode-MSIL.Trojan.Wacatac
Status: Malicious
First seen: 2021-02-04 15:35:32 UTC
File Type: PE (.Net Exe)
AV detection: 20 of 47 (42.55%)
Threat level: 5/5
Result
Malware family: n/a
Score: 7/10
Tags: spyware stealer
Behaviour
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Reads user/profile data of web browsers
Unpacked files
SHA256 hash: 880416d34a08b538f329e20fad07aeae1e588dc5669908bdc1e6710eceeb06e9
MD5 hash: 3d0e301faafe8818a1c6bb1c7a8b2acb
SHA1 hash: 42963d7b6b25483b4130867131a860ecac4edb90
SHA256 hash: bcbf1423db302d5d3431da8bd68aac49a70e1df2ed1b9c06ec89f596d17bd045
MD5 hash: 864cd168e87f8ebf1732ff71adfdc892
SHA1 hash: d062f8aaf4bf34bfc82397e64ba98d20a6950262
SHA256 hash: e1eda5c9ef3158ecc5dabc82b244def26c0a938c797a1c97752ff32505b0f048
MD5 hash: 8f94297c9a87de5c84a3c6b2d43a3809
SHA1 hash: 611cb3591c6a428f01f82c08c4bea4972635445f
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: INDICATOR_KB_CERT_0be3f393d1ef0272aed0e2319c1b5dd0
Author: ditekSHen
Description: Detects executables signed with stolen, revoked or invalid certificates
Rule name: INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Author: ditekSHen
Description: Detects executables containing SQL queries to confidential data stores. Observed in infostealers
Rule name: MALWARE_Win_Alfonoso
Author: ditekSHen
Description: Detects Alfonoso infostealer
Rule name: Stealer_word_in_memory
Author: James_inthe_box
Description: The actual word stealer in memory
Rule name: Steam_stealer_bin_mem
Author: James_inthe_box
Description: Steam in files like avemaria
Rule name: Telegram_stealer_bin_mem
Author: James_inthe_box
Description: Telegram in files like avemaria
Rule name: with_sqlite
Author: Julian J. Gonzalez <info@seguridadparatodos.es>
Description: Rule to detect the presence of SQLite data in raw image
Reference: http://www.st2labs.com

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Malware family: PandaStealer
File type: Executable exe
SHA256 hash: e1eda5c9ef3158ecc5dabc82b244def26c0a938c797a1c97752ff32505b0f048 (this sample)

Delivery method
Distributed via web download

Comments