db790cbe0beb2a9c2749cb914fbdec8bdc7aa2ef3c9ca6c721e0c0fede715fb2

General

Target

pandabanker_2.1.0.vir.exe
Size

243KB
MD5

c6ffa4a58e659e537868350abd676ba0
SHA1

cb92588544d6a12f61b66f0694b60a5cacfd4684
SHA256

db790cbe0beb2a9c2749cb914fbdec8bdc7aa2ef3c9ca6c721e0c0fede715fb2
SHA512

a57dc9c62c7898773ec5e259bc2c3c1fbb802635e2a38bce8d6b6d81142d940b3c1c341052cbe88511b7ddfdbeff0dd9c2e7eba5ada62d304f6a686c3c0e01d7

Score

8^/10

spyware

Malware Config

Signatures

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

pandabanker_2.1.0.vir.exe

description pid process

Token: SeSecurityPrivilege 272 pandabanker_2.1.0.vir.exe
Token: SeSecurityPrivilege 272 pandabanker_2.1.0.vir.exe
Loads dropped DLL 2 IoCs

Processes:

pandabanker_2.1.0.vir.exe

pid process

272 pandabanker_2.1.0.vir.exe
272 pandabanker_2.1.0.vir.exe

description	pid	process
Token: SeSecurityPrivilege	272	pandabanker_2.1.0.vir.exe
Token: SeSecurityPrivilege	272	pandabanker_2.1.0.vir.exe

pid	process
272	pandabanker_2.1.0.vir.exe
272	pandabanker_2.1.0.vir.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

pandabanker_2.1.0.vir.exeNewUndo.exe

description	pid	process	target process
PID 272 wrote to memory of 736	272	pandabanker_2.1.0.vir.exe	NewUndo.exe
PID 272 wrote to memory of 736	272	pandabanker_2.1.0.vir.exe	NewUndo.exe
PID 272 wrote to memory of 736	272	pandabanker_2.1.0.vir.exe	NewUndo.exe
PID 272 wrote to memory of 736	272	pandabanker_2.1.0.vir.exe	NewUndo.exe
PID 736 wrote to memory of 1064	736	NewUndo.exe	svchost.exe
PID 736 wrote to memory of 1064	736	NewUndo.exe	svchost.exe
PID 736 wrote to memory of 1064	736	NewUndo.exe	svchost.exe
PID 736 wrote to memory of 1064	736	NewUndo.exe	svchost.exe
PID 736 wrote to memory of 1064	736	NewUndo.exe	svchost.exe
PID 736 wrote to memory of 1064	736	NewUndo.exe	svchost.exe
PID 736 wrote to memory of 1064	736	NewUndo.exe	svchost.exe
PID 736 wrote to memory of 1064	736	NewUndo.exe	svchost.exe
PID 736 wrote to memory of 1064	736	NewUndo.exe	svchost.exe
PID 736 wrote to memory of 1064	736	NewUndo.exe	svchost.exe
PID 736 wrote to memory of 1492	736	NewUndo.exe	svchost.exe
PID 736 wrote to memory of 1492	736	NewUndo.exe	svchost.exe
PID 736 wrote to memory of 1492	736	NewUndo.exe	svchost.exe
PID 736 wrote to memory of 1492	736	NewUndo.exe	svchost.exe
PID 736 wrote to memory of 1492	736	NewUndo.exe	svchost.exe
PID 736 wrote to memory of 1492	736	NewUndo.exe	svchost.exe
PID 736 wrote to memory of 1492	736	NewUndo.exe	svchost.exe
PID 736 wrote to memory of 1492	736	NewUndo.exe	svchost.exe
PID 736 wrote to memory of 1492	736	NewUndo.exe	svchost.exe
PID 736 wrote to memory of 1492	736	NewUndo.exe	svchost.exe
PID 272 wrote to memory of 1872	272	pandabanker_2.1.0.vir.exe	cmd.exe
PID 272 wrote to memory of 1872	272	pandabanker_2.1.0.vir.exe	cmd.exe
PID 272 wrote to memory of 1872	272	pandabanker_2.1.0.vir.exe	cmd.exe
PID 272 wrote to memory of 1872	272	pandabanker_2.1.0.vir.exe	cmd.exe

Executes dropped EXE 1 IoCs

Processes:

NewUndo.exe

pid process

736 NewUndo.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1872 cmd.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

pid	process
736	NewUndo.exe

pid	process
1872	cmd.exe

C:\Users\Admin\AppData\Local\Temp\pandabanker_2.1.0.vir.exe
"C:\Users\Admin\AppData\Local\Temp\pandabanker_2.1.0.vir.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:272

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\8r5uu9el.default-release\crashes\NewUndo.exe
"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\8r5uu9el.default-release\crashes\NewUndo.exe"
2⤵
- Suspicious use of WriteProcessMemory
- Executes dropped EXE
PID:736

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
3⤵
PID:1064

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
3⤵
PID:1492

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\upd72504b5d.bat"
2⤵
- Deletes itself
PID:1872

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\upd72504b5d.bat

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\8r5uu9el.default-release\crashes\NewUndo.exe

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\8r5uu9el.default-release\crashes\NewUndo.exe

Download Submit
\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\8r5uu9el.default-release\crashes\NewUndo.exe

Download Submit
\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\8r5uu9el.default-release\crashes\NewUndo.exe

Download Submit
memory/736-2-0x0000000000000000-mapping.dmp

Download
memory/1064-5-0x0000000000000000-mapping.dmp

Download
memory/1492-6-0x0000000000000000-mapping.dmp

Download
memory/1872-7-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing