62989ab56f11701b109cddf0eb20e995c833078bb40942a8c931589497c25948

General

Target

pandabanker_2.1.1.vir.exe
Size

308KB
MD5

ed09632e3d549edb8f31eaac5562df7c
SHA1

d78f465ffb433d4f2c9382e22e028709567c7eba
SHA256

62989ab56f11701b109cddf0eb20e995c833078bb40942a8c931589497c25948
SHA512

5a4fd769e5eafd76704eff6138eb25637353bdd4e23c769f327f76e2e3dad6cbae06ce7090b88b1d6802e7dfd94639b4316334435fdc2b4efc8f13226e176e2b

Score

8^/10

spyware

Malware Config

Signatures

Suspicious use of UnmapMainImage 2 IoCs

Processes:

pandabanker_2.1.1.vir.exeResumeConnect.exe

pid process

1080 pandabanker_2.1.1.vir.exe
1100 ResumeConnect.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

pandabanker_2.1.1.vir.exe

description pid process

Token: SeSecurityPrivilege 1080 pandabanker_2.1.1.vir.exe
Token: SeSecurityPrivilege 1080 pandabanker_2.1.1.vir.exe
Loads dropped DLL 2 IoCs

Processes:

pandabanker_2.1.1.vir.exe

pid process

1080 pandabanker_2.1.1.vir.exe
1080 pandabanker_2.1.1.vir.exe

pid	process
1080	pandabanker_2.1.1.vir.exe
1100	ResumeConnect.exe

description	pid	process
Token: SeSecurityPrivilege	1080	pandabanker_2.1.1.vir.exe
Token: SeSecurityPrivilege	1080	pandabanker_2.1.1.vir.exe

pid	process
1080	pandabanker_2.1.1.vir.exe
1080	pandabanker_2.1.1.vir.exe

Suspicious use of WriteProcessMemory 26 IoCs

Processes:

pandabanker_2.1.1.vir.exeResumeConnect.exe

description	pid	process	target process
PID 1080 wrote to memory of 1100	1080	pandabanker_2.1.1.vir.exe	ResumeConnect.exe
PID 1080 wrote to memory of 1100	1080	pandabanker_2.1.1.vir.exe	ResumeConnect.exe
PID 1080 wrote to memory of 1100	1080	pandabanker_2.1.1.vir.exe	ResumeConnect.exe
PID 1080 wrote to memory of 1100	1080	pandabanker_2.1.1.vir.exe	ResumeConnect.exe
PID 1100 wrote to memory of 1348	1100	ResumeConnect.exe	svchost.exe
PID 1100 wrote to memory of 1348	1100	ResumeConnect.exe	svchost.exe
PID 1100 wrote to memory of 1348	1100	ResumeConnect.exe	svchost.exe
PID 1100 wrote to memory of 1348	1100	ResumeConnect.exe	svchost.exe
PID 1100 wrote to memory of 1348	1100	ResumeConnect.exe	svchost.exe
PID 1100 wrote to memory of 1348	1100	ResumeConnect.exe	svchost.exe
PID 1100 wrote to memory of 1348	1100	ResumeConnect.exe	svchost.exe
PID 1100 wrote to memory of 1348	1100	ResumeConnect.exe	svchost.exe
PID 1100 wrote to memory of 1348	1100	ResumeConnect.exe	svchost.exe
PID 1100 wrote to memory of 1472	1100	ResumeConnect.exe	svchost.exe
PID 1100 wrote to memory of 1472	1100	ResumeConnect.exe	svchost.exe
PID 1100 wrote to memory of 1472	1100	ResumeConnect.exe	svchost.exe
PID 1100 wrote to memory of 1472	1100	ResumeConnect.exe	svchost.exe
PID 1100 wrote to memory of 1472	1100	ResumeConnect.exe	svchost.exe
PID 1100 wrote to memory of 1472	1100	ResumeConnect.exe	svchost.exe
PID 1100 wrote to memory of 1472	1100	ResumeConnect.exe	svchost.exe
PID 1100 wrote to memory of 1472	1100	ResumeConnect.exe	svchost.exe
PID 1100 wrote to memory of 1472	1100	ResumeConnect.exe	svchost.exe
PID 1080 wrote to memory of 1568	1080	pandabanker_2.1.1.vir.exe	cmd.exe
PID 1080 wrote to memory of 1568	1080	pandabanker_2.1.1.vir.exe	cmd.exe
PID 1080 wrote to memory of 1568	1080	pandabanker_2.1.1.vir.exe	cmd.exe
PID 1080 wrote to memory of 1568	1080	pandabanker_2.1.1.vir.exe	cmd.exe

Executes dropped EXE 1 IoCs

Processes:

ResumeConnect.exe

pid process

1100 ResumeConnect.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1568 cmd.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

pid	process
1100	ResumeConnect.exe

pid	process
1568	cmd.exe

C:\Users\Admin\AppData\Local\Temp\pandabanker_2.1.1.vir.exe
"C:\Users\Admin\AppData\Local\Temp\pandabanker_2.1.1.vir.exe"
1⤵
- Suspicious use of UnmapMainImage
- Suspicious use of AdjustPrivilegeToken
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1080

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\d5vrebxd.default-release\crashes\ResumeConnect.exe
"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\d5vrebxd.default-release\crashes\ResumeConnect.exe"
2⤵
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
- Executes dropped EXE
PID:1100

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
3⤵
PID:1348

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
3⤵
PID:1472

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\upd69a249ee.bat"
2⤵
- Deletes itself
PID:1568

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\upd69a249ee.bat

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\d5vrebxd.default-release\crashes\ResumeConnect.exe

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\d5vrebxd.default-release\crashes\ResumeConnect.exe

Download Submit
\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\d5vrebxd.default-release\crashes\ResumeConnect.exe

Download Submit
\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\d5vrebxd.default-release\crashes\ResumeConnect.exe

Download Submit
memory/1100-2-0x0000000000000000-mapping.dmp

Download
memory/1348-5-0x0000000000000000-mapping.dmp

Download
memory/1472-6-0x0000000000000000-mapping.dmp

Download
memory/1568-7-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing