e4e8aac2107834b2d895fc35d71bb396075d971c650ff173714c3d17956c7da6

General

Target

pandabanker_2.1.2.vir.exe
Size

336KB
MD5

dfb9784c77e51bfb53d018b7b64381ff
SHA1

ab94e10047ee84e26263fa4c1528295b3c9ef945
SHA256

e4e8aac2107834b2d895fc35d71bb396075d971c650ff173714c3d17956c7da6
SHA512

e5ac07c1cfda0111b5a30fbf04eda166588fba76547220b616f53eed1cbb4a31dd7c79c42c3af4925a8750e6bb87a391ec266b93137f176a302982b7997e3ec2

Score

8^/10

spyware

Malware Config

Signatures

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1980 cmd.exe

pid	process
1980	cmd.exe

JavaScript code in executable 3 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\d5vrebxd.default-release\crashes\3870112724rsegmnoittet-es.exe	js
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\d5vrebxd.default-release\crashes\3870112724rsegmnoittet-es.exe	js
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\d5vrebxd.default-release\crashes\3870112724rsegmnoittet-es.exe	js

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

pandabanker_2.1.2.vir.exe

description pid process

Token: SeSecurityPrivilege 1496 pandabanker_2.1.2.vir.exe
Token: SeSecurityPrivilege 1496 pandabanker_2.1.2.vir.exe
Loads dropped DLL 1 IoCs

Processes:

pandabanker_2.1.2.vir.exe

pid process

1496 pandabanker_2.1.2.vir.exe

description	pid	process
Token: SeSecurityPrivilege	1496	pandabanker_2.1.2.vir.exe
Token: SeSecurityPrivilege	1496	pandabanker_2.1.2.vir.exe

pid	process
1496	pandabanker_2.1.2.vir.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

pandabanker_2.1.2.vir.exe3870112724rsegmnoittet-es.exe

description	pid	process	target process
PID 1496 wrote to memory of 1032	1496	pandabanker_2.1.2.vir.exe	3870112724rsegmnoittet-es.exe
PID 1496 wrote to memory of 1032	1496	pandabanker_2.1.2.vir.exe	3870112724rsegmnoittet-es.exe
PID 1496 wrote to memory of 1032	1496	pandabanker_2.1.2.vir.exe	3870112724rsegmnoittet-es.exe
PID 1496 wrote to memory of 1032	1496	pandabanker_2.1.2.vir.exe	3870112724rsegmnoittet-es.exe
PID 1032 wrote to memory of 1660	1032	3870112724rsegmnoittet-es.exe	svchost.exe
PID 1032 wrote to memory of 1660	1032	3870112724rsegmnoittet-es.exe	svchost.exe
PID 1032 wrote to memory of 1660	1032	3870112724rsegmnoittet-es.exe	svchost.exe
PID 1032 wrote to memory of 1660	1032	3870112724rsegmnoittet-es.exe	svchost.exe
PID 1032 wrote to memory of 1660	1032	3870112724rsegmnoittet-es.exe	svchost.exe
PID 1032 wrote to memory of 1660	1032	3870112724rsegmnoittet-es.exe	svchost.exe
PID 1032 wrote to memory of 1660	1032	3870112724rsegmnoittet-es.exe	svchost.exe
PID 1032 wrote to memory of 1660	1032	3870112724rsegmnoittet-es.exe	svchost.exe
PID 1032 wrote to memory of 1624	1032	3870112724rsegmnoittet-es.exe	svchost.exe
PID 1032 wrote to memory of 1624	1032	3870112724rsegmnoittet-es.exe	svchost.exe
PID 1032 wrote to memory of 1624	1032	3870112724rsegmnoittet-es.exe	svchost.exe
PID 1032 wrote to memory of 1624	1032	3870112724rsegmnoittet-es.exe	svchost.exe
PID 1032 wrote to memory of 1624	1032	3870112724rsegmnoittet-es.exe	svchost.exe
PID 1032 wrote to memory of 1624	1032	3870112724rsegmnoittet-es.exe	svchost.exe
PID 1032 wrote to memory of 1624	1032	3870112724rsegmnoittet-es.exe	svchost.exe
PID 1032 wrote to memory of 1624	1032	3870112724rsegmnoittet-es.exe	svchost.exe
PID 1496 wrote to memory of 1980	1496	pandabanker_2.1.2.vir.exe	cmd.exe
PID 1496 wrote to memory of 1980	1496	pandabanker_2.1.2.vir.exe	cmd.exe
PID 1496 wrote to memory of 1980	1496	pandabanker_2.1.2.vir.exe	cmd.exe
PID 1496 wrote to memory of 1980	1496	pandabanker_2.1.2.vir.exe	cmd.exe

Executes dropped EXE 1 IoCs

Processes:

3870112724rsegmnoittet-es.exe

pid process

1032 3870112724rsegmnoittet-es.exe

pid	process
1032	3870112724rsegmnoittet-es.exe

C:\Users\Admin\AppData\Local\Temp\pandabanker_2.1.2.vir.exe
"C:\Users\Admin\AppData\Local\Temp\pandabanker_2.1.2.vir.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1496

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\d5vrebxd.default-release\crashes\3870112724rsegmnoittet-es.exe
"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\d5vrebxd.default-release\crashes\3870112724rsegmnoittet-es.exe"
2⤵
- Suspicious use of WriteProcessMemory
- Executes dropped EXE
PID:1032

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
3⤵
PID:1660

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
3⤵
PID:1624

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\upda40e40e7.bat"
2⤵
- Deletes itself
PID:1980

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\upda40e40e7.bat

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\d5vrebxd.default-release\crashes\3870112724rsegmnoittet-es.exe

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\d5vrebxd.default-release\crashes\3870112724rsegmnoittet-es.exe

Download Submit
\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\d5vrebxd.default-release\crashes\3870112724rsegmnoittet-es.exe

Download Submit
memory/1032-1-0x0000000000000000-mapping.dmp

Download
memory/1032-6-0x00000000020E0000-0x00000000020E4000-memory.dmp

Filesize
16KB

Download
memory/1496-8-0x0000000002280000-0x0000000002284000-memory.dmp

Filesize
16KB

Download
memory/1624-5-0x0000000000000000-mapping.dmp

Download
memory/1660-4-0x0000000000000000-mapping.dmp

Download
memory/1980-7-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing