pandastealer | 70b80a1a24d526e456893f0185550c15c3d914deaf8ebaa02d8817a15aa5bf80

Analysis

Target

ForceNitro.exe
Size

762KB
MD5

6abff90b8cb80533bca9eb040ed698da
SHA1

ae2e389320bec602965a5f12c13e595df870ac0f
SHA256

70b80a1a24d526e456893f0185550c15c3d914deaf8ebaa02d8817a15aa5bf80
SHA512

086e4c1eb5a32ae116ffeaf28995cf4e660460fec758c1c4708d0df30413b774924e863381b6a46125c09a82570fbde933f24cac8a0691751998eb075fff1813

Score

10^/10

PandaStealer
Panda Stealer is a fork of CollectorProject Stealer written in C++.
stealer pandastealer
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
636	ForceNitro.exe
636	ForceNitro.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 636 wrote to memory of 808	636	ForceNitro.exe	77
PID 636 wrote to memory of 808	636	ForceNitro.exe	77
PID 636 wrote to memory of 808	636	ForceNitro.exe	77

C:\Users\Admin\AppData\Local\Temp\ForceNitro.exe
"C:\Users\Admin\AppData\Local\Temp\ForceNitro.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:636
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /C Del /f /q "C:\Users\Admin\AppData\Local\Temp\ForceNitro.exe"
  2⤵
  PID:808

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact