pandastealer | 5a819f7cddb64f6ada6803b0eb5eeab0df6a789583049cbdd11a57b679e99029

Analysis

max time kernel
17s
max time network
152s
platform
windows10_x64
resource
win10v20210408
submitted
19-07-2021 00:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Skinchanger.exe
Size

7.0MB
MD5

3ec2afd717e1874cd5b5beffee26fa03
SHA1

89172e4caa7a368c525ffc70868d07ea4b963b4b
SHA256

5a819f7cddb64f6ada6803b0eb5eeab0df6a789583049cbdd11a57b679e99029
SHA512

ab6bb583102f3047f05b0f447f60b7836bdbc84de51efb95503c2069e26d3566aceaa575999123c2603ff22bc439215e7960ecfb7ed955fc40884e1af0e4f8fc

Score

10^/10

pandastealer spyware stealer

Malware Config

Signatures

Panda Stealer Payload 2 IoCs

resource	yara_rule
behavioral2/files/0x000200000001ab4d-115.dat	family_pandastealer
behavioral2/files/0x000200000001ab4d-116.dat	family_pandastealer

PandaStealer
Panda Stealer is a fork of CollectorProject Stealer written in C++.
stealer pandastealer

Executes dropped EXE 1 IoCs

pid	Process
3940	build.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3940	build.exe
3940	build.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 396 wrote to memory of 3940	396	Skinchanger.exe	75
PID 396 wrote to memory of 3940	396	Skinchanger.exe	75
PID 396 wrote to memory of 3940	396	Skinchanger.exe	75

C:\Users\Admin\AppData\Local\Temp\Skinchanger.exe
"C:\Users\Admin\AppData\Local\Temp\Skinchanger.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:396
- C:\Users\Admin\AppData\Local\Temp\build.exe
  "C:\Users\Admin\AppData\Local\Temp\build.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3940

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads