pandastealer | ee7c97b8f6d16ec0ba83e60e99f625be58bbcf24c0ddeba40461324661732170

General

Target

ee7c97b8f6d16ec0ba83e60e99f625be58bbcf24c0ddeba40461324661732170.exe
Size

657KB
MD5

8ed6d907728a4b6647b1283abbfc2233
SHA1

34965adb74613e90a0b0777098fd39c97ff6f877
SHA256

ee7c97b8f6d16ec0ba83e60e99f625be58bbcf24c0ddeba40461324661732170
SHA512

6da65cb2956f23efb19b4082fa768b9affc4a4e3f1c36532b471e47d5bf392f7976bac9c04b22bec7992d614785a347e0e9592e104fdb0503491fb61afaf3e1a

Score

10^/10

Malware Config

Signatures

Panda Stealer Payload 8 IoCs

resource	yara_rule
behavioral1/files/0x00090000000121f7-55.dat	family_pandastealer
behavioral1/files/0x00090000000121f7-58.dat	family_pandastealer
behavioral1/files/0x00090000000121f7-57.dat	family_pandastealer
behavioral1/files/0x00090000000121f7-56.dat	family_pandastealer
behavioral1/files/0x00090000000121f7-59.dat	family_pandastealer
behavioral1/files/0x00090000000121f7-60.dat	family_pandastealer
behavioral1/memory/1180-61-0x00000000013C0000-0x0000000001476000-memory.dmp	family_pandastealer
behavioral1/files/0x00080000000121fd-64.dat	family_pandastealer

PandaStealer
Panda Stealer is a fork of CollectorProject Stealer written in C++.
stealer pandastealer

Executes dropped EXE 2 IoCs

pid	Process
1180	dqwqdqwdqwqwd.exe
784	dwdqdfqwfqwbbvv.exe

Loads dropped DLL 4 IoCs

pid	Process
1584	ee7c97b8f6d16ec0ba83e60e99f625be58bbcf24c0ddeba40461324661732170.exe
1584	ee7c97b8f6d16ec0ba83e60e99f625be58bbcf24c0ddeba40461324661732170.exe
1584	ee7c97b8f6d16ec0ba83e60e99f625be58bbcf24c0ddeba40461324661732170.exe
1584	ee7c97b8f6d16ec0ba83e60e99f625be58bbcf24c0ddeba40461324661732170.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
784	dwdqdfqwfqwbbvv.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1584 wrote to memory of 1180	1584	ee7c97b8f6d16ec0ba83e60e99f625be58bbcf24c0ddeba40461324661732170.exe	27
PID 1584 wrote to memory of 1180	1584	ee7c97b8f6d16ec0ba83e60e99f625be58bbcf24c0ddeba40461324661732170.exe	27
PID 1584 wrote to memory of 1180	1584	ee7c97b8f6d16ec0ba83e60e99f625be58bbcf24c0ddeba40461324661732170.exe	27
PID 1584 wrote to memory of 1180	1584	ee7c97b8f6d16ec0ba83e60e99f625be58bbcf24c0ddeba40461324661732170.exe	27
PID 1180 wrote to memory of 784	1180	dqwqdqwdqwqwd.exe	28
PID 1180 wrote to memory of 784	1180	dqwqdqwdqwqwd.exe	28
PID 1180 wrote to memory of 784	1180	dqwqdqwdqwqwd.exe	28
PID 1180 wrote to memory of 784	1180	dqwqdqwdqwqwd.exe	28

C:\Users\Admin\AppData\Local\Temp\ee7c97b8f6d16ec0ba83e60e99f625be58bbcf24c0ddeba40461324661732170.exe
"C:\Users\Admin\AppData\Local\Temp\ee7c97b8f6d16ec0ba83e60e99f625be58bbcf24c0ddeba40461324661732170.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1584
- C:\Users\Admin\AppData\Local\Temp\dqwqdqwdqwqwd.exe
  "C:\Users\Admin\AppData\Local\Temp\dqwqdqwdqwqwd.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1180
- - C:\Users\Admin\AppData\Local\dwdqdfqwfqwbbvv.exe
    "C:\Users\Admin\AppData\Local\dwdqdfqwfqwbbvv.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:784

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1180-61-0x00000000013C0000-0x0000000001476000-memory.dmp

Filesize
728KB

Download
memory/1180-62-0x000007FEFC4A1000-0x000007FEFC4A3000-memory.dmp

Filesize
8KB

Download
memory/1180-63-0x0000000002880000-0x000000001A940000-memory.dmp

Filesize
384.8MB

Download
memory/1584-54-0x0000000076921000-0x0000000076923000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing