pandastealer | 5cbe850f672ab2ba13bef9015eca0712fa071c918b4a435b6486e41f42862aab

General

Target

5cbe850f672ab2ba13bef9015eca0712fa071c918b4a435b6486e41f42862aab.exe
Size

1.3MB
MD5

396f2b95ceaa2a0f978b514b7552b2b4
SHA1

b7bc8fc2437026235c0183cfe1f444a72cefc55a
SHA256

5cbe850f672ab2ba13bef9015eca0712fa071c918b4a435b6486e41f42862aab
SHA512

207b36b3282323ac0ccaaf3ebc077ee1d2f0bc7a36f3c0c1dea454af116f56682dfa8aabf04f52704a8f926f1264b7cc9ea9ee4c6555f5c44099db1aadf12562

Score

10^/10

pandastealer stealer

Malware Config

Signatures

Panda Stealer Payload 4 IoCs

Processes:

resource	yara_rule
behavioral1/memory/556-66-0x0000000000400000-0x00000000004AE000-memory.dmp	family_pandastealer
behavioral1/memory/556-68-0x0000000000400000-0x00000000004AE000-memory.dmp	family_pandastealer
behavioral1/memory/556-70-0x0000000000400000-0x00000000004AE000-memory.dmp	family_pandastealer
behavioral1/memory/556-72-0x0000000000400000-0x00000000004AE000-memory.dmp	family_pandastealer

PandaStealer
Panda Stealer is a fork of CollectorProject Stealer written in C++.
stealer pandastealer

Suspicious use of SetThreadContext 1 IoCs

Processes:

5cbe850f672ab2ba13bef9015eca0712fa071c918b4a435b6486e41f42862aab.exe

description	pid	process	target process
PID 972 set thread context of 556	972	5cbe850f672ab2ba13bef9015eca0712fa071c918b4a435b6486e41f42862aab.exe	5cbe850f672ab2ba13bef9015eca0712fa071c918b4a435b6486e41f42862aab.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1272 556 WerFault.exe 5cbe850f672ab2ba13bef9015eca0712fa071c918b4a435b6486e41f42862aab.exe

pid	pid_target	process	target process
1272	556	WerFault.exe	5cbe850f672ab2ba13bef9015eca0712fa071c918b4a435b6486e41f42862aab.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

5cbe850f672ab2ba13bef9015eca0712fa071c918b4a435b6486e41f42862aab.exe5cbe850f672ab2ba13bef9015eca0712fa071c918b4a435b6486e41f42862aab.exe

description	pid	process	target process
PID 972 wrote to memory of 556	972	5cbe850f672ab2ba13bef9015eca0712fa071c918b4a435b6486e41f42862aab.exe	5cbe850f672ab2ba13bef9015eca0712fa071c918b4a435b6486e41f42862aab.exe
PID 972 wrote to memory of 556	972	5cbe850f672ab2ba13bef9015eca0712fa071c918b4a435b6486e41f42862aab.exe	5cbe850f672ab2ba13bef9015eca0712fa071c918b4a435b6486e41f42862aab.exe
PID 972 wrote to memory of 556	972	5cbe850f672ab2ba13bef9015eca0712fa071c918b4a435b6486e41f42862aab.exe	5cbe850f672ab2ba13bef9015eca0712fa071c918b4a435b6486e41f42862aab.exe
PID 972 wrote to memory of 556	972	5cbe850f672ab2ba13bef9015eca0712fa071c918b4a435b6486e41f42862aab.exe	5cbe850f672ab2ba13bef9015eca0712fa071c918b4a435b6486e41f42862aab.exe
PID 972 wrote to memory of 556	972	5cbe850f672ab2ba13bef9015eca0712fa071c918b4a435b6486e41f42862aab.exe	5cbe850f672ab2ba13bef9015eca0712fa071c918b4a435b6486e41f42862aab.exe
PID 972 wrote to memory of 556	972	5cbe850f672ab2ba13bef9015eca0712fa071c918b4a435b6486e41f42862aab.exe	5cbe850f672ab2ba13bef9015eca0712fa071c918b4a435b6486e41f42862aab.exe
PID 972 wrote to memory of 556	972	5cbe850f672ab2ba13bef9015eca0712fa071c918b4a435b6486e41f42862aab.exe	5cbe850f672ab2ba13bef9015eca0712fa071c918b4a435b6486e41f42862aab.exe
PID 972 wrote to memory of 556	972	5cbe850f672ab2ba13bef9015eca0712fa071c918b4a435b6486e41f42862aab.exe	5cbe850f672ab2ba13bef9015eca0712fa071c918b4a435b6486e41f42862aab.exe
PID 972 wrote to memory of 556	972	5cbe850f672ab2ba13bef9015eca0712fa071c918b4a435b6486e41f42862aab.exe	5cbe850f672ab2ba13bef9015eca0712fa071c918b4a435b6486e41f42862aab.exe
PID 972 wrote to memory of 556	972	5cbe850f672ab2ba13bef9015eca0712fa071c918b4a435b6486e41f42862aab.exe	5cbe850f672ab2ba13bef9015eca0712fa071c918b4a435b6486e41f42862aab.exe
PID 556 wrote to memory of 1272	556	5cbe850f672ab2ba13bef9015eca0712fa071c918b4a435b6486e41f42862aab.exe	WerFault.exe
PID 556 wrote to memory of 1272	556	5cbe850f672ab2ba13bef9015eca0712fa071c918b4a435b6486e41f42862aab.exe	WerFault.exe
PID 556 wrote to memory of 1272	556	5cbe850f672ab2ba13bef9015eca0712fa071c918b4a435b6486e41f42862aab.exe	WerFault.exe
PID 556 wrote to memory of 1272	556	5cbe850f672ab2ba13bef9015eca0712fa071c918b4a435b6486e41f42862aab.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\5cbe850f672ab2ba13bef9015eca0712fa071c918b4a435b6486e41f42862aab.exe
"C:\Users\Admin\AppData\Local\Temp\5cbe850f672ab2ba13bef9015eca0712fa071c918b4a435b6486e41f42862aab.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:972

C:\Users\Admin\AppData\Local\Temp\5cbe850f672ab2ba13bef9015eca0712fa071c918b4a435b6486e41f42862aab.exe
"{path}"
2⤵
- Suspicious use of WriteProcessMemory
PID:556

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 556 -s 136
3⤵
- Program crash
PID:1272

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/556-60-0x0000000000400000-0x00000000004AE000-memory.dmp

Filesize
696KB

Download
memory/556-62-0x0000000000400000-0x00000000004AE000-memory.dmp

Filesize
696KB

Download
memory/556-64-0x0000000000400000-0x00000000004AE000-memory.dmp

Filesize
696KB

Download
memory/556-66-0x0000000000400000-0x00000000004AE000-memory.dmp

Filesize
696KB

Download
memory/556-68-0x0000000000400000-0x00000000004AE000-memory.dmp

Filesize
696KB

Download
memory/556-70-0x0000000000400000-0x00000000004AE000-memory.dmp

Filesize
696KB

Download
memory/556-72-0x0000000000400000-0x00000000004AE000-memory.dmp

Filesize
696KB

Download
memory/972-55-0x0000000001090000-0x00000000011DC000-memory.dmp

Filesize
1.3MB

Download
memory/972-56-0x0000000074950000-0x000000007503E000-memory.dmp

Filesize
6.9MB

Download
memory/972-57-0x0000000004C90000-0x0000000004C91000-memory.dmp

Filesize
4KB

Download
memory/972-58-0x0000000000220000-0x0000000000234000-memory.dmp

Filesize
80KB

Download
memory/972-59-0x0000000008560000-0x000000000865A000-memory.dmp

Filesize
1000KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads