pandastealer | 5cbe850f672ab2ba13bef9015eca0712fa071c918b4a435b6486e41f42862aab

General

Target

5cbe850f672ab2ba13bef9015eca0712fa071c918b4a435b6486e41f42862aab.exe
Size

1.3MB
MD5

396f2b95ceaa2a0f978b514b7552b2b4
SHA1

b7bc8fc2437026235c0183cfe1f444a72cefc55a
SHA256

5cbe850f672ab2ba13bef9015eca0712fa071c918b4a435b6486e41f42862aab
SHA512

207b36b3282323ac0ccaaf3ebc077ee1d2f0bc7a36f3c0c1dea454af116f56682dfa8aabf04f52704a8f926f1264b7cc9ea9ee4c6555f5c44099db1aadf12562

Score

10^/10

Malware Config

Signatures

Panda Stealer Payload 3 IoCs

resource	yara_rule
behavioral2/memory/3848-138-0x0000000000400000-0x00000000004AE000-memory.dmp	family_pandastealer
behavioral2/memory/3848-139-0x0000000000400000-0x00000000004AE000-memory.dmp	family_pandastealer
behavioral2/memory/3848-140-0x0000000000400000-0x00000000004AE000-memory.dmp	family_pandastealer

PandaStealer
Panda Stealer is a fork of CollectorProject Stealer written in C++.
stealer pandastealer

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 676 set thread context of 3848	676	5cbe850f672ab2ba13bef9015eca0712fa071c918b4a435b6486e41f42862aab.exe	64

Program crash 1 IoCs

pid	pid_target	Process	procid_target
464	3848	WerFault.exe	64

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	MusNotifyIcon.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	MusNotifyIcon.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
676	5cbe850f672ab2ba13bef9015eca0712fa071c918b4a435b6486e41f42862aab.exe
676	5cbe850f672ab2ba13bef9015eca0712fa071c918b4a435b6486e41f42862aab.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	676	5cbe850f672ab2ba13bef9015eca0712fa071c918b4a435b6486e41f42862aab.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 676 wrote to memory of 3060	676	5cbe850f672ab2ba13bef9015eca0712fa071c918b4a435b6486e41f42862aab.exe	63
PID 676 wrote to memory of 3060	676	5cbe850f672ab2ba13bef9015eca0712fa071c918b4a435b6486e41f42862aab.exe	63
PID 676 wrote to memory of 3060	676	5cbe850f672ab2ba13bef9015eca0712fa071c918b4a435b6486e41f42862aab.exe	63
PID 676 wrote to memory of 3848	676	5cbe850f672ab2ba13bef9015eca0712fa071c918b4a435b6486e41f42862aab.exe	64
PID 676 wrote to memory of 3848	676	5cbe850f672ab2ba13bef9015eca0712fa071c918b4a435b6486e41f42862aab.exe	64
PID 676 wrote to memory of 3848	676	5cbe850f672ab2ba13bef9015eca0712fa071c918b4a435b6486e41f42862aab.exe	64
PID 676 wrote to memory of 3848	676	5cbe850f672ab2ba13bef9015eca0712fa071c918b4a435b6486e41f42862aab.exe	64
PID 676 wrote to memory of 3848	676	5cbe850f672ab2ba13bef9015eca0712fa071c918b4a435b6486e41f42862aab.exe	64
PID 676 wrote to memory of 3848	676	5cbe850f672ab2ba13bef9015eca0712fa071c918b4a435b6486e41f42862aab.exe	64
PID 676 wrote to memory of 3848	676	5cbe850f672ab2ba13bef9015eca0712fa071c918b4a435b6486e41f42862aab.exe	64
PID 676 wrote to memory of 3848	676	5cbe850f672ab2ba13bef9015eca0712fa071c918b4a435b6486e41f42862aab.exe	64
PID 676 wrote to memory of 3848	676	5cbe850f672ab2ba13bef9015eca0712fa071c918b4a435b6486e41f42862aab.exe	64

C:\Users\Admin\AppData\Local\Temp\5cbe850f672ab2ba13bef9015eca0712fa071c918b4a435b6486e41f42862aab.exe
"C:\Users\Admin\AppData\Local\Temp\5cbe850f672ab2ba13bef9015eca0712fa071c918b4a435b6486e41f42862aab.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:676
- C:\Users\Admin\AppData\Local\Temp\5cbe850f672ab2ba13bef9015eca0712fa071c918b4a435b6486e41f42862aab.exe
  "{path}"
  2⤵
  PID:3060
- C:\Users\Admin\AppData\Local\Temp\5cbe850f672ab2ba13bef9015eca0712fa071c918b4a435b6486e41f42862aab.exe
  "{path}"
  2⤵
  PID:3848
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3848 -s 372
    3⤵
    - Program crash
    PID:464

C:\Windows\system32\MusNotifyIcon.exe
%systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 0
1⤵
- Checks processor information in registry
PID:828

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3848 -ip 3848
1⤵
PID:928

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/676-130-0x0000000074B30000-0x00000000752E0000-memory.dmp

Filesize
7.7MB

Download
memory/676-131-0x0000000000FD0000-0x000000000111C000-memory.dmp

Filesize
1.3MB

Download
memory/676-132-0x0000000006030000-0x00000000065D4000-memory.dmp

Filesize
5.6MB

Download
memory/676-133-0x0000000005B20000-0x0000000005BB2000-memory.dmp

Filesize
584KB

Download
memory/676-134-0x0000000005AE0000-0x0000000005AEA000-memory.dmp

Filesize
40KB

Download
memory/676-135-0x0000000005A80000-0x0000000006024000-memory.dmp

Filesize
5.6MB

Download
memory/676-136-0x0000000009750000-0x0000000009C7C000-memory.dmp

Filesize
5.2MB

Download
memory/676-137-0x000000000A0B0000-0x000000000A14C000-memory.dmp

Filesize
624KB

Download
memory/3848-138-0x0000000000400000-0x00000000004AE000-memory.dmp

Filesize
696KB

Download
memory/3848-139-0x0000000000400000-0x00000000004AE000-memory.dmp

Filesize
696KB

Download
memory/3848-140-0x0000000000400000-0x00000000004AE000-memory.dmp

Filesize
696KB

Download

Analysis

Sharing