pandastealer | 9a0fae68664249ca1014ebb4fbcd515dc70a82cc2ccfab3c6671c5ab9168815d

General

Target

9a0fae68664249ca1014ebb4fbcd515dc70a82cc2ccfab3c6671c5ab9168815d.exe
Size

899KB
MD5

9a2d07cf1b75929a35b3f66f4c3838bf
SHA1

3e2bbb2a0a4ece23c4e4010a9c463aed08f6e4be
SHA256

9a0fae68664249ca1014ebb4fbcd515dc70a82cc2ccfab3c6671c5ab9168815d
SHA512

89e573759266316dfd5976a1a1c7788e71fc89427f4dcce14f9ff845ad2c9c577471ad1f9adac87765f60cf1891f002c1d0fe9478176a4287145703ee1cc8554

Score

10^/10

Malware Config

Signatures

Panda Stealer Payload 3 IoCs

resource	yara_rule
behavioral2/memory/980-137-0x0000000000400000-0x000000000045F000-memory.dmp	family_pandastealer
behavioral2/memory/980-138-0x0000000000400000-0x000000000045F000-memory.dmp	family_pandastealer
behavioral2/memory/980-139-0x0000000000400000-0x000000000045F000-memory.dmp	family_pandastealer

PandaStealer
Panda Stealer is a fork of CollectorProject Stealer written in C++.
stealer pandastealer

Drops file in System32 directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{D152845B-532F-4C1B-B950-4227D15D0F86}.catalogItem	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{A0E8F0C9-C630-4CCF-9BE5-54AA6885B7C1}.catalogItem	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NXQXXLFST89.dat	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NXQXXLFST89.dat	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat	svchost.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2816 set thread context of 980	2816	9a0fae68664249ca1014ebb4fbcd515dc70a82cc2ccfab3c6671c5ab9168815d.exe	102

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3648	980	WerFault.exe	102

Modifies data under HKEY_USERS 6 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\IdentityCRL\Immersive\production\Property	svchost.exe
Set value (data)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Property\0018C005EECA4879 = 0100000001000000d08c9ddf0115d1118c7a00c04fc297eb01000000d79ef4adb8e2df4e96c16fb9ef12577e00000000020000000000106600000001000020000000b2f90524c5d36544f142b1c32b8abf9f09dfe34425fd5ffb19b16794ff879c73000000000e8000000002000020000000dcbc1e510fd819c3db26aa039e43473977ebb9bdd02db422971826724307552780000000bc551742b8102f1855b178bf289d97fb08bccc443b9c53d42ec2325bdd23936098e748e12c9ce444a8b0354b8572ca244d2c38fac6d0fd39473ba4c7850ab72ad9a7f571572ac376aadbb3e59a814ea92453d510f7f19f4111a61f408d06902881647708ea808da7fd4a88accb9d12ebaa8246e6250aca68c57da88c18695d13400000002a6e657fcbf7c2256dfa2903b6d992856f61473a446f0f419a9653e76a80cb6a3dedbbf887e9829f304d6aec3a75093357cd3ab074d36949640b2e61683388e6	svchost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\IdentityCRL\Immersive\production\Token\{D6D5A677-0872-4AB0-9442-BB792FCE85C5}	svchost.exe
Set value (data)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Token\{D6D5A677-0872-4AB0-9442-BB792FCE85C5}\DeviceTicket = 0100000001000000d08c9ddf0115d1118c7a00c04fc297eb01000000d79ef4adb8e2df4e96c16fb9ef12577e00000000020000000000106600000001000020000000b2d00553807e460329b580f26328a96bcd52efbdfe14bed7a92cefb54929d1fc000000000e8000000002000020000000e8db99e9183775443e412d8d767ca89c805f8d308874dbd7b7464dd8d0ddb107100d000032888a1e9bab471cc831ef42a46ca218ba66b7c9518d27648513fdb966ef7fa3d2077ac3239ea0b870ba93e48010d2d312477f1553dad709d8ab7f5688f4ff79a826f9ae3cf8f2972ba4f6dfdeab22920f5433420fbe9f82e41e1e53ec02e0d8fc76bd9e194a5434ec0ff3a1f9f1ff96b6edf704f8be8ccebcce52535c766c079014d888c9075b1106c90be2920fca33aff50b6ccac8c4c1f6fdc2edd8fdc67cd84c3fef9d5e308d67681370f02a8cd1666a5ff54a236f1cefa3361a6311d98690a218d408c0e453e9e4e040bc344b31281e5a5b9009f045bc8eb3e894aeb2e5b3d08efeaa7782959f12d1c1e49321db853386380e709eea2780649335766b3c569de9c91328cb5ee0483fe673311371345ef8f80e93d8bd034e88876b08608446f4b91785102a44a866db3747a521fd21991c3ad0c0c49cac92b142d88894df1dab8ff78e1c5b29c6975be8103cb5b0137876c9dec3da843b8665c3a568c74bd94d07e00ff2e9cac09cc8253572aef8ce6562ae6247748dbde4deab654941df127d1a72bc10fb4c569643a64e177f2f248d666c136b289969d8e3eb11211ad60a4da132fe0c3aa2c3789cc30038b1ca9478cb1001588c4c45c490d3ac8babe52e9b10c5c3a2ea41d8d18ffb47ac67b18c8cc5bdda0cb38b4d1de98545c46015ea23c37b81fce870620994facea1cfbd9cda21d6fef794f1c7e0129d015c9f7ed3e0624ccfceb47225a725beaca6e464a39faf35eaa465271ef53977507ebf9b78aff738e029868aa21714f3be101115c85fd2994f55a787b37163260d4a551d15e3bd3d317a342036351b6327f61f29e8c75aeeb20357f8c3b3054a602782c346ff809599140d32c7c48a0e9f560314287461440d60cd2f6d93a3e08455006f69be950fe0880efd3738605b1ccb6131fe7c7979b884e59fbe15a95f1a316dcf4887f2d27db4b0528f52e465772651aef577cc649c66416fed3d9220151deef1074330772f5cf83233a444f18030a10be44ed7e88c8b93a430cbe282105085e1f85517c0e7279ddcebee51ea09f61769424645507b578de1deee87145219fda79b000eae11d7132e8986c8f66b52f3fc475eb2bf2734d8124d153fadb08c8108525cdda9c17d4d7d80e3aed29199c010fcbab1ad9c254cd63eb29b6383162036e643fdf2690e7e742bad485199f1d47ad5e5e284a12053038a23f3c2b98561895276d7a97813d2b3c1440427f7fc9b80ac5f7ca928393739a5e52e1691c8be86c73cee934e6891fb147ca5823d49a7aca4031d66051235d01a839dba447af6e2739f6022c768246ecba4035ac12e3cba51ee99e0fd771a919ad8bcd2d67708a7c203ffd617fa99c705d80c75b3589c8e0695155a91611c16f40bdc064bf8289576114352a0ded00d60c1093c762c3297697565ac2699faa60376e2a6c65d8bab4f05b3e0426dfc8ddc831615ffbc247479d225357f137982a6d9c3609cf29257655f904578cc7597af05f5766e551a1d4995c190edfd60e1075185ccbf32983ef62c8add14b31c0ee314cb855eb13d1121c14a18221a4d75c260f6c84356cb9a4be33ce258d304d94170cfb61d8efb809dfdf9be1e44269e6dd841bc1b643c33a2b470889bb11f506f5ef8f68354dc1198eeab393b24d18ad210ff77d1f00c4421530ef3107a2efd90af972d24a21624cb9278fa75dd1834dd8e4499b0c842a5a891debb3dc243209af14f523db583443a2e5901a74993382a0960c7ad52f988060f4136c787cc1a685c79bba5c1bf9d2631da9c89b090f4582b886f0fa843b99af212f6e7d021c7c5b6ce7b8f68d712c46cd4fa04f67318f2faccaf7f5ab1abb4613693917303be579088bf1106ad467b09fd4234447c65c773fd0ad322ec372b803d4796f9a1ef13e803af51064cba4a795dac36cd86c6b9a8ca00e1a0e69df8daed6f7defa9cad0a76efd38a2a3a9525449a2cd810bf12b43e0a8bc505427086419ae997d7c5c0b381506a43c79f86fd0d351ad03644ae5f4eb0f0ea8c8bb77fb53c8faa293ab484107e862fd7b0854209cbb729f3d732f91af198ca976f8d915b35c781481fe1b6b0f5180da50296f31d261fa6656d451bed69cac7cf5b0533bc22eba72bf30a7acda7b48809a9eedfc14757265c946c8ed4fe408201f90608547fa8466f285a020de5c1860b11fb920dad8c910650bf40882da6d7272e8560d7bb554758e336a5e47a504b2af8a13a688db67e3b5c398d7720e5aa6dbcf49a0f7adc37093cdd5c58a1fdd1463ec0577ca1244d0fb7dfe351a7024bb39eaebc897bb91829f2dc2a912073a02165aee8d69c4b604a0e2cac1bbb3478227b4d874cc5f2f43e38b1b70f93ac91b382da64b3958b88e263a088259d5f85a4602f1572f05c82e3b7b88058c13eb4d9786a320d29ba4b3af424736dc90d37fa03743824324c4444410adabdf19f28cbd225bd807572514a2e95b3dbc1bd7247fb4b9b9644b17ac177891e27ab6b6988c552867c2a35fd7de4403c2a92b5e4ea9e7ee5431e4e99336e7432cfe7d731bf3713514a0a8093a6a95ec59485cf6e8df85dfa6b0988f864f9ef1fa3884e1f46556a9cad622ec2dfabaddbc6566e19144cf3e802de6a9fedbce7b2476b45265045b3a3d1af5b78747675da8fa8ba51dc826062f426e3cc9a1460dc76bcbdc813f12f14b37cb6d035408be789edb54acf89752f2d1fe8d7ac889118c517264038a3674214f73434c52f0413cacea8ab2f29f901f9570b00a896e61efaa1a75363ef201f1a561640c8bb2b566032d187f93eb81e1b7961a00688aa78f1be81720d7ca1783a323f32c270827b0c7558c62b0569836a3919e01a8713bad797af5ae72a7fdea542192c9d146de088983eccd32e81003ee3e0e5dca6352812a15ae81e4cb8e61b12f0781796a150c7840e6d550ac008877f371f8c1bda8433a73d4be8f581e9e2b12aa178bce7aecba76442d03db381109479f9472b880655afa6958ec2d5fac40ee548438fcac7a5c9132d49dc278a0ea3d181e1c216a2758345f0830781c0f53791d9a6b2c197d1c69a18a09d9308cf3bde18f953917c97982ed2ca855f2b2d710741687db03237e3ef82ad309ff2a3d58f97f93ff600768532a0fbcce1e53f29dd04aba46d7a5897d8d0f647d855c03dcd16c728214c12e7fa12c4787ee93dc55d837d746a36b4f6d8c664420bf5ded09e6a9ad74f7d993b6400bd66b1e4d4d3d3af1abf7abba85f9ea2fc810a2a4eddb077baadc7e4cf7aa8f78a8edb06be2aec9d8416d20c801b5023c16c07f46e283ef88bbf1b3f589f535c5893232b4fe60255af5ade31c4aeb23d43e9e76279abe24b3e8367fe87c1ebbeffac483c52dc83eba10a761dae37ffdfa85b3acd7bc05c9886d6d14171722fecc68411e773d110c196889a7894385b266f74938d5fd2eb9ff55f31af627a898a5bd34373493cb7a650e0a4216f111f562269d46afc8192b79531f2466a094b44cc1959ddb0670dcbc0b0a9641253d0da34caaea2485b1b8a6893e185ced65b99a0314b8e8e760ad1c0a287535af1c300b2c5e7be815af50b8c533a6d60d99f50819cd8c2d47d3d785761a9f7c018199f909ec9eb3704ea396f43d0cb45f53054681aa01d6684f08a92439e40ba4ae2491fb292dc7e2bbf12d51bb33baab51720c8c3bd21dd1a530f8a0c9c75dabc24b9c089b9a3ebcb717ff0dd03b1dbf51dcadcc49dc54718618495a322b83834cbf59c808c30ee331891ce928b1e5661432e25c0a0bc8c24e5763c4c7d206249f3bf59e53a33ca3a66e3cf1b2ceef2d3ec9a739cf3e1374ca38852edc46e9326f412002e33da0e983c06ec3ce8655d2114bf8b990705b84534d354eb157fbfd9c73a1f7e70c8053bc3762333496cb845c03fe5e3de9afa8d403a24cdba43e767329d9761a68d95c197b093c2ace24b6aa0ca6833d0d5ec2188082b124bb36a065b624c097607ac73d2a906b1b6e68bdc727cfdc5039af43676a31de262e114c8bd535c57724ed893f1a9a63fdc31f7694708870d4ed6797a881fde5174d6159619a3133c93dfe9f0f10ec7f3e83230e63edf96c32758de3f7c5d7e89880272356d5842db3fe22d915b339e65ab0eb5b6d53ddf38f0ff8f154b1b2895f3b55c2efc4ff583977d8238f34d054b071c9957e8d474e5480ee5c6ffa2e1488ee218250278524b4bdfb7470ab1f4d1cc68c206e7934cc67e5e182f4527df257b798d39085e7706f41feb5b324b85f18b24d3c869189e110f5d62372df7b53a7bce402bbb3247eddb796454b098ca848b22940a803c2685e0985099c6db0c993ec902f431f98336f3c477c4fe835daa7704376259aff82af013e26cb3b52a065f38663fcf192a68cbe36206a10ac7b1fe6d5d49c6af5e7ba2536144d7765c4bf07ffdf131e2bc269d003950605acee013b8ad50e4948ceec956171b6517c28fdecf64409dab79d254276d0fa485a2b38c1a57e3ddebb22eee0699fcd740ece8a593cda0293e60cbf5126888c7b9407eb709c8404ae621c9a22ff3c2bc7ef377ffb1e7a956a0a11d5c102ea78cbdf0c090fd19cc85d5a304daafce87d710564689682906e91a95473367e6cea81935393487f1630ffa1f4e80b177013861e02573e0194cf4f9a9dc7cdb6e98979cab3c793a7eab993cec4dfaf46daf8e98a325b298f963bfbf6fc7785a6f0ff99e26eccb1ac5816f50b3cb74000000039cd0e76d39815f5ee38e29fe579a241bb45b6830e470fc3f1774e7494275d997e7b1083a784746f113480aaea01a0c34d9f165c82efda5894f74b3f658fdcff	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Token\{D6D5A677-0872-4AB0-9442-BB792FCE85C5}\DeviceId = "0018C005EECA4879"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Token\{D6D5A677-0872-4AB0-9442-BB792FCE85C5}\ApplicationFlags = "1"	svchost.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2816	9a0fae68664249ca1014ebb4fbcd515dc70a82cc2ccfab3c6671c5ab9168815d.exe
2816	9a0fae68664249ca1014ebb4fbcd515dc70a82cc2ccfab3c6671c5ab9168815d.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2816	9a0fae68664249ca1014ebb4fbcd515dc70a82cc2ccfab3c6671c5ab9168815d.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2816 wrote to memory of 4284	2816	9a0fae68664249ca1014ebb4fbcd515dc70a82cc2ccfab3c6671c5ab9168815d.exe	101
PID 2816 wrote to memory of 4284	2816	9a0fae68664249ca1014ebb4fbcd515dc70a82cc2ccfab3c6671c5ab9168815d.exe	101
PID 2816 wrote to memory of 4284	2816	9a0fae68664249ca1014ebb4fbcd515dc70a82cc2ccfab3c6671c5ab9168815d.exe	101
PID 2816 wrote to memory of 980	2816	9a0fae68664249ca1014ebb4fbcd515dc70a82cc2ccfab3c6671c5ab9168815d.exe	102
PID 2816 wrote to memory of 980	2816	9a0fae68664249ca1014ebb4fbcd515dc70a82cc2ccfab3c6671c5ab9168815d.exe	102
PID 2816 wrote to memory of 980	2816	9a0fae68664249ca1014ebb4fbcd515dc70a82cc2ccfab3c6671c5ab9168815d.exe	102
PID 2816 wrote to memory of 980	2816	9a0fae68664249ca1014ebb4fbcd515dc70a82cc2ccfab3c6671c5ab9168815d.exe	102
PID 2816 wrote to memory of 980	2816	9a0fae68664249ca1014ebb4fbcd515dc70a82cc2ccfab3c6671c5ab9168815d.exe	102
PID 2816 wrote to memory of 980	2816	9a0fae68664249ca1014ebb4fbcd515dc70a82cc2ccfab3c6671c5ab9168815d.exe	102
PID 2816 wrote to memory of 980	2816	9a0fae68664249ca1014ebb4fbcd515dc70a82cc2ccfab3c6671c5ab9168815d.exe	102
PID 2816 wrote to memory of 980	2816	9a0fae68664249ca1014ebb4fbcd515dc70a82cc2ccfab3c6671c5ab9168815d.exe	102
PID 2816 wrote to memory of 980	2816	9a0fae68664249ca1014ebb4fbcd515dc70a82cc2ccfab3c6671c5ab9168815d.exe	102

C:\Users\Admin\AppData\Local\Temp\9a0fae68664249ca1014ebb4fbcd515dc70a82cc2ccfab3c6671c5ab9168815d.exe
"C:\Users\Admin\AppData\Local\Temp\9a0fae68664249ca1014ebb4fbcd515dc70a82cc2ccfab3c6671c5ab9168815d.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2816
- C:\Users\Admin\AppData\Local\Temp\9a0fae68664249ca1014ebb4fbcd515dc70a82cc2ccfab3c6671c5ab9168815d.exe
  "C:\Users\Admin\AppData\Local\Temp\9a0fae68664249ca1014ebb4fbcd515dc70a82cc2ccfab3c6671c5ab9168815d.exe"
  2⤵
  PID:4284
- C:\Users\Admin\AppData\Local\Temp\9a0fae68664249ca1014ebb4fbcd515dc70a82cc2ccfab3c6671c5ab9168815d.exe
  "C:\Users\Admin\AppData\Local\Temp\9a0fae68664249ca1014ebb4fbcd515dc70a82cc2ccfab3c6671c5ab9168815d.exe"
  2⤵
  PID:980
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 980 -s 372
    3⤵
    - Program crash
    PID:3648

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p
1⤵
- Drops file in System32 directory
PID:3380

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
- Modifies data under HKEY_USERS
PID:4248

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 980 -ip 980
1⤵
PID:2092

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/980-137-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/980-138-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/980-139-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2816-134-0x0000000000230000-0x0000000000316000-memory.dmp

Filesize
920KB

Download

Analysis

Sharing