pandastealer | fc61986772d4dd592c2a603e5f083ef335acc93f9bc25f6598770f793292cfbb

General

Target

fc61986772d4dd592c2a603e5f083ef335acc93f9bc25f6598770f793292cfbb.exe
Size

759KB
MD5

b346ce18905c9a802993fe0db1350fbf
SHA1

46b576cc28342e895f3f2422ef2e3cc0d08c1f23
SHA256

fc61986772d4dd592c2a603e5f083ef335acc93f9bc25f6598770f793292cfbb
SHA512

cf508a3739e2a71d256a05c0a4edd41248a02f46cf7f61e2cac1ee706090f8576610bee237f6713f47f9283c364c9e7e8b46f914e7a8768c65e4108e886a4b91

Score

10^/10

Malware Config

Signatures

Panda Stealer Payload 2 IoCs

resource	yara_rule
behavioral2/files/0x000500000001e78c-137.dat	family_pandastealer
behavioral2/files/0x000500000001e78c-138.dat	family_pandastealer

PandaStealer
Panda Stealer is a fork of CollectorProject Stealer written in C++.
stealer pandastealer

Executes dropped EXE 2 IoCs

pid	Process
1672	robloxcheat.sfx.exe
4032	robloxcheat.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	fc61986772d4dd592c2a603e5f083ef335acc93f9bc25f6598770f793292cfbb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	robloxcheat.sfx.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4032	robloxcheat.exe
4032	robloxcheat.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3744 wrote to memory of 408	3744	fc61986772d4dd592c2a603e5f083ef335acc93f9bc25f6598770f793292cfbb.exe	79
PID 3744 wrote to memory of 408	3744	fc61986772d4dd592c2a603e5f083ef335acc93f9bc25f6598770f793292cfbb.exe	79
PID 3744 wrote to memory of 408	3744	fc61986772d4dd592c2a603e5f083ef335acc93f9bc25f6598770f793292cfbb.exe	79
PID 408 wrote to memory of 1672	408	cmd.exe	82
PID 408 wrote to memory of 1672	408	cmd.exe	82
PID 408 wrote to memory of 1672	408	cmd.exe	82
PID 1672 wrote to memory of 4032	1672	robloxcheat.sfx.exe	83
PID 1672 wrote to memory of 4032	1672	robloxcheat.sfx.exe	83
PID 1672 wrote to memory of 4032	1672	robloxcheat.sfx.exe	83

C:\Users\Admin\AppData\Local\Temp\fc61986772d4dd592c2a603e5f083ef335acc93f9bc25f6598770f793292cfbb.exe
"C:\Users\Admin\AppData\Local\Temp\fc61986772d4dd592c2a603e5f083ef335acc93f9bc25f6598770f793292cfbb.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3744
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\start.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:408
- - C:\robloxcheat.sfx.exe
    robloxcheat.sfx -pdiodghjdug7dg89djkgjdjgd78g77d89g dc:\
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID:1672
  - - C:\robloxcheat.exe
      "C:\robloxcheat.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:4032

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\robloxcheat.exe

Filesize
671KB

MD5
b9e3aaf4ef6403fe534a7b49edaaba23

SHA1
37b35b14197b6343b84651a53cac2e2fd939c8e9

SHA256
bf32ea2270444d1f6e7ab136e7c7eaf91d2a195a460948c8d3a01ca056524635

SHA512
a8dd188e89d183bb3b26514579076d7d4740b98bd0514df251880da40cf179c76a01885374eb9db21ce41ad827ef0faa576798dfefc904588877ab9d8c5fad34

Download Submit
C:\robloxcheat.exe

Filesize
671KB

MD5
b9e3aaf4ef6403fe534a7b49edaaba23

SHA1
37b35b14197b6343b84651a53cac2e2fd939c8e9

SHA256
bf32ea2270444d1f6e7ab136e7c7eaf91d2a195a460948c8d3a01ca056524635

SHA512
a8dd188e89d183bb3b26514579076d7d4740b98bd0514df251880da40cf179c76a01885374eb9db21ce41ad827ef0faa576798dfefc904588877ab9d8c5fad34

Download Submit
C:\robloxcheat.sfx.exe

Filesize
597KB

MD5
1a1082501a4d891651ec30581290f8c0

SHA1
314ad6b456a6188dea829367aaa26ef7c0d919e9

SHA256
9f9ff9c9d46bccd1a4f68475dd90c51acd5223bc3f7d1aedf444ba452c38c3ab

SHA512
b8adad12a27d2eaf9d362db0ed1b1437e43b6e0bdb172659df6ec5abf8c8f0f1de068dd2fd1f6bbbde77aec24f70ca0e71e92f3044636e854e45011bfac5ca31

Download Submit
C:\robloxcheat.sfx.exe

Filesize
597KB

MD5
1a1082501a4d891651ec30581290f8c0

SHA1
314ad6b456a6188dea829367aaa26ef7c0d919e9

SHA256
9f9ff9c9d46bccd1a4f68475dd90c51acd5223bc3f7d1aedf444ba452c38c3ab

SHA512
b8adad12a27d2eaf9d362db0ed1b1437e43b6e0bdb172659df6ec5abf8c8f0f1de068dd2fd1f6bbbde77aec24f70ca0e71e92f3044636e854e45011bfac5ca31

Download Submit
C:\start.bat

Filesize
67B

MD5
355b692f79b209f0b2869f36e03cc2b1

SHA1
603c5bfcabbee6c3c4c2e0dd93c25b6c0acc536d

SHA256
b163d774b612a466e05a5adf6f9c580000684a2ca4d9addc7b056f819b7ad8f0

SHA512
82a777de16a30e1502345448f22c8d84de1cb74d0323e88090c4d9f82aba3d4caa8e11893cc1883826f07dcf04c2eb0f5799927f42d13d22221bf8bc9b14b754

Download Submit

Analysis

Sharing