pandastealer | 5f6c2b356ec142dad0c964aab5527e7f1040554ffcd3f6f143a8e35c31a088e3

Analysis

max time kernel
62s
max time network
129s
platform
windows7_x64
resource
win7-20220414-en
submitted
17-04-2022 14:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5f6c2b356ec142dad0c964aab5527e7f1040554ffcd3f6f143a8e35c31a088e3.exe
Size

799KB
MD5

9253c5f51186dc128a7187440cfd2b3f
SHA1

9fc815826ef4a99920b40a504603be1947506cd3
SHA256

5f6c2b356ec142dad0c964aab5527e7f1040554ffcd3f6f143a8e35c31a088e3
SHA512

6a575dd843babdb1690047c5f16593626c6a5dcdbf030aed18798fe60a1e3772349b4a202a89134e7dcc6b39236e19a67fd82a279c9ce8e09f88f090acabc6ba

Score

10^/10

pandastealer spyware stealer

Malware Config

Signatures

Panda Stealer Payload 5 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Roaming\1642039920_MT.exe	family_pandastealer
\Users\Admin\AppData\Roaming\1642039920_MT.exe	family_pandastealer
C:\Users\Admin\AppData\Roaming\1642039920_MT.exe	family_pandastealer
\Users\Admin\AppData\Roaming\1642039920_MT.exe	family_pandastealer
\Users\Admin\AppData\Roaming\1642039920_MT.exe	family_pandastealer

PandaStealer
Panda Stealer is a fork of CollectorProject Stealer written in C++.
stealer pandastealer
Executes dropped EXE 2 IoCs

Processes:

lf2020.exe1642039920_MT.exe

pid process

960 lf2020.exe
1708 1642039920_MT.exe
Loads dropped DLL 5 IoCs

Processes:

cmd.exelf2020.exe

pid process

272 cmd.exe
960 lf2020.exe
960 lf2020.exe
960 lf2020.exe
960 lf2020.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

1642039920_MT.exe

pid process

1708 1642039920_MT.exe

pid	process
960	lf2020.exe
1708	1642039920_MT.exe

pid	process
272	cmd.exe
960	lf2020.exe
960	lf2020.exe
960	lf2020.exe
960	lf2020.exe

pid	process
1708	1642039920_MT.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

5f6c2b356ec142dad0c964aab5527e7f1040554ffcd3f6f143a8e35c31a088e3.execmd.exelf2020.exe

description	pid	process	target process
PID 1880 wrote to memory of 272	1880	5f6c2b356ec142dad0c964aab5527e7f1040554ffcd3f6f143a8e35c31a088e3.exe	cmd.exe
PID 1880 wrote to memory of 272	1880	5f6c2b356ec142dad0c964aab5527e7f1040554ffcd3f6f143a8e35c31a088e3.exe	cmd.exe
PID 1880 wrote to memory of 272	1880	5f6c2b356ec142dad0c964aab5527e7f1040554ffcd3f6f143a8e35c31a088e3.exe	cmd.exe
PID 1880 wrote to memory of 272	1880	5f6c2b356ec142dad0c964aab5527e7f1040554ffcd3f6f143a8e35c31a088e3.exe	cmd.exe
PID 272 wrote to memory of 960	272	cmd.exe	lf2020.exe
PID 272 wrote to memory of 960	272	cmd.exe	lf2020.exe
PID 272 wrote to memory of 960	272	cmd.exe	lf2020.exe
PID 272 wrote to memory of 960	272	cmd.exe	lf2020.exe
PID 960 wrote to memory of 1708	960	lf2020.exe	1642039920_MT.exe
PID 960 wrote to memory of 1708	960	lf2020.exe	1642039920_MT.exe
PID 960 wrote to memory of 1708	960	lf2020.exe	1642039920_MT.exe
PID 960 wrote to memory of 1708	960	lf2020.exe	1642039920_MT.exe

C:\Users\Admin\AppData\Local\Temp\5f6c2b356ec142dad0c964aab5527e7f1040554ffcd3f6f143a8e35c31a088e3.exe
"C:\Users\Admin\AppData\Local\Temp\5f6c2b356ec142dad0c964aab5527e7f1040554ffcd3f6f143a8e35c31a088e3.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1880

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Roaming\load.bat" "
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:272

C:\Users\Admin\AppData\Roaming\lf2020.exe
lf2020.exe -password -dC:\Users\Admin\AppData\Roaming
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:960

C:\Users\Admin\AppData\Roaming\1642039920_MT.exe
"C:\Users\Admin\AppData\Roaming\1642039920_MT.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1708

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\1642039920_MT.exe
Filesize
655KB

MD5
ef2170ccb225c935e33690c0412b5573

SHA1
ac3ee92aaea356f9a70c6d167ac08e00dd0a7aad

SHA256
939572b13c1805516ee3ffb0f76c147324037a260cdc672317ac7af67bd459a2

SHA512
af9b39f67fd2f1a0b0e5668dd444bbe9eb0848ca64b6c33a0e88ac43669f67f228772dc8726ad3ff5a15afc1ec77c0b9b9af550c4b1813d53f0b96a1fe560f88

Download Submit
C:\Users\Admin\AppData\Roaming\lf2020.exe
Filesize
610KB

MD5
858d997329a6f796d201b6e1b048d2d6

SHA1
9b41213b72c6868ef9873b0985dd9dd9e17d041d

SHA256
5946c40881fc9492f0cd910423cd26cd7eefd21599d91356858bc25fc55e2b47

SHA512
c48a553e14596b6a38ae213bc45a2334c5f947dab05cfc5375b0a71083e99fbeb60df3924d5c151efd242408187396ccc5a1c68dabb8056dbd2ef856cfcc362a

Download Submit
C:\Users\Admin\AppData\Roaming\lf2020.exe
Filesize
610KB

MD5
858d997329a6f796d201b6e1b048d2d6

SHA1
9b41213b72c6868ef9873b0985dd9dd9e17d041d

SHA256
5946c40881fc9492f0cd910423cd26cd7eefd21599d91356858bc25fc55e2b47

SHA512
c48a553e14596b6a38ae213bc45a2334c5f947dab05cfc5375b0a71083e99fbeb60df3924d5c151efd242408187396ccc5a1c68dabb8056dbd2ef856cfcc362a

Download Submit
C:\Users\Admin\AppData\Roaming\load.bat
Filesize
43B

MD5
94ed6467cd5bf952dfa0c72a4a48268c

SHA1
4d2d1b0072a95e3cb01fe7408a5aeb1023210c5d

SHA256
4a5f631da42d3ea46dcfb71351b55e0cf716a1c9704f48c0f3a83aa10e26715b

SHA512
0b934f5a249790a41c53d5385f7c9af2fce844acb6c89c1709906658858f1c91d93e11b9c303ee24134cfaf6373dee29950409e58c94655114714e054861177b

Download Submit
\Users\Admin\AppData\Roaming\1642039920_MT.exe
Filesize
655KB

MD5
ef2170ccb225c935e33690c0412b5573

SHA1
ac3ee92aaea356f9a70c6d167ac08e00dd0a7aad

SHA256
939572b13c1805516ee3ffb0f76c147324037a260cdc672317ac7af67bd459a2

SHA512
af9b39f67fd2f1a0b0e5668dd444bbe9eb0848ca64b6c33a0e88ac43669f67f228772dc8726ad3ff5a15afc1ec77c0b9b9af550c4b1813d53f0b96a1fe560f88

Download Submit
\Users\Admin\AppData\Roaming\1642039920_MT.exe
Filesize
655KB

MD5
ef2170ccb225c935e33690c0412b5573

SHA1
ac3ee92aaea356f9a70c6d167ac08e00dd0a7aad

SHA256
939572b13c1805516ee3ffb0f76c147324037a260cdc672317ac7af67bd459a2

SHA512
af9b39f67fd2f1a0b0e5668dd444bbe9eb0848ca64b6c33a0e88ac43669f67f228772dc8726ad3ff5a15afc1ec77c0b9b9af550c4b1813d53f0b96a1fe560f88

Download Submit
\Users\Admin\AppData\Roaming\1642039920_MT.exe
Filesize
655KB

MD5
ef2170ccb225c935e33690c0412b5573

SHA1
ac3ee92aaea356f9a70c6d167ac08e00dd0a7aad

SHA256
939572b13c1805516ee3ffb0f76c147324037a260cdc672317ac7af67bd459a2

SHA512
af9b39f67fd2f1a0b0e5668dd444bbe9eb0848ca64b6c33a0e88ac43669f67f228772dc8726ad3ff5a15afc1ec77c0b9b9af550c4b1813d53f0b96a1fe560f88

Download Submit
\Users\Admin\AppData\Roaming\1642039920_MT.exe
Filesize
655KB

MD5
ef2170ccb225c935e33690c0412b5573

SHA1
ac3ee92aaea356f9a70c6d167ac08e00dd0a7aad

SHA256
939572b13c1805516ee3ffb0f76c147324037a260cdc672317ac7af67bd459a2

SHA512
af9b39f67fd2f1a0b0e5668dd444bbe9eb0848ca64b6c33a0e88ac43669f67f228772dc8726ad3ff5a15afc1ec77c0b9b9af550c4b1813d53f0b96a1fe560f88

Download Submit
\Users\Admin\AppData\Roaming\lf2020.exe
Filesize
610KB

MD5
858d997329a6f796d201b6e1b048d2d6

SHA1
9b41213b72c6868ef9873b0985dd9dd9e17d041d

SHA256
5946c40881fc9492f0cd910423cd26cd7eefd21599d91356858bc25fc55e2b47

SHA512
c48a553e14596b6a38ae213bc45a2334c5f947dab05cfc5375b0a71083e99fbeb60df3924d5c151efd242408187396ccc5a1c68dabb8056dbd2ef856cfcc362a

Download Submit
memory/272-55-0x0000000000000000-mapping.dmp

Download
memory/960-59-0x0000000000000000-mapping.dmp

Download
memory/1708-66-0x0000000000000000-mapping.dmp

Download
memory/1880-54-0x00000000755A1000-0x00000000755A3000-memory.dmp

Filesize
8KB

Download