pandastealer | 5f6c2b356ec142dad0c964aab5527e7f1040554ffcd3f6f143a8e35c31a088e3

General

Target

5f6c2b356ec142dad0c964aab5527e7f1040554ffcd3f6f143a8e35c31a088e3.exe
Size

799KB
MD5

9253c5f51186dc128a7187440cfd2b3f
SHA1

9fc815826ef4a99920b40a504603be1947506cd3
SHA256

5f6c2b356ec142dad0c964aab5527e7f1040554ffcd3f6f143a8e35c31a088e3
SHA512

6a575dd843babdb1690047c5f16593626c6a5dcdbf030aed18798fe60a1e3772349b4a202a89134e7dcc6b39236e19a67fd82a279c9ce8e09f88f090acabc6ba

Score

10^/10

Malware Config

Signatures

Panda Stealer Payload 2 IoCs

resource	yara_rule
behavioral2/files/0x00070000000231bf-136.dat	family_pandastealer
behavioral2/files/0x00070000000231bf-137.dat	family_pandastealer

PandaStealer
Panda Stealer is a fork of CollectorProject Stealer written in C++.
stealer pandastealer

Executes dropped EXE 2 IoCs

pid	Process
1552	lf2020.exe
3120	1642039920_MT.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	5f6c2b356ec142dad0c964aab5527e7f1040554ffcd3f6f143a8e35c31a088e3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	lf2020.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3120	1642039920_MT.exe
3120	1642039920_MT.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2008 wrote to memory of 3676	2008	5f6c2b356ec142dad0c964aab5527e7f1040554ffcd3f6f143a8e35c31a088e3.exe	79
PID 2008 wrote to memory of 3676	2008	5f6c2b356ec142dad0c964aab5527e7f1040554ffcd3f6f143a8e35c31a088e3.exe	79
PID 2008 wrote to memory of 3676	2008	5f6c2b356ec142dad0c964aab5527e7f1040554ffcd3f6f143a8e35c31a088e3.exe	79
PID 3676 wrote to memory of 1552	3676	cmd.exe	82
PID 3676 wrote to memory of 1552	3676	cmd.exe	82
PID 3676 wrote to memory of 1552	3676	cmd.exe	82
PID 1552 wrote to memory of 3120	1552	lf2020.exe	83
PID 1552 wrote to memory of 3120	1552	lf2020.exe	83
PID 1552 wrote to memory of 3120	1552	lf2020.exe	83

C:\Users\Admin\AppData\Local\Temp\5f6c2b356ec142dad0c964aab5527e7f1040554ffcd3f6f143a8e35c31a088e3.exe
"C:\Users\Admin\AppData\Local\Temp\5f6c2b356ec142dad0c964aab5527e7f1040554ffcd3f6f143a8e35c31a088e3.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2008
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\load.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3676
- - C:\Users\Admin\AppData\Roaming\lf2020.exe
    lf2020.exe -password -dC:\Users\Admin\AppData\Roaming
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID:1552
  - - C:\Users\Admin\AppData\Roaming\1642039920_MT.exe
      "C:\Users\Admin\AppData\Roaming\1642039920_MT.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:3120

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\1642039920_MT.exe

Filesize
655KB

MD5
ef2170ccb225c935e33690c0412b5573

SHA1
ac3ee92aaea356f9a70c6d167ac08e00dd0a7aad

SHA256
939572b13c1805516ee3ffb0f76c147324037a260cdc672317ac7af67bd459a2

SHA512
af9b39f67fd2f1a0b0e5668dd444bbe9eb0848ca64b6c33a0e88ac43669f67f228772dc8726ad3ff5a15afc1ec77c0b9b9af550c4b1813d53f0b96a1fe560f88

Download Submit
C:\Users\Admin\AppData\Roaming\1642039920_MT.exe

Filesize
655KB

MD5
ef2170ccb225c935e33690c0412b5573

SHA1
ac3ee92aaea356f9a70c6d167ac08e00dd0a7aad

SHA256
939572b13c1805516ee3ffb0f76c147324037a260cdc672317ac7af67bd459a2

SHA512
af9b39f67fd2f1a0b0e5668dd444bbe9eb0848ca64b6c33a0e88ac43669f67f228772dc8726ad3ff5a15afc1ec77c0b9b9af550c4b1813d53f0b96a1fe560f88

Download Submit
C:\Users\Admin\AppData\Roaming\lf2020.exe

Filesize
610KB

MD5
858d997329a6f796d201b6e1b048d2d6

SHA1
9b41213b72c6868ef9873b0985dd9dd9e17d041d

SHA256
5946c40881fc9492f0cd910423cd26cd7eefd21599d91356858bc25fc55e2b47

SHA512
c48a553e14596b6a38ae213bc45a2334c5f947dab05cfc5375b0a71083e99fbeb60df3924d5c151efd242408187396ccc5a1c68dabb8056dbd2ef856cfcc362a

Download Submit
C:\Users\Admin\AppData\Roaming\lf2020.exe

Filesize
610KB

MD5
858d997329a6f796d201b6e1b048d2d6

SHA1
9b41213b72c6868ef9873b0985dd9dd9e17d041d

SHA256
5946c40881fc9492f0cd910423cd26cd7eefd21599d91356858bc25fc55e2b47

SHA512
c48a553e14596b6a38ae213bc45a2334c5f947dab05cfc5375b0a71083e99fbeb60df3924d5c151efd242408187396ccc5a1c68dabb8056dbd2ef856cfcc362a

Download Submit
C:\Users\Admin\AppData\Roaming\load.bat

Filesize
43B

MD5
94ed6467cd5bf952dfa0c72a4a48268c

SHA1
4d2d1b0072a95e3cb01fe7408a5aeb1023210c5d

SHA256
4a5f631da42d3ea46dcfb71351b55e0cf716a1c9704f48c0f3a83aa10e26715b

SHA512
0b934f5a249790a41c53d5385f7c9af2fce844acb6c89c1709906658858f1c91d93e11b9c303ee24134cfaf6373dee29950409e58c94655114714e054861177b

Download Submit

Analysis

Sharing