pandastealer | 1b986f7f1214a3cf821f807915e50e092b1c8b69ec182b47298b5e3308a34419

General

Target

1b986f7f1214a3cf821f807915e50e092b1c8b69ec182b47298b5e3308a34419.exe
Size

2.5MB
MD5

0f38f507ec3a4955583ad8c5befcd2f7
SHA1

645f134676e53ad8eedc1e6a839125b0575bbc2a
SHA256

1b986f7f1214a3cf821f807915e50e092b1c8b69ec182b47298b5e3308a34419
SHA512

38c64bd1f9112e4851bcf7aa173bf154b344625731a0a6efb160346fc689f4a3032d490caa2eac2eed56c82a2df69b972e0b98efc608f5a6f6391943c2bd1b21

Score

10^/10

pandastealer spyware stealer vmprotect

Malware Config

Signatures

Panda Stealer Payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\6iTigXTUXWg7Q73HAYZ4R\1511528223_MT.exe	family_pandastealer
C:\Users\Admin\AppData\Roaming\6iTigXTUXWg7Q73HAYZ4R\1511528223_MT.exe	family_pandastealer

PandaStealer
Panda Stealer is a fork of CollectorProject Stealer written in C++.
stealer pandastealer
Executes dropped EXE 2 IoCs

Processes:

1511528223_MT.exeCheat_SanyaTop.exe

pid process

4204 1511528223_MT.exe
4812 Cheat_SanyaTop.exe

pid	process
4204	1511528223_MT.exe
4812	Cheat_SanyaTop.exe

VMProtect packed file 1 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
behavioral2/memory/2168-130-0x0000000000DB0000-0x00000000012E1000-memory.dmp	vmprotect

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

1b986f7f1214a3cf821f807915e50e092b1c8b69ec182b47298b5e3308a34419.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	1b986f7f1214a3cf821f807915e50e092b1c8b69ec182b47298b5e3308a34419.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
behavioral2/memory/2168-130-0x0000000000DB0000-0x00000000012E1000-memory.dmp	autoit_exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

1b986f7f1214a3cf821f807915e50e092b1c8b69ec182b47298b5e3308a34419.exe

pid process

2168 1b986f7f1214a3cf821f807915e50e092b1c8b69ec182b47298b5e3308a34419.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

1b986f7f1214a3cf821f807915e50e092b1c8b69ec182b47298b5e3308a34419.exe1511528223_MT.exeCheat_SanyaTop.exe

pid	process
2168	1b986f7f1214a3cf821f807915e50e092b1c8b69ec182b47298b5e3308a34419.exe
2168	1b986f7f1214a3cf821f807915e50e092b1c8b69ec182b47298b5e3308a34419.exe
4204	1511528223_MT.exe
4204	1511528223_MT.exe
4812	Cheat_SanyaTop.exe
4812	Cheat_SanyaTop.exe
4812	Cheat_SanyaTop.exe
4812	Cheat_SanyaTop.exe
4812	Cheat_SanyaTop.exe
4812	Cheat_SanyaTop.exe
4812	Cheat_SanyaTop.exe
4812	Cheat_SanyaTop.exe
4812	Cheat_SanyaTop.exe
4812	Cheat_SanyaTop.exe
4812	Cheat_SanyaTop.exe
4812	Cheat_SanyaTop.exe
4812	Cheat_SanyaTop.exe
4812	Cheat_SanyaTop.exe
4812	Cheat_SanyaTop.exe
4812	Cheat_SanyaTop.exe
4812	Cheat_SanyaTop.exe
4812	Cheat_SanyaTop.exe
4812	Cheat_SanyaTop.exe
4812	Cheat_SanyaTop.exe
4812	Cheat_SanyaTop.exe
4812	Cheat_SanyaTop.exe
4812	Cheat_SanyaTop.exe
4812	Cheat_SanyaTop.exe
4812	Cheat_SanyaTop.exe
4812	Cheat_SanyaTop.exe
4812	Cheat_SanyaTop.exe
4812	Cheat_SanyaTop.exe
4812	Cheat_SanyaTop.exe
4812	Cheat_SanyaTop.exe
4812	Cheat_SanyaTop.exe
4812	Cheat_SanyaTop.exe
4812	Cheat_SanyaTop.exe
4812	Cheat_SanyaTop.exe
4812	Cheat_SanyaTop.exe
4812	Cheat_SanyaTop.exe
4812	Cheat_SanyaTop.exe
4812	Cheat_SanyaTop.exe
4812	Cheat_SanyaTop.exe
4812	Cheat_SanyaTop.exe
4812	Cheat_SanyaTop.exe
4812	Cheat_SanyaTop.exe
4812	Cheat_SanyaTop.exe
4812	Cheat_SanyaTop.exe
4812	Cheat_SanyaTop.exe
4812	Cheat_SanyaTop.exe
4812	Cheat_SanyaTop.exe
4812	Cheat_SanyaTop.exe
4812	Cheat_SanyaTop.exe
4812	Cheat_SanyaTop.exe
4812	Cheat_SanyaTop.exe
4812	Cheat_SanyaTop.exe
4812	Cheat_SanyaTop.exe
4812	Cheat_SanyaTop.exe
4812	Cheat_SanyaTop.exe
4812	Cheat_SanyaTop.exe
4812	Cheat_SanyaTop.exe
4812	Cheat_SanyaTop.exe
4812	Cheat_SanyaTop.exe
4812	Cheat_SanyaTop.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

Cheat_SanyaTop.exe

description pid process

Token: SeDebugPrivilege 4812 Cheat_SanyaTop.exe

description	pid	process
Token: SeDebugPrivilege	4812	Cheat_SanyaTop.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

1b986f7f1214a3cf821f807915e50e092b1c8b69ec182b47298b5e3308a34419.exe

description	pid	process	target process
PID 2168 wrote to memory of 4204	2168	1b986f7f1214a3cf821f807915e50e092b1c8b69ec182b47298b5e3308a34419.exe	1511528223_MT.exe
PID 2168 wrote to memory of 4204	2168	1b986f7f1214a3cf821f807915e50e092b1c8b69ec182b47298b5e3308a34419.exe	1511528223_MT.exe
PID 2168 wrote to memory of 4204	2168	1b986f7f1214a3cf821f807915e50e092b1c8b69ec182b47298b5e3308a34419.exe	1511528223_MT.exe
PID 2168 wrote to memory of 4812	2168	1b986f7f1214a3cf821f807915e50e092b1c8b69ec182b47298b5e3308a34419.exe	Cheat_SanyaTop.exe
PID 2168 wrote to memory of 4812	2168	1b986f7f1214a3cf821f807915e50e092b1c8b69ec182b47298b5e3308a34419.exe	Cheat_SanyaTop.exe
PID 2168 wrote to memory of 4812	2168	1b986f7f1214a3cf821f807915e50e092b1c8b69ec182b47298b5e3308a34419.exe	Cheat_SanyaTop.exe

C:\Users\Admin\AppData\Local\Temp\1b986f7f1214a3cf821f807915e50e092b1c8b69ec182b47298b5e3308a34419.exe
"C:\Users\Admin\AppData\Local\Temp\1b986f7f1214a3cf821f807915e50e092b1c8b69ec182b47298b5e3308a34419.exe"
1⤵
- Checks computer location settings
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2168

C:\Users\Admin\AppData\Roaming\6iTigXTUXWg7Q73HAYZ4R\1511528223_MT.exe
"C:\Users\Admin\AppData\Roaming\6iTigXTUXWg7Q73HAYZ4R\1511528223_MT.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4204

C:\Users\Admin\AppData\Roaming\6iTigXTUXWg7Q73HAYZ4R\Cheat_SanyaTop.exe
"C:\Users\Admin\AppData\Roaming\6iTigXTUXWg7Q73HAYZ4R\Cheat_SanyaTop.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4812

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\6iTigXTUXWg7Q73HAYZ4R\1511528223_MT.exe
Filesize
671KB

MD5
d74c75161d26018e4d5084078ec0ead7

SHA1
c00711de9656c381f42ce38f5b9c125b0aab3429

SHA256
c8522600ca1d49c2687bdea95a4d7a661cbbb250789a2bb0434c8917bf2c61c9

SHA512
53a2f147356c564b244647a741ecaf8de08afa089ea9106cd5c2d264c8f39609fe2826f1fbf41a6d2bcb32f92034830ae3b731b694b175ccfbdc5a6453978956

Download Submit
C:\Users\Admin\AppData\Roaming\6iTigXTUXWg7Q73HAYZ4R\1511528223_MT.exe
Filesize
671KB

MD5
d74c75161d26018e4d5084078ec0ead7

SHA1
c00711de9656c381f42ce38f5b9c125b0aab3429

SHA256
c8522600ca1d49c2687bdea95a4d7a661cbbb250789a2bb0434c8917bf2c61c9

SHA512
53a2f147356c564b244647a741ecaf8de08afa089ea9106cd5c2d264c8f39609fe2826f1fbf41a6d2bcb32f92034830ae3b731b694b175ccfbdc5a6453978956

Download Submit
C:\Users\Admin\AppData\Roaming\6iTigXTUXWg7Q73HAYZ4R\Cheat_SanyaTop.exe
Filesize
761KB

MD5
c98771c7a517e4a9cb1e603a115e6c80

SHA1
0154f03560051015cdf49c075961c8144bd65359

SHA256
56924494751713a5c22ada3f11c812a2ecf4957e442fc0bf52194aae4f24c09e

SHA512
c48747fe27708a0b14da7c7007910b5464682947367477378e94d2edcd105eae510bc27eb9ddf9c0820e164b71da297e230d680d9ec6b94948f97d9869a94095

Download Submit
C:\Users\Admin\AppData\Roaming\6iTigXTUXWg7Q73HAYZ4R\Cheat_SanyaTop.exe
Filesize
761KB

MD5
c98771c7a517e4a9cb1e603a115e6c80

SHA1
0154f03560051015cdf49c075961c8144bd65359

SHA256
56924494751713a5c22ada3f11c812a2ecf4957e442fc0bf52194aae4f24c09e

SHA512
c48747fe27708a0b14da7c7007910b5464682947367477378e94d2edcd105eae510bc27eb9ddf9c0820e164b71da297e230d680d9ec6b94948f97d9869a94095

Download Submit
memory/2168-130-0x0000000000DB0000-0x00000000012E1000-memory.dmp

Filesize
5.2MB

Download
memory/4204-132-0x0000000000000000-mapping.dmp

Download
memory/4812-135-0x0000000000000000-mapping.dmp

Download
memory/4812-138-0x0000000000650000-0x0000000000714000-memory.dmp

Filesize
784KB

Download
memory/4812-139-0x0000000005020000-0x0000000005042000-memory.dmp

Filesize
136KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads