Analysis
- max time kernel: 75s
- max time network: 86s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 02-05-2022 21:31
- Static task: static1
- Behavioral task: behavioral1
  Sample: 34aa8ab1fdfbb0507d22838b8f618704efef899694d494b00dcc1a315fa86789.exe
  Resource: win7-20220414-en
- Behavioral task: behavioral2
  Sample: 34aa8ab1fdfbb0507d22838b8f618704efef899694d494b00dcc1a315fa86789.exe
  Resource: win10v2004-20220414-en
General
- Target: 34aa8ab1fdfbb0507d22838b8f618704efef899694d494b00dcc1a315fa86789.exe
- Size: 5.0MB
- MD5: 69ef826f3d9a3aca327e938327d91644
- SHA1: 43e9c02b386564fb46425feaf5e7a29096c01f0d
- SHA256: 34aa8ab1fdfbb0507d22838b8f618704efef899694d494b00dcc1a315fa86789
- SHA512: 93457365d0ab55d3de9828d98f411dbe1c3435c25ecf16f92d0a6b9e9028ee4a1b896101d042eef486759b935abb99ea1f93607764e184adc84d0825e675013d
Malware Config
Signatures
-
- Panda Stealer Payload (7 IoCs)
  resource                                                                     yara_rule
  behavioral1/memory/1524-62-0x0000000000400000-0x00000000004AF000-memory.dmp  family_pandastealer
  behavioral1/memory/1524-64-0x0000000000400000-0x00000000004AF000-memory.dmp  family_pandastealer
  behavioral1/memory/1524-65-0x0000000000400000-0x00000000004AF000-memory.dmp  family_pandastealer
  behavioral1/memory/1524-67-0x0000000000400000-0x00000000004AF000-memory.dmp  family_pandastealer
  behavioral1/memory/1524-68-0x000000000045E27E-mapping.dmp                    family_pandastealer
  behavioral1/memory/1524-70-0x0000000000400000-0x00000000004AF000-memory.dmp  family_pandastealer
  behavioral1/memory/1524-71-0x0000000000400000-0x00000000004AF000-memory.dmp  family_pandastealer
  (all seven hits are in the memory of PID 1524; the six full-range dumps cover the same 0x400000-0x4AF000 image region, and the single mapping address 0x45E27E lies inside it)
PandaStealer
Panda Stealer is a fork of CollectorProject Stealer written in C++.
-
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials, cookies and session tokens, autofill entries and browsing history.
-
- Suspicious use of SetThreadContext (1 IoC)
  description                          pid   Process                                                                 procid_target
  PID 1972 set thread context of 1524  1972  34aa8ab1fdfbb0507d22838b8f618704efef899694d494b00dcc1a315fa86789.exe  27
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  pid   Process
  1524  34aa8ab1fdfbb0507d22838b8f618704efef899694d494b00dcc1a315fa86789.exe
- Suspicious use of WriteProcessMemory (11 IoCs)
  description                          pid   Process                                                                 procid_target
  PID 1972 wrote to memory of 1524     1972  34aa8ab1fdfbb0507d22838b8f618704efef899694d494b00dcc1a315fa86789.exe  27
  (this row is recorded 11 times; every write goes from PID 1972 into PID 1524)
Processes
- C:\Users\Admin\AppData\Local\Temp\34aa8ab1fdfbb0507d22838b8f618704efef899694d494b00dcc1a315fa86789.exe (PID 1972)
  command line: "C:\Users\Admin\AppData\Local\Temp\34aa8ab1fdfbb0507d22838b8f618704efef899694d494b00dcc1a315fa86789.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - child process: C:\Users\Admin\AppData\Local\Temp\34aa8ab1fdfbb0507d22838b8f618704efef899694d494b00dcc1a315fa86789.exe (PID 1524)
    command line: "C:\Users\Admin\AppData\Local\Temp\34aa8ab1fdfbb0507d22838b8f618704efef899694d494b00dcc1a315fa86789.exe"
    - Suspicious behavior: EnumeratesProcesses
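The SetThreadContext, WriteProcessMemory and YARA signatures above, read together with the parent/child relationship in the process list, describe one injection chain: PID 1972 spawns a second copy of the sample as PID 1524, writes into it 11 times, then sets its thread context, and the family rule fires on the child's image range 0x400000-0x4AF000 (the mapping hit at 0x45E27E lies inside that range). The Python below is an added example, not part of the sandbox report or of any Panda Stealer analysis: it parses rows in the report's own flattened "description pid Process procid_target" layout and correlates them into a verdict. The rows are transcribed from this report; the shortened image name 34aa8ab1.exe and all function and field names are assumptions chosen for readability. The report does not record whether the child was created suspended or resumed afterwards, so the result is a strong indicator of process hollowing, not proof.

```python
# Added example (not the sandbox's own code): correlate the report's cross-process
# events and memory-dump YARA hits into a process-injection chain.
import re
from collections import Counter
from dataclasses import dataclass

SAMPLE = "34aa8ab1.exe"  # shortened image name, an assumption for readability
# Rows constructed from the report's signature tables (same flattened layout).
SETTHREADCONTEXT_ROWS = [f"PID 1972 set thread context of 1524 1972 {SAMPLE} 27"]
WRITEPROCESSMEMORY_ROWS = [f"PID 1972 wrote to memory of 1524 1972 {SAMPLE} 27"] * 11
MEMORY_HITS = [  # the 7 'Panda Stealer Payload' YARA hits, copied from the report
    "behavioral1/memory/1524-62-0x0000000000400000-0x00000000004AF000-memory.dmp family_pandastealer",
    "behavioral1/memory/1524-64-0x0000000000400000-0x00000000004AF000-memory.dmp family_pandastealer",
    "behavioral1/memory/1524-65-0x0000000000400000-0x00000000004AF000-memory.dmp family_pandastealer",
    "behavioral1/memory/1524-67-0x0000000000400000-0x00000000004AF000-memory.dmp family_pandastealer",
    "behavioral1/memory/1524-68-0x000000000045E27E-mapping.dmp family_pandastealer",
    "behavioral1/memory/1524-70-0x0000000000400000-0x00000000004AF000-memory.dmp family_pandastealer",
    "behavioral1/memory/1524-71-0x0000000000400000-0x00000000004AF000-memory.dmp family_pandastealer",
]
PARENT_OF = {1972: None, 1524: 1972}   # from the Processes section (child -> parent)
IMAGE_OF = {1972: SAMPLE, 1524: SAMPLE}

_EVENT_RE = re.compile(r"^PID (\d+) (set thread context of|wrote to memory of) (\d+)\b")
_HIT_RE = re.compile(r"/memory/(\d+)-\d+-0x([0-9A-Fa-f]+)(?:-0x([0-9A-Fa-f]+))?-(?:memory|mapping)\.dmp\s+(\S+)")

def parse_event(row):
    """Return (action, source_pid, target_pid) for one flattened signature row."""
    m = _EVENT_RE.match(row)
    if not m:
        raise ValueError(f"unrecognised row: {row!r}")
    action = "set_thread_context" if m.group(2).startswith("set") else "write_process_memory"
    return action, int(m.group(1)), int(m.group(3))

def parse_memory_hit(row):
    """Return (pid, start, end_or_None, rule); '-mapping.dmp' hits carry a single address."""
    m = _HIT_RE.search(row)
    if not m:
        raise ValueError(f"unrecognised hit: {row!r}")
    pid, start, end, rule = m.groups()
    return int(pid), int(start, 16), (int(end, 16) if end else None), rule

def yara_regions(hits):
    """Group YARA-flagged address ranges by PID: {pid: {(start, end), ...}}."""
    regions = {}
    for pid, start, end, _rule in map(parse_memory_hit, hits):
        if end is not None:
            regions.setdefault(pid, set()).add((start, end))
    return regions

def mapping_hits_inside_regions(hits):
    """True when every single-address hit lies inside a flagged range of the same PID,
    i.e. the mapped address belongs to the flagged image rather than to unrelated memory."""
    regions = yara_regions(hits)
    return all(any(s <= addr < e for s, e in regions.get(pid, ()))
               for pid, addr, end, _rule in map(parse_memory_hit, hits) if end is None)

@dataclass
class InjectionChain:
    source: int
    target: int
    writes: int
    thread_context_set: bool
    self_spawned_child: bool   # target is a child of source running the same image
    yara_hit_in_target: bool

    @property
    def verdict(self):
        # WriteProcessMemory followed by SetThreadContext into a freshly spawned copy of
        # the same image is the process-hollowing sequence; a YARA hit on the child's
        # image range shows the written payload is what the rule matched.
        if self.writes and self.thread_context_set and self.self_spawned_child:
            return "likely process hollowing" + (" (payload confirmed)" if self.yara_hit_in_target else "")
        if self.writes and self.thread_context_set:
            return "cross-process injection"
        return "unclassified cross-process activity"

def find_injection_chains(stc_rows, wpm_rows, parent_of, image_of, hits):
    """Correlate the signature tables into one InjectionChain per (source, target) pair."""
    writes = Counter((src, dst) for _a, src, dst in map(parse_event, wpm_rows))
    ctx = {(src, dst) for _a, src, dst in map(parse_event, stc_rows)}
    flagged = yara_regions(hits)
    return [
        InjectionChain(
            source=src, target=dst, writes=writes[(src, dst)],
            thread_context_set=(src, dst) in ctx,
            self_spawned_child=parent_of.get(dst) == src and image_of.get(src) == image_of.get(dst),
            yara_hit_in_target=dst in flagged,
        )
        for src, dst in sorted(set(writes) | ctx)
    ]

if __name__ == "__main__":
    for c in find_injection_chains(SETTHREADCONTEXT_ROWS, WRITEPROCESSMEMORY_ROWS, PARENT_OF, IMAGE_OF, MEMORY_HITS):
        print(f"PID {c.source} -> PID {c.target}: {c.writes} writes, SetThreadContext={c.thread_context_set}, verdict: {c.verdict}")
    for pid, ranges in yara_regions(MEMORY_HITS).items():
        print(f"PID {pid} YARA-flagged ranges:", ", ".join(f"{s:#x}-{e:#x}" for s, e in sorted(ranges)))
```

Run directly, it prints the single 1972 -> 1524 chain with the verdict "likely process hollowing (payload confirmed)" and the flagged range 0x400000-0x4af000. The verdict deliberately degrades to "cross-process injection" when the target is not a self-spawned copy of the same image, since writing into and re-pointing a thread of some other process is a different (though still suspicious) technique. The same correlation can be run over EDR or Sysmon process-access telemetry by swapping the row parsers for that source's fields.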