pandastealer | eb977a803d155ea25837fa400dff81e8336746e6ed9f563cfaee92a544104705

Analysis

max time kernel
148s
max time network
175s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
09-06-2022 12:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

svchost.exe
Size

1.4MB
MD5

f86af47d52c3cd035c137d3a3097d06f
SHA1

5ec629884fea63bb82e2dffa441dca353d5f80e4
SHA256

eb977a803d155ea25837fa400dff81e8336746e6ed9f563cfaee92a544104705
SHA512

5f39928faa0fb04f2abc80565eea16d3522073768e5acf729619a8d0cc549199826193b2eef1eb8d5dd0c664461522748c5b2c1c3568ffb0a0b851ec29ffc04e

Score

10^/10

pandastealer spyware stealer

Malware Config

Extracted

Family

pandastealer

Version

1.11

http://asdqwezxc.ru.xsph.ru

Signatures

Panda Stealer Payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2068-134-0x0000000000D80000-0x0000000001197000-memory.dmp	family_pandastealer
behavioral2/memory/2068-135-0x0000000000D80000-0x0000000001197000-memory.dmp	family_pandastealer

PandaStealer
Panda Stealer is a fork of CollectorProject Stealer written in C++.
stealer pandastealer
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Suspicious use of NtSetInformationThreadHideFromDebugger 7 IoCs

Processes:

svchost.exe

pid process

2068 svchost.exe
2068 svchost.exe
2068 svchost.exe
2068 svchost.exe
2068 svchost.exe
2068 svchost.exe
2068 svchost.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

svchost.exe

pid process

2068 svchost.exe
2068 svchost.exe
2068 svchost.exe
2068 svchost.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

svchost.exe

pid process

2068 svchost.exe

pid	process
2068	svchost.exe
2068	svchost.exe
2068	svchost.exe
2068	svchost.exe
2068	svchost.exe
2068	svchost.exe
2068	svchost.exe

pid	process
2068	svchost.exe
2068	svchost.exe
2068	svchost.exe
2068	svchost.exe

pid	process
2068	svchost.exe

C:\Users\Admin\AppData\Local\Temp\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\svchost.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2068

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2068-130-0x0000000000D80000-0x0000000001197000-memory.dmp

Filesize
4.1MB

Download
memory/2068-131-0x0000000000D80000-0x0000000001197000-memory.dmp

Filesize
4.1MB

Download
memory/2068-132-0x0000000000D80000-0x0000000001197000-memory.dmp

Filesize
4.1MB

Download
memory/2068-133-0x0000000000D80000-0x0000000001197000-memory.dmp

Filesize
4.1MB

Download
memory/2068-134-0x0000000000D80000-0x0000000001197000-memory.dmp

Filesize
4.1MB

Download
memory/2068-135-0x0000000000D80000-0x0000000001197000-memory.dmp

Filesize
4.1MB

Download