pandastealer | 73771687cc99119179751de6ff92b29350a75c0b8cd53074cab5ce7edae001f7

General

Target

73771687cc99119179751de6ff92b29350a75c0b8cd53074cab5ce7edae001f7.exe
Size

5.6MB
MD5

850994426304c5a78d585c0e378c6160
SHA1

ffde6d0419876c305b8d50d89e0375a0e87a7da4
SHA256

73771687cc99119179751de6ff92b29350a75c0b8cd53074cab5ce7edae001f7
SHA512

40fd58f86ea63fc9a587f9e8907628f2cfcb5322b532249e9a4685b1efd2e3ab064d217f94dabc720500864904ebdf42b96358a410cf345f7a2f61547e9e57ac

Score

10^/10

pandastealer spyware stealer

Malware Config

Signatures

PandaStealer
Panda Stealer is a fork of CollectorProject Stealer written in C++.
stealer pandastealer
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Suspicious use of SetThreadContext 1 IoCs

Processes:

73771687cc99119179751de6ff92b29350a75c0b8cd53074cab5ce7edae001f7.exe

description	pid	process	target process
PID 808 set thread context of 1816	808	73771687cc99119179751de6ff92b29350a75c0b8cd53074cab5ce7edae001f7.exe	73771687cc99119179751de6ff92b29350a75c0b8cd53074cab5ce7edae001f7.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

73771687cc99119179751de6ff92b29350a75c0b8cd53074cab5ce7edae001f7.exe

pid process

1816 73771687cc99119179751de6ff92b29350a75c0b8cd53074cab5ce7edae001f7.exe

pid	process
1816	73771687cc99119179751de6ff92b29350a75c0b8cd53074cab5ce7edae001f7.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

73771687cc99119179751de6ff92b29350a75c0b8cd53074cab5ce7edae001f7.exe

description	pid	process	target process
PID 808 wrote to memory of 1816	808	73771687cc99119179751de6ff92b29350a75c0b8cd53074cab5ce7edae001f7.exe	73771687cc99119179751de6ff92b29350a75c0b8cd53074cab5ce7edae001f7.exe
PID 808 wrote to memory of 1816	808	73771687cc99119179751de6ff92b29350a75c0b8cd53074cab5ce7edae001f7.exe	73771687cc99119179751de6ff92b29350a75c0b8cd53074cab5ce7edae001f7.exe
PID 808 wrote to memory of 1816	808	73771687cc99119179751de6ff92b29350a75c0b8cd53074cab5ce7edae001f7.exe	73771687cc99119179751de6ff92b29350a75c0b8cd53074cab5ce7edae001f7.exe
PID 808 wrote to memory of 1816	808	73771687cc99119179751de6ff92b29350a75c0b8cd53074cab5ce7edae001f7.exe	73771687cc99119179751de6ff92b29350a75c0b8cd53074cab5ce7edae001f7.exe
PID 808 wrote to memory of 1816	808	73771687cc99119179751de6ff92b29350a75c0b8cd53074cab5ce7edae001f7.exe	73771687cc99119179751de6ff92b29350a75c0b8cd53074cab5ce7edae001f7.exe
PID 808 wrote to memory of 1816	808	73771687cc99119179751de6ff92b29350a75c0b8cd53074cab5ce7edae001f7.exe	73771687cc99119179751de6ff92b29350a75c0b8cd53074cab5ce7edae001f7.exe
PID 808 wrote to memory of 1816	808	73771687cc99119179751de6ff92b29350a75c0b8cd53074cab5ce7edae001f7.exe	73771687cc99119179751de6ff92b29350a75c0b8cd53074cab5ce7edae001f7.exe
PID 808 wrote to memory of 1816	808	73771687cc99119179751de6ff92b29350a75c0b8cd53074cab5ce7edae001f7.exe	73771687cc99119179751de6ff92b29350a75c0b8cd53074cab5ce7edae001f7.exe
PID 808 wrote to memory of 1816	808	73771687cc99119179751de6ff92b29350a75c0b8cd53074cab5ce7edae001f7.exe	73771687cc99119179751de6ff92b29350a75c0b8cd53074cab5ce7edae001f7.exe
PID 808 wrote to memory of 1816	808	73771687cc99119179751de6ff92b29350a75c0b8cd53074cab5ce7edae001f7.exe	73771687cc99119179751de6ff92b29350a75c0b8cd53074cab5ce7edae001f7.exe
PID 808 wrote to memory of 1816	808	73771687cc99119179751de6ff92b29350a75c0b8cd53074cab5ce7edae001f7.exe	73771687cc99119179751de6ff92b29350a75c0b8cd53074cab5ce7edae001f7.exe

C:\Users\Admin\AppData\Local\Temp\73771687cc99119179751de6ff92b29350a75c0b8cd53074cab5ce7edae001f7.exe
"C:\Users\Admin\AppData\Local\Temp\73771687cc99119179751de6ff92b29350a75c0b8cd53074cab5ce7edae001f7.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:808

C:\Users\Admin\AppData\Local\Temp\73771687cc99119179751de6ff92b29350a75c0b8cd53074cab5ce7edae001f7.exe
"C:\Users\Admin\AppData\Local\Temp\73771687cc99119179751de6ff92b29350a75c0b8cd53074cab5ce7edae001f7.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1816

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/808-54-0x0000000000E00000-0x00000000013A0000-memory.dmp

Filesize
5.6MB

Download
memory/808-55-0x0000000006250000-0x0000000006312000-memory.dmp

Filesize
776KB

Download
memory/1816-56-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/1816-57-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/1816-59-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/1816-61-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/1816-63-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/1816-64-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/1816-66-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/1816-67-0x000000000045EA1E-mapping.dmp

Download
memory/1816-69-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/1816-70-0x0000000075DE1000-0x0000000075DE3000-memory.dmp

Filesize
8KB

Download
memory/1816-71-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/1816-72-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download

Analysis

Sharing