pandastealer | 73771687cc99119179751de6ff92b29350a75c0b8cd53074cab5ce7edae001f7

General

Target

73771687cc99119179751de6ff92b29350a75c0b8cd53074cab5ce7edae001f7.exe
Size

5.6MB
MD5

850994426304c5a78d585c0e378c6160
SHA1

ffde6d0419876c305b8d50d89e0375a0e87a7da4
SHA256

73771687cc99119179751de6ff92b29350a75c0b8cd53074cab5ce7edae001f7
SHA512

40fd58f86ea63fc9a587f9e8907628f2cfcb5322b532249e9a4685b1efd2e3ab064d217f94dabc720500864904ebdf42b96358a410cf345f7a2f61547e9e57ac

Score

10^/10

pandastealer spyware stealer

Malware Config

Signatures

PandaStealer
Panda Stealer is a fork of CollectorProject Stealer written in C++.
stealer pandastealer
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Suspicious use of SetThreadContext 1 IoCs

Processes:

73771687cc99119179751de6ff92b29350a75c0b8cd53074cab5ce7edae001f7.exe

description	pid	process	target process
PID 2052 set thread context of 3556	2052	73771687cc99119179751de6ff92b29350a75c0b8cd53074cab5ce7edae001f7.exe	73771687cc99119179751de6ff92b29350a75c0b8cd53074cab5ce7edae001f7.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

73771687cc99119179751de6ff92b29350a75c0b8cd53074cab5ce7edae001f7.exe

pid	process
3556	73771687cc99119179751de6ff92b29350a75c0b8cd53074cab5ce7edae001f7.exe
3556	73771687cc99119179751de6ff92b29350a75c0b8cd53074cab5ce7edae001f7.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

73771687cc99119179751de6ff92b29350a75c0b8cd53074cab5ce7edae001f7.exe

description	pid	process	target process
PID 2052 wrote to memory of 3556	2052	73771687cc99119179751de6ff92b29350a75c0b8cd53074cab5ce7edae001f7.exe	73771687cc99119179751de6ff92b29350a75c0b8cd53074cab5ce7edae001f7.exe
PID 2052 wrote to memory of 3556	2052	73771687cc99119179751de6ff92b29350a75c0b8cd53074cab5ce7edae001f7.exe	73771687cc99119179751de6ff92b29350a75c0b8cd53074cab5ce7edae001f7.exe
PID 2052 wrote to memory of 3556	2052	73771687cc99119179751de6ff92b29350a75c0b8cd53074cab5ce7edae001f7.exe	73771687cc99119179751de6ff92b29350a75c0b8cd53074cab5ce7edae001f7.exe
PID 2052 wrote to memory of 3556	2052	73771687cc99119179751de6ff92b29350a75c0b8cd53074cab5ce7edae001f7.exe	73771687cc99119179751de6ff92b29350a75c0b8cd53074cab5ce7edae001f7.exe
PID 2052 wrote to memory of 3556	2052	73771687cc99119179751de6ff92b29350a75c0b8cd53074cab5ce7edae001f7.exe	73771687cc99119179751de6ff92b29350a75c0b8cd53074cab5ce7edae001f7.exe
PID 2052 wrote to memory of 3556	2052	73771687cc99119179751de6ff92b29350a75c0b8cd53074cab5ce7edae001f7.exe	73771687cc99119179751de6ff92b29350a75c0b8cd53074cab5ce7edae001f7.exe
PID 2052 wrote to memory of 3556	2052	73771687cc99119179751de6ff92b29350a75c0b8cd53074cab5ce7edae001f7.exe	73771687cc99119179751de6ff92b29350a75c0b8cd53074cab5ce7edae001f7.exe
PID 2052 wrote to memory of 3556	2052	73771687cc99119179751de6ff92b29350a75c0b8cd53074cab5ce7edae001f7.exe	73771687cc99119179751de6ff92b29350a75c0b8cd53074cab5ce7edae001f7.exe
PID 2052 wrote to memory of 3556	2052	73771687cc99119179751de6ff92b29350a75c0b8cd53074cab5ce7edae001f7.exe	73771687cc99119179751de6ff92b29350a75c0b8cd53074cab5ce7edae001f7.exe
PID 2052 wrote to memory of 3556	2052	73771687cc99119179751de6ff92b29350a75c0b8cd53074cab5ce7edae001f7.exe	73771687cc99119179751de6ff92b29350a75c0b8cd53074cab5ce7edae001f7.exe

C:\Users\Admin\AppData\Local\Temp\73771687cc99119179751de6ff92b29350a75c0b8cd53074cab5ce7edae001f7.exe
"C:\Users\Admin\AppData\Local\Temp\73771687cc99119179751de6ff92b29350a75c0b8cd53074cab5ce7edae001f7.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2052

C:\Users\Admin\AppData\Local\Temp\73771687cc99119179751de6ff92b29350a75c0b8cd53074cab5ce7edae001f7.exe
"C:\Users\Admin\AppData\Local\Temp\73771687cc99119179751de6ff92b29350a75c0b8cd53074cab5ce7edae001f7.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3556

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2052-130-0x0000000000160000-0x0000000000700000-memory.dmp

Filesize
5.6MB

Download
memory/2052-131-0x0000000004F10000-0x0000000004FAC000-memory.dmp

Filesize
624KB

Download
memory/2052-132-0x00000000089E0000-0x0000000008F84000-memory.dmp

Filesize
5.6MB

Download
memory/2052-133-0x00000000084D0000-0x0000000008562000-memory.dmp

Filesize
584KB

Download
memory/2052-134-0x0000000008450000-0x000000000845A000-memory.dmp

Filesize
40KB

Download
memory/3556-135-0x0000000000000000-mapping.dmp

Download
memory/3556-136-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/3556-137-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/3556-138-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/3556-139-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/3556-140-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads