Analysis

max time kernel: 132s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 29-01-2023 18:01

Static task: static1

Behavioral task: behavioral1
Sample: 0666f4e14a01a85d07cd530529b8fdc98883c7506c0f7ab02951d675e5fbe2af.exe
Resource: win7-20221111-en

Behavioral task: behavioral2
Sample: 0666f4e14a01a85d07cd530529b8fdc98883c7506c0f7ab02951d675e5fbe2af.exe
Resource: win10v2004-20220812-en
General

Target: 0666f4e14a01a85d07cd530529b8fdc98883c7506c0f7ab02951d675e5fbe2af.exe
Size: 534KB
MD5: 9c228ed564048e4a55675a5f8737343c
SHA1: 1372f5eb3f33c2960b0a1ae3e01d171e3544f0ed
SHA256: 0666f4e14a01a85d07cd530529b8fdc98883c7506c0f7ab02951d675e5fbe2af
SHA512: ff0629ead32c70fb3707c887ac982de001e630e9ea5a029dacc49b0a57213de0da1da66097612b19e692eb6a4bc4ee1f253fb9339439fcf6bd7e3dd3b25320d0
SSDEEP: 12288:jSUh1yUg6NkHp7x/FP1WVCYni/dKP6MJpxGnRbbe:jJh1yS67dLUi/Spxqm
Malware Config

Signatures

PandaStealer
  Panda Stealer is a fork of CollectorProject Stealer written in C++.

Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

Program crash (10 IoCs)
  pid   pid_target  Process       procid_target
  1516  1112        WerFault.exe  79
  4680  1112        WerFault.exe  79
  4788  1112        WerFault.exe  79
  4764  1112        WerFault.exe  79
  4944  1112        WerFault.exe  79
  4920  1112        WerFault.exe  79
  2172  1112        WerFault.exe  79
  8     1112        WerFault.exe  79
  4244  1112        WerFault.exe  79
  4924  1112        WerFault.exe  79

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid   Process
  1112  0666f4e14a01a85d07cd530529b8fdc98883c7506c0f7ab02951d675e5fbe2af.exe
  1112  0666f4e14a01a85d07cd530529b8fdc98883c7506c0f7ab02951d675e5fbe2af.exe

Suspicious use of WriteProcessMemory (3 IoCs)
  description                       pid   Process                                                                  procid_target
  PID 1112 wrote to memory of 2124  1112  0666f4e14a01a85d07cd530529b8fdc98883c7506c0f7ab02951d675e5fbe2af.exe  99
  PID 1112 wrote to memory of 2124  1112  0666f4e14a01a85d07cd530529b8fdc98883c7506c0f7ab02951d675e5fbe2af.exe  99
  PID 1112 wrote to memory of 2124  1112  0666f4e14a01a85d07cd530529b8fdc98883c7506c0f7ab02951d675e5fbe2af.exe  99
Processes

C:\Users\Admin\AppData\Local\Temp\0666f4e14a01a85d07cd530529b8fdc98883c7506c0f7ab02951d675e5fbe2af.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0666f4e14a01a85d07cd530529b8fdc98883c7506c0f7ab02951d675e5fbe2af.exe"
  PID: 1112
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1112 -s 672
      PID: 1516
      - Program crash

    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1112 -s 688
      PID: 4680
      - Program crash

    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1112 -s 480
      PID: 4788
      - Program crash

    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1112 -s 856
      PID: 4764
      - Program crash

    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1112 -s 876
      PID: 4944
      - Program crash

    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1112 -s 856
      PID: 4920
      - Program crash

    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1112 -s 536
      PID: 2172
      - Program crash

    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1112 -s 1084
      PID: 8
      - Program crash

    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1112 -s 1124
      PID: 4244
      - Program crash

    C:\Windows\SysWOW64\cmd.exe
      Command line: cmd.exe /C Del /f /q "C:\Users\Admin\AppData\Local\Temp\0666f4e14a01a85d07cd530529b8fdc98883c7506c0f7ab02951d675e5fbe2af.exe"
      PID: 2124

    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1112 -s 1348
      PID: 4924
      - Program crash

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 1112 -ip 1112
  PID: 4104

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 1112 -ip 1112
  PID: 2284

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 1112 -ip 1112
  PID: 4820

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 1112 -ip 1112
  PID: 4804

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1112 -ip 1112
  PID: 2200

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1112 -ip 1112
  PID: 4256

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 1112 -ip 1112
  PID: 1544

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1112 -ip 1112
  PID: 1884

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 1112 -ip 1112
  PID: 556

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 1112 -ip 1112
  PID: 344