pandastealer | 0666f4e14a01a85d07cd530529b8fdc98883c7506c0f7ab02951d675e5fbe2af

General

Target

0666f4e14a01a85d07cd530529b8fdc98883c7506c0f7ab02951d675e5fbe2af.exe
Size

534KB
MD5

9c228ed564048e4a55675a5f8737343c
SHA1

1372f5eb3f33c2960b0a1ae3e01d171e3544f0ed
SHA256

0666f4e14a01a85d07cd530529b8fdc98883c7506c0f7ab02951d675e5fbe2af
SHA512

ff0629ead32c70fb3707c887ac982de001e630e9ea5a029dacc49b0a57213de0da1da66097612b19e692eb6a4bc4ee1f253fb9339439fcf6bd7e3dd3b25320d0
SSDEEP

12288:jSUh1yUg6NkHp7x/FP1WVCYni/dKP6MJpxGnRbbe:jJh1yS67dLUi/Spxqm

Score

10^/10

pandastealer spyware stealer

Malware Config

Signatures

PandaStealer
Panda Stealer is a fork of CollectorProject Stealer written in C++.
stealer pandastealer
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Program crash 10 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
1516	1112	WerFault.exe	0666f4e14a01a85d07cd530529b8fdc98883c7506c0f7ab02951d675e5fbe2af.exe
4680	1112	WerFault.exe	0666f4e14a01a85d07cd530529b8fdc98883c7506c0f7ab02951d675e5fbe2af.exe
4788	1112	WerFault.exe	0666f4e14a01a85d07cd530529b8fdc98883c7506c0f7ab02951d675e5fbe2af.exe
4764	1112	WerFault.exe	0666f4e14a01a85d07cd530529b8fdc98883c7506c0f7ab02951d675e5fbe2af.exe
4944	1112	WerFault.exe	0666f4e14a01a85d07cd530529b8fdc98883c7506c0f7ab02951d675e5fbe2af.exe
4920	1112	WerFault.exe	0666f4e14a01a85d07cd530529b8fdc98883c7506c0f7ab02951d675e5fbe2af.exe
2172	1112	WerFault.exe	0666f4e14a01a85d07cd530529b8fdc98883c7506c0f7ab02951d675e5fbe2af.exe
8	1112	WerFault.exe	0666f4e14a01a85d07cd530529b8fdc98883c7506c0f7ab02951d675e5fbe2af.exe
4244	1112	WerFault.exe	0666f4e14a01a85d07cd530529b8fdc98883c7506c0f7ab02951d675e5fbe2af.exe
4924	1112	WerFault.exe	0666f4e14a01a85d07cd530529b8fdc98883c7506c0f7ab02951d675e5fbe2af.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

0666f4e14a01a85d07cd530529b8fdc98883c7506c0f7ab02951d675e5fbe2af.exe

pid	process
1112	0666f4e14a01a85d07cd530529b8fdc98883c7506c0f7ab02951d675e5fbe2af.exe
1112	0666f4e14a01a85d07cd530529b8fdc98883c7506c0f7ab02951d675e5fbe2af.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

0666f4e14a01a85d07cd530529b8fdc98883c7506c0f7ab02951d675e5fbe2af.exe

description	pid	process	target process
PID 1112 wrote to memory of 2124	1112	0666f4e14a01a85d07cd530529b8fdc98883c7506c0f7ab02951d675e5fbe2af.exe	cmd.exe
PID 1112 wrote to memory of 2124	1112	0666f4e14a01a85d07cd530529b8fdc98883c7506c0f7ab02951d675e5fbe2af.exe	cmd.exe
PID 1112 wrote to memory of 2124	1112	0666f4e14a01a85d07cd530529b8fdc98883c7506c0f7ab02951d675e5fbe2af.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\0666f4e14a01a85d07cd530529b8fdc98883c7506c0f7ab02951d675e5fbe2af.exe
"C:\Users\Admin\AppData\Local\Temp\0666f4e14a01a85d07cd530529b8fdc98883c7506c0f7ab02951d675e5fbe2af.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1112 -s 672
2⤵
- Program crash
PID:1516

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1112 -s 688
2⤵
- Program crash
PID:4680

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1112 -s 480
2⤵
- Program crash
PID:4788

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1112 -s 856
2⤵
- Program crash
PID:4764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1112 -s 876
2⤵
- Program crash
PID:4944

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1112 -s 856
2⤵
- Program crash
PID:4920

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1112 -s 536
2⤵
- Program crash
PID:2172

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1112 -s 1084
2⤵
- Program crash
PID:8

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1112 -s 1124
2⤵
- Program crash
PID:4244

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C Del /f /q "C:\Users\Admin\AppData\Local\Temp\0666f4e14a01a85d07cd530529b8fdc98883c7506c0f7ab02951d675e5fbe2af.exe"
2⤵
PID:2124

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1112 -s 1348
2⤵
- Program crash
PID:4924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 1112 -ip 1112
1⤵
PID:4104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 1112 -ip 1112
1⤵
PID:2284

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 1112 -ip 1112
1⤵
PID:4820

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 1112 -ip 1112
1⤵
PID:4804

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1112 -ip 1112
1⤵
PID:2200

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1112 -ip 1112
1⤵
PID:4256

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 1112 -ip 1112
1⤵
PID:1544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1112 -ip 1112
1⤵
PID:1884

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 1112 -ip 1112
1⤵
PID:556

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 1112 -ip 1112
1⤵
PID:344

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1112-132-0x00000000009E3000-0x0000000000A49000-memory.dmp

Filesize
408KB

Download
memory/1112-133-0x0000000000920000-0x00000000009CE000-memory.dmp

Filesize
696KB

Download
memory/1112-134-0x0000000000400000-0x000000000087F000-memory.dmp

Filesize
4.5MB

Download
memory/1112-135-0x0000000000400000-0x000000000087F000-memory.dmp

Filesize
4.5MB

Download
memory/1112-137-0x0000000000400000-0x000000000087F000-memory.dmp

Filesize
4.5MB

Download
memory/2124-136-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads