pandastealer | 513b839cea18adfe5cc8f6307dbf2519ab07c6cca7c46508b778150acb88829a

Analysis

max time kernel
45s
max time network
49s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
07-02-2023 08:27

Target

dde995cfb07cbb9bc3f054783cb35461.exe
Size

741KB
MD5

dde995cfb07cbb9bc3f054783cb35461
SHA1

62c8098fd796dbbb1ae38d4e8eaec2bacae64bea
SHA256

513b839cea18adfe5cc8f6307dbf2519ab07c6cca7c46508b778150acb88829a
SHA512

2dcf18699ae9d4a8db786e16a8a450f75dc9de0b5962848250d8c9c0e81ec3eb80efc177794626c1c9971c21306c0a169aff8b9383f8576bc63d1322d568bb25
SSDEEP

12288:s/lF1MbcEK5zByepp5uZpJwPHITFl76WeggtgWwdW1ZdhCEfg7Y1Mh6sP7P3e3:0aIhrpv8GPohoW9gtgDdo/hCEfgTTPu3

Score

10^/10

Panda Stealer payload 4 IoCs

Processes:

resource	yara_rule
behavioral1/memory/976-57-0x0000000000400000-0x00000000004A3000-memory.dmp	family_pandastealer
behavioral1/memory/976-64-0x000000000045B608-mapping.dmp	family_pandastealer
behavioral1/memory/976-66-0x0000000000400000-0x00000000004A3000-memory.dmp	family_pandastealer
behavioral1/memory/976-68-0x0000000000400000-0x00000000004A3000-memory.dmp	family_pandastealer

PandaStealer
Panda Stealer is a fork of CollectorProject Stealer written in C++.
stealer pandastealer
Suspicious use of SetThreadContext 1 IoCs

Processes:

dde995cfb07cbb9bc3f054783cb35461.exe

description pid process target process

PID 1204 set thread context of 976 1204 dde995cfb07cbb9bc3f054783cb35461.exe AppLaunch.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1248 1204 WerFault.exe dde995cfb07cbb9bc3f054783cb35461.exe

description	pid	process	target process
PID 1204 set thread context of 976	1204	dde995cfb07cbb9bc3f054783cb35461.exe	AppLaunch.exe

pid	pid_target	process	target process
1248	1204	WerFault.exe	dde995cfb07cbb9bc3f054783cb35461.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

dde995cfb07cbb9bc3f054783cb35461.exe

description	pid	process	target process
PID 1204 wrote to memory of 976	1204	dde995cfb07cbb9bc3f054783cb35461.exe	AppLaunch.exe
PID 1204 wrote to memory of 976	1204	dde995cfb07cbb9bc3f054783cb35461.exe	AppLaunch.exe
PID 1204 wrote to memory of 976	1204	dde995cfb07cbb9bc3f054783cb35461.exe	AppLaunch.exe
PID 1204 wrote to memory of 976	1204	dde995cfb07cbb9bc3f054783cb35461.exe	AppLaunch.exe
PID 1204 wrote to memory of 976	1204	dde995cfb07cbb9bc3f054783cb35461.exe	AppLaunch.exe
PID 1204 wrote to memory of 976	1204	dde995cfb07cbb9bc3f054783cb35461.exe	AppLaunch.exe
PID 1204 wrote to memory of 976	1204	dde995cfb07cbb9bc3f054783cb35461.exe	AppLaunch.exe
PID 1204 wrote to memory of 976	1204	dde995cfb07cbb9bc3f054783cb35461.exe	AppLaunch.exe
PID 1204 wrote to memory of 976	1204	dde995cfb07cbb9bc3f054783cb35461.exe	AppLaunch.exe
PID 1204 wrote to memory of 1248	1204	dde995cfb07cbb9bc3f054783cb35461.exe	WerFault.exe
PID 1204 wrote to memory of 1248	1204	dde995cfb07cbb9bc3f054783cb35461.exe	WerFault.exe
PID 1204 wrote to memory of 1248	1204	dde995cfb07cbb9bc3f054783cb35461.exe	WerFault.exe
PID 1204 wrote to memory of 1248	1204	dde995cfb07cbb9bc3f054783cb35461.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\dde995cfb07cbb9bc3f054783cb35461.exe
"C:\Users\Admin\AppData\Local\Temp\dde995cfb07cbb9bc3f054783cb35461.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1204
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  PID:976
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1204 -s 36
  2⤵
  - Program crash
  PID:1248

memory/976-55-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/976-57-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/976-64-0x000000000045B608-mapping.dmp

Download
memory/976-66-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/976-68-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/1204-54-0x0000000074E41000-0x0000000074E43000-memory.dmp

Filesize
8KB

Download
memory/1248-67-0x0000000000000000-mapping.dmp

Download