pandastealer | 60a9b2c51e2cc25003cb1edc5698e0aa7f1081f874648459fc3dc672c2e36224

Analysis

max time kernel
150s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
19-02-2023 17:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

60a9b2c51e2cc25003cb1edc5698e0aa7f1081f874648459fc3dc672c2e36224.exe
Size

228KB
MD5

dd450b8cd29046444f8181570fd8901f
SHA1

4d56d35a3a300aef08eb65467f4e7287286e161a
SHA256

60a9b2c51e2cc25003cb1edc5698e0aa7f1081f874648459fc3dc672c2e36224
SHA512

e81bed9347ec9a0c2ab7f76c191c45bfc80f8927b721b81e00ad7145be826aef0ac0eb15c5627ad670fbb5b84ee40b83a28f8fa20b2f3deedf3ebd49ea475f32
SSDEEP

6144:yRkoaLZh5lx6O2pq5KpdYf32I6q4ns4H2:yRfalh569ZU32Xh2

Score

10^/10

pandastealer smokeloader backdoor stealer trojan

Malware Config

Signatures

Detects Smokeloader packer 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/5100-133-0x0000000002350000-0x0000000002359000-memory.dmp	family_smokeloader

Panda Stealer payload 4 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2168-149-0x0000000000400000-0x00000000004A3000-memory.dmp	family_pandastealer
behavioral1/memory/2168-150-0x0000000000400000-0x00000000004A3000-memory.dmp	family_pandastealer
behavioral1/memory/2168-151-0x0000000000400000-0x00000000004A3000-memory.dmp	family_pandastealer
behavioral1/memory/2168-153-0x0000000000400000-0x00000000004A3000-memory.dmp	family_pandastealer

PandaStealer
Panda Stealer is a fork of CollectorProject Stealer written in C++.
stealer pandastealer
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Downloads MZ/PE file
Executes dropped EXE 3 IoCs

Processes:

F1F6.exeF756.exeFE5C.exe

pid process

3616 F1F6.exe
4980 F756.exe
4840 FE5C.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Suspicious use of SetThreadContext 1 IoCs

Processes:

FE5C.exe

description pid process target process

PID 4840 set thread context of 2168 4840 FE5C.exe InstallUtil.exe

pid	process
3616	F1F6.exe
4980	F756.exe
4840	FE5C.exe

description	pid	process	target process
PID 4840 set thread context of 2168	4840	FE5C.exe	InstallUtil.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

60a9b2c51e2cc25003cb1edc5698e0aa7f1081f874648459fc3dc672c2e36224.exe

description	ioc	process
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	60a9b2c51e2cc25003cb1edc5698e0aa7f1081f874648459fc3dc672c2e36224.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	60a9b2c51e2cc25003cb1edc5698e0aa7f1081f874648459fc3dc672c2e36224.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	60a9b2c51e2cc25003cb1edc5698e0aa7f1081f874648459fc3dc672c2e36224.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

60a9b2c51e2cc25003cb1edc5698e0aa7f1081f874648459fc3dc672c2e36224.exe

pid	process
5100	60a9b2c51e2cc25003cb1edc5698e0aa7f1081f874648459fc3dc672c2e36224.exe
5100	60a9b2c51e2cc25003cb1edc5698e0aa7f1081f874648459fc3dc672c2e36224.exe
684
684
684
684
684
684
684
684
684
684
684
684
684
684
684
684
684
684
684
684
684
684
684
684
684
684
684
684
684
684
684
684
684
684
684
684
684
684
684
684
684
684
684
684
684
684
684
684
684
684
684
684
684
684
684
684
684
684
684
684
684
684

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

684
Suspicious behavior: MapViewOfSection 19 IoCs

Processes:

60a9b2c51e2cc25003cb1edc5698e0aa7f1081f874648459fc3dc672c2e36224.exe

pid process

5100 60a9b2c51e2cc25003cb1edc5698e0aa7f1081f874648459fc3dc672c2e36224.exe
684
684
684
684
684
684
684
684
684
684
684
684
684
684
684
684
684
684

pid	process
684

Suspicious use of AdjustPrivilegeToken 10 IoCs

Processes:

description	pid	process
Token: SeShutdownPrivilege	684
Token: SeCreatePagefilePrivilege	684
Token: SeShutdownPrivilege	684
Token: SeCreatePagefilePrivilege	684
Token: SeShutdownPrivilege	684
Token: SeCreatePagefilePrivilege	684
Token: SeShutdownPrivilege	684
Token: SeCreatePagefilePrivilege	684
Token: SeShutdownPrivilege	684
Token: SeCreatePagefilePrivilege	684

Suspicious use of WriteProcessMemory 50 IoCs

Processes:

FE5C.exe

description	pid	process	target process
PID 684 wrote to memory of 3616	684		F1F6.exe
PID 684 wrote to memory of 3616	684		F1F6.exe
PID 684 wrote to memory of 4980	684		F756.exe
PID 684 wrote to memory of 4980	684		F756.exe
PID 684 wrote to memory of 4840	684		FE5C.exe
PID 684 wrote to memory of 4840	684		FE5C.exe
PID 684 wrote to memory of 4840	684		FE5C.exe
PID 4840 wrote to memory of 2168	4840	FE5C.exe	InstallUtil.exe
PID 4840 wrote to memory of 2168	4840	FE5C.exe	InstallUtil.exe
PID 4840 wrote to memory of 2168	4840	FE5C.exe	InstallUtil.exe
PID 4840 wrote to memory of 2168	4840	FE5C.exe	InstallUtil.exe
PID 4840 wrote to memory of 2168	4840	FE5C.exe	InstallUtil.exe
PID 4840 wrote to memory of 2168	4840	FE5C.exe	InstallUtil.exe
PID 4840 wrote to memory of 2168	4840	FE5C.exe	InstallUtil.exe
PID 4840 wrote to memory of 2168	4840	FE5C.exe	InstallUtil.exe
PID 4840 wrote to memory of 2168	4840	FE5C.exe	InstallUtil.exe
PID 4840 wrote to memory of 2168	4840	FE5C.exe	InstallUtil.exe
PID 684 wrote to memory of 2812	684		explorer.exe
PID 684 wrote to memory of 2812	684		explorer.exe
PID 684 wrote to memory of 2812	684		explorer.exe
PID 684 wrote to memory of 2812	684		explorer.exe
PID 684 wrote to memory of 2432	684		explorer.exe
PID 684 wrote to memory of 2432	684		explorer.exe
PID 684 wrote to memory of 2432	684		explorer.exe
PID 684 wrote to memory of 884	684		explorer.exe
PID 684 wrote to memory of 884	684		explorer.exe
PID 684 wrote to memory of 884	684		explorer.exe
PID 684 wrote to memory of 884	684		explorer.exe
PID 684 wrote to memory of 752	684		explorer.exe
PID 684 wrote to memory of 752	684		explorer.exe
PID 684 wrote to memory of 752	684		explorer.exe
PID 684 wrote to memory of 4584	684		explorer.exe
PID 684 wrote to memory of 4584	684		explorer.exe
PID 684 wrote to memory of 4584	684		explorer.exe
PID 684 wrote to memory of 4584	684		explorer.exe
PID 684 wrote to memory of 4552	684		explorer.exe
PID 684 wrote to memory of 4552	684		explorer.exe
PID 684 wrote to memory of 4552	684		explorer.exe
PID 684 wrote to memory of 4552	684		explorer.exe
PID 684 wrote to memory of 4652	684		explorer.exe
PID 684 wrote to memory of 4652	684		explorer.exe
PID 684 wrote to memory of 4652	684		explorer.exe
PID 684 wrote to memory of 4652	684		explorer.exe
PID 684 wrote to memory of 4612	684		explorer.exe
PID 684 wrote to memory of 4612	684		explorer.exe
PID 684 wrote to memory of 4612	684		explorer.exe
PID 684 wrote to memory of 1224	684		explorer.exe
PID 684 wrote to memory of 1224	684		explorer.exe
PID 684 wrote to memory of 1224	684		explorer.exe
PID 684 wrote to memory of 1224	684		explorer.exe

C:\Users\Admin\AppData\Local\Temp\60a9b2c51e2cc25003cb1edc5698e0aa7f1081f874648459fc3dc672c2e36224.exe
"C:\Users\Admin\AppData\Local\Temp\60a9b2c51e2cc25003cb1edc5698e0aa7f1081f874648459fc3dc672c2e36224.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:5100

C:\Users\Admin\AppData\Local\Temp\F1F6.exe
C:\Users\Admin\AppData\Local\Temp\F1F6.exe
1⤵
- Executes dropped EXE
PID:3616

C:\Users\Admin\AppData\Local\Temp\F756.exe
C:\Users\Admin\AppData\Local\Temp\F756.exe
1⤵
- Executes dropped EXE
PID:4980

C:\Users\Admin\AppData\Local\Temp\FE5C.exe
C:\Users\Admin\AppData\Local\Temp\FE5C.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4840
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
  2⤵
  PID:2168

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:2812

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:2432

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:884

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:752

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:4584

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:4552

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:4652

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:4612

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:1224

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Web Service

T1102

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\F1F6.exe

Filesize
4KB

MD5
9748489855d9dd82ab09da5e3e55b19e

SHA1
6ed2bf6a1a53a59cd2137812cb43b5032817f6a1

SHA256
05bdd09d934144589f7b90ac4ef6e8d7743c35f551219d98bc7fc933f98a157b

SHA512
7eebbc3e42aad1af304ba38ca0c74e5f2293a630d98d4cfd48957f5f288bcb52cf323421c2b166e3b459450d5ef024167f8729b7b4b66651a34c3c3d4581a2be

Download Submit
C:\Users\Admin\AppData\Local\Temp\F1F6.exe

Filesize
4KB

MD5
9748489855d9dd82ab09da5e3e55b19e

SHA1
6ed2bf6a1a53a59cd2137812cb43b5032817f6a1

SHA256
05bdd09d934144589f7b90ac4ef6e8d7743c35f551219d98bc7fc933f98a157b

SHA512
7eebbc3e42aad1af304ba38ca0c74e5f2293a630d98d4cfd48957f5f288bcb52cf323421c2b166e3b459450d5ef024167f8729b7b4b66651a34c3c3d4581a2be

Download Submit
C:\Users\Admin\AppData\Local\Temp\F756.exe

Filesize
4KB

MD5
9748489855d9dd82ab09da5e3e55b19e

SHA1
6ed2bf6a1a53a59cd2137812cb43b5032817f6a1

SHA256
05bdd09d934144589f7b90ac4ef6e8d7743c35f551219d98bc7fc933f98a157b

SHA512
7eebbc3e42aad1af304ba38ca0c74e5f2293a630d98d4cfd48957f5f288bcb52cf323421c2b166e3b459450d5ef024167f8729b7b4b66651a34c3c3d4581a2be

Download Submit
C:\Users\Admin\AppData\Local\Temp\F756.exe

Filesize
4KB

MD5
9748489855d9dd82ab09da5e3e55b19e

SHA1
6ed2bf6a1a53a59cd2137812cb43b5032817f6a1

SHA256
05bdd09d934144589f7b90ac4ef6e8d7743c35f551219d98bc7fc933f98a157b

SHA512
7eebbc3e42aad1af304ba38ca0c74e5f2293a630d98d4cfd48957f5f288bcb52cf323421c2b166e3b459450d5ef024167f8729b7b4b66651a34c3c3d4581a2be

Download Submit
C:\Users\Admin\AppData\Local\Temp\FE5C.exe

Filesize
1.6MB

MD5
5e90d194f2ea7c8fdbbdd2e92a27cc86

SHA1
77a386f998234404c0107238ae6990a18795c842

SHA256
a23d3de62c296400d288e7e4457162ccc8cc8c4936f3e59fc4ceb6ca137a3db1

SHA512
c26175e17645947bf6b73610a3d1c36d4669fc3ff5d5ed7792c9c8e066fa7d0f9168c071cae0210c67cdd8165259f440ce8ce0e2128a09a1ffd140134cd57f39

Download Submit
C:\Users\Admin\AppData\Local\Temp\FE5C.exe

Filesize
1.6MB

MD5
5e90d194f2ea7c8fdbbdd2e92a27cc86

SHA1
77a386f998234404c0107238ae6990a18795c842

SHA256
a23d3de62c296400d288e7e4457162ccc8cc8c4936f3e59fc4ceb6ca137a3db1

SHA512
c26175e17645947bf6b73610a3d1c36d4669fc3ff5d5ed7792c9c8e066fa7d0f9168c071cae0210c67cdd8165259f440ce8ce0e2128a09a1ffd140134cd57f39

Download Submit
memory/752-183-0x00000000004B0000-0x00000000004B6000-memory.dmp

Filesize
24KB

Download
memory/752-163-0x00000000004B0000-0x00000000004B6000-memory.dmp

Filesize
24KB

Download
memory/752-164-0x00000000004A0000-0x00000000004AC000-memory.dmp

Filesize
48KB

Download
memory/752-162-0x0000000000000000-mapping.dmp

Download
memory/884-160-0x00000000006C0000-0x00000000006C5000-memory.dmp

Filesize
20KB

Download
memory/884-159-0x0000000000000000-mapping.dmp

Download
memory/884-161-0x00000000006B0000-0x00000000006B9000-memory.dmp

Filesize
36KB

Download
memory/884-182-0x00000000006C0000-0x00000000006C5000-memory.dmp

Filesize
20KB

Download
memory/1224-188-0x0000000000150000-0x0000000000158000-memory.dmp

Filesize
32KB

Download
memory/1224-177-0x0000000000000000-mapping.dmp

Download
memory/1224-178-0x0000000000150000-0x0000000000158000-memory.dmp

Filesize
32KB

Download
memory/1224-179-0x0000000000140000-0x000000000014B000-memory.dmp

Filesize
44KB

Download
memory/2168-148-0x0000000000000000-mapping.dmp

Download
memory/2168-150-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/2168-153-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/2168-151-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/2168-149-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/2432-181-0x0000000000ED0000-0x0000000000ED9000-memory.dmp

Filesize
36KB

Download
memory/2432-154-0x0000000000000000-mapping.dmp

Download
memory/2432-157-0x0000000000ED0000-0x0000000000ED9000-memory.dmp

Filesize
36KB

Download
memory/2432-158-0x0000000000EC0000-0x0000000000ECF000-memory.dmp

Filesize
60KB

Download
memory/2812-155-0x0000000000710000-0x0000000000717000-memory.dmp

Filesize
28KB

Download
memory/2812-156-0x0000000000700000-0x000000000070B000-memory.dmp

Filesize
44KB

Download
memory/2812-180-0x0000000000710000-0x0000000000717000-memory.dmp

Filesize
28KB

Download
memory/2812-152-0x0000000000000000-mapping.dmp

Download
memory/3616-136-0x0000000000000000-mapping.dmp

Download
memory/3616-139-0x0000000000750000-0x0000000000758000-memory.dmp

Filesize
32KB

Download
memory/3616-140-0x00007FFE1BDB0000-0x00007FFE1C871000-memory.dmp

Filesize
10.8MB

Download
memory/4552-170-0x00000000012B0000-0x00000000012B9000-memory.dmp

Filesize
36KB

Download
memory/4552-185-0x00000000012C0000-0x00000000012C5000-memory.dmp

Filesize
20KB

Download
memory/4552-168-0x0000000000000000-mapping.dmp

Download
memory/4552-169-0x00000000012C0000-0x00000000012C5000-memory.dmp

Filesize
20KB

Download
memory/4584-165-0x0000000000000000-mapping.dmp

Download
memory/4584-184-0x0000000000680000-0x00000000006A2000-memory.dmp

Filesize
136KB

Download
memory/4584-166-0x0000000000680000-0x00000000006A2000-memory.dmp

Filesize
136KB

Download
memory/4584-167-0x0000000000200000-0x0000000000227000-memory.dmp

Filesize
156KB

Download
memory/4612-174-0x0000000000000000-mapping.dmp

Download
memory/4612-175-0x0000000000180000-0x0000000000187000-memory.dmp

Filesize
28KB

Download
memory/4612-176-0x0000000000170000-0x000000000017D000-memory.dmp

Filesize
52KB

Download
memory/4612-187-0x0000000000180000-0x0000000000187000-memory.dmp

Filesize
28KB

Download
memory/4652-173-0x0000000001050000-0x000000000105B000-memory.dmp

Filesize
44KB

Download
memory/4652-172-0x0000000001060000-0x0000000001066000-memory.dmp

Filesize
24KB

Download
memory/4652-171-0x0000000000000000-mapping.dmp

Download
memory/4652-186-0x0000000001060000-0x0000000001066000-memory.dmp

Filesize
24KB

Download
memory/4840-145-0x0000000000000000-mapping.dmp

Download
memory/4980-141-0x0000000000000000-mapping.dmp

Download
memory/4980-144-0x00007FFE1BDB0000-0x00007FFE1C871000-memory.dmp

Filesize
10.8MB

Download
memory/5100-133-0x0000000002350000-0x0000000002359000-memory.dmp

Filesize
36KB

Download
memory/5100-132-0x00000000008BC000-0x00000000008D1000-memory.dmp

Filesize
84KB

Download
memory/5100-135-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/5100-134-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download