pandastealer | b06b1b4d5a9dddb0d067a38fdf2b3b872d974ce1379c4101ab13aa1a6f143b13

General

Target

26ebf4b16a7b59e42a4bb77818d6fd31.exe
Size

196KB
MD5

26ebf4b16a7b59e42a4bb77818d6fd31
SHA1

3b76faa23a88fa0937eab421e4c8f2c4a8d070f0
SHA256

b06b1b4d5a9dddb0d067a38fdf2b3b872d974ce1379c4101ab13aa1a6f143b13
SHA512

14675781ec3b69d01aafc6fa18d3184b29b3b8c68f90b002f2fe7bfe39f5fdb4fdae7a1fe87c12d10f53c166ea077cb533e997c8d069b67ecb966eda1c97df6a
SSDEEP

3072:dpnVxDLhdvd+kfHkJbWU5TszWKsQ0U99qpz0kDB1sh02qR9wBA:3nVxDLl+Dpf5TYWKsQzbqKkzshALu

Score

10^/10

pandastealer smokeloader backdoor stealer trojan

Malware Config

Signatures

Detects Smokeloader packer 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4804-133-0x0000000000620000-0x0000000000629000-memory.dmp	family_smokeloader

Panda Stealer payload 4 IoCs

Processes:

resource	yara_rule
behavioral2/memory/656-149-0x0000000000400000-0x00000000004A3000-memory.dmp	family_pandastealer
behavioral2/memory/656-150-0x0000000000400000-0x00000000004A3000-memory.dmp	family_pandastealer
behavioral2/memory/656-151-0x0000000000400000-0x00000000004A3000-memory.dmp	family_pandastealer
behavioral2/memory/656-152-0x0000000000400000-0x00000000004A3000-memory.dmp	family_pandastealer

PandaStealer
Panda Stealer is a fork of CollectorProject Stealer written in C++.
stealer pandastealer
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Downloads MZ/PE file
Executes dropped EXE 3 IoCs

Processes:

A587.exeA931.exeAE24.exe

pid process

3176 A587.exe
3460 A931.exe
2960 AE24.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Suspicious use of SetThreadContext 1 IoCs

Processes:

AE24.exe

description pid process target process

PID 2960 set thread context of 656 2960 AE24.exe InstallUtil.exe

pid	process
3176	A587.exe
3460	A931.exe
2960	AE24.exe

description	pid	process	target process
PID 2960 set thread context of 656	2960	AE24.exe	InstallUtil.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

26ebf4b16a7b59e42a4bb77818d6fd31.exe

description	ioc	process
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	26ebf4b16a7b59e42a4bb77818d6fd31.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	26ebf4b16a7b59e42a4bb77818d6fd31.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	26ebf4b16a7b59e42a4bb77818d6fd31.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

26ebf4b16a7b59e42a4bb77818d6fd31.exe

pid	process
4804	26ebf4b16a7b59e42a4bb77818d6fd31.exe
4804	26ebf4b16a7b59e42a4bb77818d6fd31.exe
2520
2520
2520
2520
2520
2520
2520
2520
2520
2520
2520
2520
2520
2520
2520
2520
2520
2520
2520
2520
2520
2520
2520
2520
2520
2520
2520
2520
2520
2520
2520
2520
2520
2520
2520
2520
2520
2520
2520
2520
2520
2520
2520
2520
2520
2520
2520
2520
2520
2520
2520
2520
2520
2520
2520
2520
2520
2520
2520
2520
2520
2520

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

2520
Suspicious behavior: MapViewOfSection 19 IoCs

Processes:

26ebf4b16a7b59e42a4bb77818d6fd31.exe

pid process

4804 26ebf4b16a7b59e42a4bb77818d6fd31.exe
2520
2520
2520
2520
2520
2520
2520
2520
2520
2520
2520
2520
2520
2520
2520
2520
2520
2520

pid	process
2520

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

description	pid	process
Token: SeShutdownPrivilege	2520
Token: SeCreatePagefilePrivilege	2520
Token: SeShutdownPrivilege	2520
Token: SeCreatePagefilePrivilege	2520
Token: SeShutdownPrivilege	2520
Token: SeCreatePagefilePrivilege	2520
Token: SeShutdownPrivilege	2520
Token: SeCreatePagefilePrivilege	2520

Suspicious use of WriteProcessMemory 50 IoCs

Processes:

AE24.exe

description	pid	process	target process
PID 2520 wrote to memory of 3176	2520		A587.exe
PID 2520 wrote to memory of 3176	2520		A587.exe
PID 2520 wrote to memory of 3460	2520		A931.exe
PID 2520 wrote to memory of 3460	2520		A931.exe
PID 2520 wrote to memory of 2960	2520		AE24.exe
PID 2520 wrote to memory of 2960	2520		AE24.exe
PID 2520 wrote to memory of 2960	2520		AE24.exe
PID 2960 wrote to memory of 656	2960	AE24.exe	InstallUtil.exe
PID 2960 wrote to memory of 656	2960	AE24.exe	InstallUtil.exe
PID 2960 wrote to memory of 656	2960	AE24.exe	InstallUtil.exe
PID 2960 wrote to memory of 656	2960	AE24.exe	InstallUtil.exe
PID 2960 wrote to memory of 656	2960	AE24.exe	InstallUtil.exe
PID 2960 wrote to memory of 656	2960	AE24.exe	InstallUtil.exe
PID 2960 wrote to memory of 656	2960	AE24.exe	InstallUtil.exe
PID 2960 wrote to memory of 656	2960	AE24.exe	InstallUtil.exe
PID 2960 wrote to memory of 656	2960	AE24.exe	InstallUtil.exe
PID 2960 wrote to memory of 656	2960	AE24.exe	InstallUtil.exe
PID 2520 wrote to memory of 1152	2520		explorer.exe
PID 2520 wrote to memory of 1152	2520		explorer.exe
PID 2520 wrote to memory of 1152	2520		explorer.exe
PID 2520 wrote to memory of 1152	2520		explorer.exe
PID 2520 wrote to memory of 1708	2520		explorer.exe
PID 2520 wrote to memory of 1708	2520		explorer.exe
PID 2520 wrote to memory of 1708	2520		explorer.exe
PID 2520 wrote to memory of 4192	2520		explorer.exe
PID 2520 wrote to memory of 4192	2520		explorer.exe
PID 2520 wrote to memory of 4192	2520		explorer.exe
PID 2520 wrote to memory of 4192	2520		explorer.exe
PID 2520 wrote to memory of 3256	2520		explorer.exe
PID 2520 wrote to memory of 3256	2520		explorer.exe
PID 2520 wrote to memory of 3256	2520		explorer.exe
PID 2520 wrote to memory of 372	2520		explorer.exe
PID 2520 wrote to memory of 372	2520		explorer.exe
PID 2520 wrote to memory of 372	2520		explorer.exe
PID 2520 wrote to memory of 372	2520		explorer.exe
PID 2520 wrote to memory of 4332	2520		explorer.exe
PID 2520 wrote to memory of 4332	2520		explorer.exe
PID 2520 wrote to memory of 4332	2520		explorer.exe
PID 2520 wrote to memory of 4332	2520		explorer.exe
PID 2520 wrote to memory of 1400	2520		explorer.exe
PID 2520 wrote to memory of 1400	2520		explorer.exe
PID 2520 wrote to memory of 1400	2520		explorer.exe
PID 2520 wrote to memory of 1400	2520		explorer.exe
PID 2520 wrote to memory of 428	2520		explorer.exe
PID 2520 wrote to memory of 428	2520		explorer.exe
PID 2520 wrote to memory of 428	2520		explorer.exe
PID 2520 wrote to memory of 3076	2520		explorer.exe
PID 2520 wrote to memory of 3076	2520		explorer.exe
PID 2520 wrote to memory of 3076	2520		explorer.exe
PID 2520 wrote to memory of 3076	2520		explorer.exe

C:\Users\Admin\AppData\Local\Temp\26ebf4b16a7b59e42a4bb77818d6fd31.exe
"C:\Users\Admin\AppData\Local\Temp\26ebf4b16a7b59e42a4bb77818d6fd31.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:4804

C:\Users\Admin\AppData\Local\Temp\A587.exe
C:\Users\Admin\AppData\Local\Temp\A587.exe
1⤵
- Executes dropped EXE
PID:3176

C:\Users\Admin\AppData\Local\Temp\A931.exe
C:\Users\Admin\AppData\Local\Temp\A931.exe
1⤵
- Executes dropped EXE
PID:3460

C:\Users\Admin\AppData\Local\Temp\AE24.exe
C:\Users\Admin\AppData\Local\Temp\AE24.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2960

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
2⤵
PID:656

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:1152

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:1708

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:4192

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:3256

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:372

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:4332

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:1400

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:428

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:3076

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\A587.exe
Filesize
4KB

MD5
9748489855d9dd82ab09da5e3e55b19e

SHA1
6ed2bf6a1a53a59cd2137812cb43b5032817f6a1

SHA256
05bdd09d934144589f7b90ac4ef6e8d7743c35f551219d98bc7fc933f98a157b

SHA512
7eebbc3e42aad1af304ba38ca0c74e5f2293a630d98d4cfd48957f5f288bcb52cf323421c2b166e3b459450d5ef024167f8729b7b4b66651a34c3c3d4581a2be

Download Submit
C:\Users\Admin\AppData\Local\Temp\A587.exe
Filesize
4KB

MD5
9748489855d9dd82ab09da5e3e55b19e

SHA1
6ed2bf6a1a53a59cd2137812cb43b5032817f6a1

SHA256
05bdd09d934144589f7b90ac4ef6e8d7743c35f551219d98bc7fc933f98a157b

SHA512
7eebbc3e42aad1af304ba38ca0c74e5f2293a630d98d4cfd48957f5f288bcb52cf323421c2b166e3b459450d5ef024167f8729b7b4b66651a34c3c3d4581a2be

Download Submit
C:\Users\Admin\AppData\Local\Temp\A931.exe
Filesize
4KB

MD5
9748489855d9dd82ab09da5e3e55b19e

SHA1
6ed2bf6a1a53a59cd2137812cb43b5032817f6a1

SHA256
05bdd09d934144589f7b90ac4ef6e8d7743c35f551219d98bc7fc933f98a157b

SHA512
7eebbc3e42aad1af304ba38ca0c74e5f2293a630d98d4cfd48957f5f288bcb52cf323421c2b166e3b459450d5ef024167f8729b7b4b66651a34c3c3d4581a2be

Download Submit
C:\Users\Admin\AppData\Local\Temp\A931.exe
Filesize
4KB

MD5
9748489855d9dd82ab09da5e3e55b19e

SHA1
6ed2bf6a1a53a59cd2137812cb43b5032817f6a1

SHA256
05bdd09d934144589f7b90ac4ef6e8d7743c35f551219d98bc7fc933f98a157b

SHA512
7eebbc3e42aad1af304ba38ca0c74e5f2293a630d98d4cfd48957f5f288bcb52cf323421c2b166e3b459450d5ef024167f8729b7b4b66651a34c3c3d4581a2be

Download Submit
C:\Users\Admin\AppData\Local\Temp\AE24.exe
Filesize
1.0MB

MD5
a47863a63a1fc5ed2ff15ec362212778

SHA1
6e28be0dc0a3fc248ce4d04856705fce9c23b977

SHA256
f25844c12c72e3f984cc6afef123e01d7b2ab1d1955f1408fd86f8403a79c570

SHA512
9f056168558cf37ac10d5fea9e86dd9bc09ae7ce3f158c7f66f5f6c63b461b88f10a5917d99cfad3b0d6f98e8b4657a558f2e28240a70d7e19bfd94d3244ae22

Download Submit
C:\Users\Admin\AppData\Local\Temp\AE24.exe
Filesize
1.0MB

MD5
a47863a63a1fc5ed2ff15ec362212778

SHA1
6e28be0dc0a3fc248ce4d04856705fce9c23b977

SHA256
f25844c12c72e3f984cc6afef123e01d7b2ab1d1955f1408fd86f8403a79c570

SHA512
9f056168558cf37ac10d5fea9e86dd9bc09ae7ce3f158c7f66f5f6c63b461b88f10a5917d99cfad3b0d6f98e8b4657a558f2e28240a70d7e19bfd94d3244ae22

Download Submit
memory/372-184-0x0000000000DC0000-0x0000000000DE2000-memory.dmp

Filesize
136KB

Download
memory/372-167-0x0000000000D90000-0x0000000000DB7000-memory.dmp

Filesize
156KB

Download
memory/372-166-0x0000000000DC0000-0x0000000000DE2000-memory.dmp

Filesize
136KB

Download
memory/372-165-0x0000000000000000-mapping.dmp

Download
memory/428-176-0x0000000000F20000-0x0000000000F2D000-memory.dmp

Filesize
52KB

Download
memory/428-187-0x0000000000F30000-0x0000000000F37000-memory.dmp

Filesize
28KB

Download
memory/428-175-0x0000000000F30000-0x0000000000F37000-memory.dmp

Filesize
28KB

Download
memory/428-174-0x0000000000000000-mapping.dmp

Download
memory/656-151-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/656-152-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/656-148-0x0000000000000000-mapping.dmp

Download
memory/656-149-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/656-150-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/1152-154-0x0000000000ED0000-0x0000000000ED7000-memory.dmp

Filesize
28KB

Download
memory/1152-153-0x0000000000000000-mapping.dmp

Download
memory/1152-156-0x0000000000EC0000-0x0000000000ECB000-memory.dmp

Filesize
44KB

Download
memory/1152-180-0x0000000000ED0000-0x0000000000ED7000-memory.dmp

Filesize
28KB

Download
memory/1400-171-0x0000000000000000-mapping.dmp

Download
memory/1400-172-0x00000000016A0000-0x00000000016A6000-memory.dmp

Filesize
24KB

Download
memory/1400-173-0x0000000001690000-0x000000000169B000-memory.dmp

Filesize
44KB

Download
memory/1400-186-0x00000000016A0000-0x00000000016A6000-memory.dmp

Filesize
24KB

Download
memory/1708-181-0x00000000010D0000-0x00000000010D9000-memory.dmp

Filesize
36KB

Download
memory/1708-159-0x00000000010C0000-0x00000000010CF000-memory.dmp

Filesize
60KB

Download
memory/1708-158-0x00000000010D0000-0x00000000010D9000-memory.dmp

Filesize
36KB

Download
memory/1708-155-0x0000000000000000-mapping.dmp

Download
memory/2960-145-0x0000000000000000-mapping.dmp

Download
memory/3076-179-0x0000000000E60000-0x0000000000E6B000-memory.dmp

Filesize
44KB

Download
memory/3076-178-0x0000000000E70000-0x0000000000E78000-memory.dmp

Filesize
32KB

Download
memory/3076-177-0x0000000000000000-mapping.dmp

Download
memory/3076-188-0x0000000000E70000-0x0000000000E78000-memory.dmp

Filesize
32KB

Download
memory/3176-139-0x0000000000240000-0x0000000000248000-memory.dmp

Filesize
32KB

Download
memory/3176-136-0x0000000000000000-mapping.dmp

Download
memory/3176-140-0x00007FF82EF80000-0x00007FF82FA41000-memory.dmp

Filesize
10.8MB

Download
memory/3256-161-0x0000000000000000-mapping.dmp

Download
memory/3256-164-0x00000000003D0000-0x00000000003DC000-memory.dmp

Filesize
48KB

Download
memory/3256-183-0x00000000003E0000-0x00000000003E6000-memory.dmp

Filesize
24KB

Download
memory/3256-163-0x00000000003E0000-0x00000000003E6000-memory.dmp

Filesize
24KB

Download
memory/3460-141-0x0000000000000000-mapping.dmp

Download
memory/3460-144-0x00007FF82EF80000-0x00007FF82FA41000-memory.dmp

Filesize
10.8MB

Download
memory/4192-162-0x0000000000720000-0x0000000000725000-memory.dmp

Filesize
20KB

Download
memory/4192-160-0x0000000000710000-0x0000000000719000-memory.dmp

Filesize
36KB

Download
memory/4192-182-0x0000000000720000-0x0000000000725000-memory.dmp

Filesize
20KB

Download
memory/4192-157-0x0000000000000000-mapping.dmp

Download
memory/4332-170-0x00000000004A0000-0x00000000004A9000-memory.dmp

Filesize
36KB

Download
memory/4332-185-0x00000000004B0000-0x00000000004B5000-memory.dmp

Filesize
20KB

Download
memory/4332-168-0x0000000000000000-mapping.dmp

Download
memory/4332-169-0x00000000004B0000-0x00000000004B5000-memory.dmp

Filesize
20KB

Download
memory/4804-134-0x0000000000400000-0x0000000000562000-memory.dmp

Filesize
1.4MB

Download
memory/4804-133-0x0000000000620000-0x0000000000629000-memory.dmp

Filesize
36KB

Download
memory/4804-135-0x0000000000400000-0x0000000000562000-memory.dmp

Filesize
1.4MB

Download
memory/4804-132-0x000000000083C000-0x0000000000851000-memory.dmp

Filesize
84KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads