pandastealer | 1deff3018628c28bea0312b3e126a2138a934edec119134e3a6cca7bb0aefa5e

Resubmissions

27-02-2023 17:20

230227-vww2dseg95 10

27-02-2023 17:14

230227-vrzlqaee6t 10

Analysis

max time kernel
142s
max time network
33s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
27-02-2023 17:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

000165.exe
Size

1.9MB
MD5

ba7115a88a1f3f2abcbcbb40e9093505
SHA1

57b57c3b158055925979b7154326a1b8ecda03f4
SHA256

1deff3018628c28bea0312b3e126a2138a934edec119134e3a6cca7bb0aefa5e
SHA512

3d2d9cf68dea8bb4e5234b396f6e9e67e79cbd196ce640cb936a8a415c9b37cae9e9989f4b272b295f47fd65a32d92423e63abe30045bc12885db0ba249e4330
SSDEEP

49152:ABRAIJEM7Y4c8qOwlYb6pJL89eHWQQPlZlJ7:aLh73EmbKp89KhClZ/

Score

10^/10

pandastealer stealer

Malware Config

Signatures

Panda Stealer payload 16 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1748-91-0x00000000000B0000-0x00000000004BA000-memory.dmp	family_pandastealer
behavioral1/memory/1748-92-0x00000000000B0000-0x00000000004BA000-memory.dmp	family_pandastealer
behavioral1/memory/1748-93-0x00000000000B0000-0x00000000004BA000-memory.dmp	family_pandastealer
behavioral1/memory/1748-94-0x00000000000B0000-0x00000000004BA000-memory.dmp	family_pandastealer
behavioral1/memory/1748-95-0x00000000000B0000-0x00000000004BA000-memory.dmp	family_pandastealer
behavioral1/memory/1748-96-0x00000000000B0000-0x00000000004BA000-memory.dmp	family_pandastealer
behavioral1/memory/1748-97-0x00000000000B0000-0x00000000004BA000-memory.dmp	family_pandastealer
behavioral1/memory/1748-98-0x00000000000B0000-0x00000000004BA000-memory.dmp	family_pandastealer
behavioral1/memory/1748-99-0x00000000000B0000-0x00000000004BA000-memory.dmp	family_pandastealer
behavioral1/memory/1748-100-0x00000000000B0000-0x00000000004BA000-memory.dmp	family_pandastealer
behavioral1/memory/1748-101-0x00000000000B0000-0x00000000004BA000-memory.dmp	family_pandastealer
behavioral1/memory/1748-102-0x00000000000B0000-0x00000000004BA000-memory.dmp	family_pandastealer
behavioral1/memory/1748-103-0x00000000000B0000-0x00000000004BA000-memory.dmp	family_pandastealer
behavioral1/memory/1748-104-0x00000000000B0000-0x00000000004BA000-memory.dmp	family_pandastealer
behavioral1/memory/1748-105-0x00000000000B0000-0x00000000004BA000-memory.dmp	family_pandastealer
behavioral1/memory/1748-106-0x00000000000B0000-0x00000000004BA000-memory.dmp	family_pandastealer

PandaStealer
Panda Stealer is a fork of CollectorProject Stealer written in C++.
stealer pandastealer
Executes dropped EXE 2 IoCs

Processes:

work.exedwarg.exe

pid process

460 work.exe
1748 dwarg.exe
Loads dropped DLL 4 IoCs

Processes:

cmd.exework.exe

pid process

1312 cmd.exe
460 work.exe
460 work.exe
460 work.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 10 IoCs

Processes:

dwarg.exe

pid process

1748 dwarg.exe
1748 dwarg.exe
1748 dwarg.exe
1748 dwarg.exe
1748 dwarg.exe
1748 dwarg.exe
1748 dwarg.exe
1748 dwarg.exe
1748 dwarg.exe
1748 dwarg.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

dwarg.exe

pid process

1748 dwarg.exe

pid	process
460	work.exe
1748	dwarg.exe

pid	process
1312	cmd.exe
460	work.exe
460	work.exe
460	work.exe

pid	process
1748	dwarg.exe
1748	dwarg.exe
1748	dwarg.exe
1748	dwarg.exe
1748	dwarg.exe
1748	dwarg.exe
1748	dwarg.exe
1748	dwarg.exe
1748	dwarg.exe
1748	dwarg.exe

pid	process
1748	dwarg.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

000165.execmd.exework.exe

description	pid	process	target process
PID 1308 wrote to memory of 1312	1308	000165.exe	cmd.exe
PID 1308 wrote to memory of 1312	1308	000165.exe	cmd.exe
PID 1308 wrote to memory of 1312	1308	000165.exe	cmd.exe
PID 1308 wrote to memory of 1312	1308	000165.exe	cmd.exe
PID 1312 wrote to memory of 460	1312	cmd.exe	work.exe
PID 1312 wrote to memory of 460	1312	cmd.exe	work.exe
PID 1312 wrote to memory of 460	1312	cmd.exe	work.exe
PID 1312 wrote to memory of 460	1312	cmd.exe	work.exe
PID 460 wrote to memory of 1748	460	work.exe	dwarg.exe
PID 460 wrote to memory of 1748	460	work.exe	dwarg.exe
PID 460 wrote to memory of 1748	460	work.exe	dwarg.exe
PID 460 wrote to memory of 1748	460	work.exe	dwarg.exe

C:\Users\Admin\AppData\Local\Temp\000165.exe
"C:\Users\Admin\AppData\Local\Temp\000165.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1308

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.bat" "
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1312

C:\Users\Admin\AppData\Local\Temp\RarSFX0\work.exe
work.exe -priverdD
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:460

C:\Users\Admin\AppData\Local\Temp\RarSFX1\dwarg.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX1\dwarg.exe"
4⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
PID:1748

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.bat
Filesize
35B

MD5
ff59d999beb970447667695ce3273f75

SHA1
316fa09f467ba90ac34a054daf2e92e6e2854ff8

SHA256
065d2b17ad499587dc9de7ee9ecda4938b45da1df388bc72e6627dff220f64d2

SHA512
d5ac72cb065a3cd3cb118a69a2f356314eeed24dcb4880751e1a3683895e66cedc62607967e29f77a0c27adf1c9fe0efd86e804f693f0a63a5b51b0bf0056b5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.bat
Filesize
35B

MD5
ff59d999beb970447667695ce3273f75

SHA1
316fa09f467ba90ac34a054daf2e92e6e2854ff8

SHA256
065d2b17ad499587dc9de7ee9ecda4938b45da1df388bc72e6627dff220f64d2

SHA512
d5ac72cb065a3cd3cb118a69a2f356314eeed24dcb4880751e1a3683895e66cedc62607967e29f77a0c27adf1c9fe0efd86e804f693f0a63a5b51b0bf0056b5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\work.exe
Filesize
1.7MB

MD5
16ae950fa8755ba3792c3c2a9acd1f01

SHA1
a9c6563a0ed440cda17f3c7db420cd27b3fcab5b

SHA256
b5166ba06d9d93c73efeaadde520001bbe3cc6fad56b9c1cdfb1303609cafb6f

SHA512
3e032d82e07e1fca62ef6ee6292295761ccd2066f44c2e43e73237e4c3492ecdb919e277f5d8e84d0d25fd7bbe25e0af20bcb4b89f0bc588b08a704fbefec8bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\work.exe
Filesize
1.7MB

MD5
16ae950fa8755ba3792c3c2a9acd1f01

SHA1
a9c6563a0ed440cda17f3c7db420cd27b3fcab5b

SHA256
b5166ba06d9d93c73efeaadde520001bbe3cc6fad56b9c1cdfb1303609cafb6f

SHA512
3e032d82e07e1fca62ef6ee6292295761ccd2066f44c2e43e73237e4c3492ecdb919e277f5d8e84d0d25fd7bbe25e0af20bcb4b89f0bc588b08a704fbefec8bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\dwarg.exe
Filesize
1.4MB

MD5
18f763a122078328f748e6865f813967

SHA1
839c148beb6a144330d3690a1831cee004a64b2b

SHA256
e438b9bde4c5d29c463a697ebcf0480bd69fe775c11ebe38628262e6e0520b9d

SHA512
fdb9728af46f057dfc181471ce8e586f3afa0f3e85ed7512f06f3982e3789399b377aee3e23dfc0cae5f3e82b13350f5ae024231540d5b26ff0b25ae4ca52fbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\dwarg.exe
Filesize
1.4MB

MD5
18f763a122078328f748e6865f813967

SHA1
839c148beb6a144330d3690a1831cee004a64b2b

SHA256
e438b9bde4c5d29c463a697ebcf0480bd69fe775c11ebe38628262e6e0520b9d

SHA512
fdb9728af46f057dfc181471ce8e586f3afa0f3e85ed7512f06f3982e3789399b377aee3e23dfc0cae5f3e82b13350f5ae024231540d5b26ff0b25ae4ca52fbe

Download Submit
\??\c:\users\admin\appdata\local\temp\rarsfx1\dwarg.exe
Filesize
1.4MB

MD5
18f763a122078328f748e6865f813967

SHA1
839c148beb6a144330d3690a1831cee004a64b2b

SHA256
e438b9bde4c5d29c463a697ebcf0480bd69fe775c11ebe38628262e6e0520b9d

SHA512
fdb9728af46f057dfc181471ce8e586f3afa0f3e85ed7512f06f3982e3789399b377aee3e23dfc0cae5f3e82b13350f5ae024231540d5b26ff0b25ae4ca52fbe

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\work.exe
Filesize
1.7MB

MD5
16ae950fa8755ba3792c3c2a9acd1f01

SHA1
a9c6563a0ed440cda17f3c7db420cd27b3fcab5b

SHA256
b5166ba06d9d93c73efeaadde520001bbe3cc6fad56b9c1cdfb1303609cafb6f

SHA512
3e032d82e07e1fca62ef6ee6292295761ccd2066f44c2e43e73237e4c3492ecdb919e277f5d8e84d0d25fd7bbe25e0af20bcb4b89f0bc588b08a704fbefec8bd

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX1\dwarg.exe
Filesize
1.4MB

MD5
18f763a122078328f748e6865f813967

SHA1
839c148beb6a144330d3690a1831cee004a64b2b

SHA256
e438b9bde4c5d29c463a697ebcf0480bd69fe775c11ebe38628262e6e0520b9d

SHA512
fdb9728af46f057dfc181471ce8e586f3afa0f3e85ed7512f06f3982e3789399b377aee3e23dfc0cae5f3e82b13350f5ae024231540d5b26ff0b25ae4ca52fbe

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX1\dwarg.exe
Filesize
1.4MB

MD5
18f763a122078328f748e6865f813967

SHA1
839c148beb6a144330d3690a1831cee004a64b2b

SHA256
e438b9bde4c5d29c463a697ebcf0480bd69fe775c11ebe38628262e6e0520b9d

SHA512
fdb9728af46f057dfc181471ce8e586f3afa0f3e85ed7512f06f3982e3789399b377aee3e23dfc0cae5f3e82b13350f5ae024231540d5b26ff0b25ae4ca52fbe

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX1\dwarg.exe
Filesize
1.4MB

MD5
18f763a122078328f748e6865f813967

SHA1
839c148beb6a144330d3690a1831cee004a64b2b

SHA256
e438b9bde4c5d29c463a697ebcf0480bd69fe775c11ebe38628262e6e0520b9d

SHA512
fdb9728af46f057dfc181471ce8e586f3afa0f3e85ed7512f06f3982e3789399b377aee3e23dfc0cae5f3e82b13350f5ae024231540d5b26ff0b25ae4ca52fbe

Download Submit
memory/460-90-0x0000000003660000-0x0000000003A6A000-memory.dmp

Filesize
4.0MB

Download
memory/1748-92-0x00000000000B0000-0x00000000004BA000-memory.dmp

Filesize
4.0MB

Download
memory/1748-99-0x00000000000B0000-0x00000000004BA000-memory.dmp

Filesize
4.0MB

Download
memory/1748-88-0x00000000000B0000-0x00000000004BA000-memory.dmp

Filesize
4.0MB

Download
memory/1748-93-0x00000000000B0000-0x00000000004BA000-memory.dmp

Filesize
4.0MB

Download
memory/1748-94-0x00000000000B0000-0x00000000004BA000-memory.dmp

Filesize
4.0MB

Download
memory/1748-95-0x00000000000B0000-0x00000000004BA000-memory.dmp

Filesize
4.0MB

Download
memory/1748-96-0x00000000000B0000-0x00000000004BA000-memory.dmp

Filesize
4.0MB

Download
memory/1748-97-0x00000000000B0000-0x00000000004BA000-memory.dmp

Filesize
4.0MB

Download
memory/1748-98-0x00000000000B0000-0x00000000004BA000-memory.dmp

Filesize
4.0MB

Download
memory/1748-91-0x00000000000B0000-0x00000000004BA000-memory.dmp

Filesize
4.0MB

Download
memory/1748-100-0x00000000000B0000-0x00000000004BA000-memory.dmp

Filesize
4.0MB

Download
memory/1748-101-0x00000000000B0000-0x00000000004BA000-memory.dmp

Filesize
4.0MB

Download
memory/1748-102-0x00000000000B0000-0x00000000004BA000-memory.dmp

Filesize
4.0MB

Download
memory/1748-103-0x00000000000B0000-0x00000000004BA000-memory.dmp

Filesize
4.0MB

Download
memory/1748-104-0x00000000000B0000-0x00000000004BA000-memory.dmp

Filesize
4.0MB

Download
memory/1748-105-0x00000000000B0000-0x00000000004BA000-memory.dmp

Filesize
4.0MB

Download
memory/1748-106-0x00000000000B0000-0x00000000004BA000-memory.dmp

Filesize
4.0MB

Download