pandastealer | 1deff3018628c28bea0312b3e126a2138a934edec119134e3a6cca7bb0aefa5e

General

Target

000165.exe
Size

1.9MB
MD5

ba7115a88a1f3f2abcbcbb40e9093505
SHA1

57b57c3b158055925979b7154326a1b8ecda03f4
SHA256

1deff3018628c28bea0312b3e126a2138a934edec119134e3a6cca7bb0aefa5e
SHA512

3d2d9cf68dea8bb4e5234b396f6e9e67e79cbd196ce640cb936a8a415c9b37cae9e9989f4b272b295f47fd65a32d92423e63abe30045bc12885db0ba249e4330
SSDEEP

49152:ABRAIJEM7Y4c8qOwlYb6pJL89eHWQQPlZlJ7:aLh73EmbKp89KhClZ/

Score

10^/10

Malware Config

Signatures

Panda Stealer payload 15 IoCs

resource	yara_rule
behavioral2/memory/856-153-0x0000000000250000-0x000000000065A000-memory.dmp	family_pandastealer
behavioral2/memory/856-154-0x0000000000250000-0x000000000065A000-memory.dmp	family_pandastealer
behavioral2/memory/856-155-0x0000000000250000-0x000000000065A000-memory.dmp	family_pandastealer
behavioral2/memory/856-156-0x0000000000250000-0x000000000065A000-memory.dmp	family_pandastealer
behavioral2/memory/856-157-0x0000000000250000-0x000000000065A000-memory.dmp	family_pandastealer
behavioral2/memory/856-158-0x0000000000250000-0x000000000065A000-memory.dmp	family_pandastealer
behavioral2/memory/856-159-0x0000000000250000-0x000000000065A000-memory.dmp	family_pandastealer
behavioral2/memory/856-160-0x0000000000250000-0x000000000065A000-memory.dmp	family_pandastealer
behavioral2/memory/856-161-0x0000000000250000-0x000000000065A000-memory.dmp	family_pandastealer
behavioral2/memory/856-162-0x0000000000250000-0x000000000065A000-memory.dmp	family_pandastealer
behavioral2/memory/856-163-0x0000000000250000-0x000000000065A000-memory.dmp	family_pandastealer
behavioral2/memory/856-164-0x0000000000250000-0x000000000065A000-memory.dmp	family_pandastealer
behavioral2/memory/856-165-0x0000000000250000-0x000000000065A000-memory.dmp	family_pandastealer
behavioral2/memory/856-166-0x0000000000250000-0x000000000065A000-memory.dmp	family_pandastealer
behavioral2/memory/856-167-0x0000000000250000-0x000000000065A000-memory.dmp	family_pandastealer

PandaStealer
Panda Stealer is a fork of CollectorProject Stealer written in C++.
stealer pandastealer

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation	000165.exe
Key value queried	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation	work.exe

Executes dropped EXE 2 IoCs

pid	Process
412	work.exe
856	dwarg.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 15 IoCs

pid	Process
856	dwarg.exe
856	dwarg.exe
856	dwarg.exe
856	dwarg.exe
856	dwarg.exe
856	dwarg.exe
856	dwarg.exe
856	dwarg.exe
856	dwarg.exe
856	dwarg.exe
856	dwarg.exe
856	dwarg.exe
856	dwarg.exe
856	dwarg.exe
856	dwarg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
856	dwarg.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2956 wrote to memory of 2240	2956	000165.exe	84
PID 2956 wrote to memory of 2240	2956	000165.exe	84
PID 2956 wrote to memory of 2240	2956	000165.exe	84
PID 2240 wrote to memory of 412	2240	cmd.exe	88
PID 2240 wrote to memory of 412	2240	cmd.exe	88
PID 2240 wrote to memory of 412	2240	cmd.exe	88
PID 412 wrote to memory of 856	412	work.exe	89
PID 412 wrote to memory of 856	412	work.exe	89
PID 412 wrote to memory of 856	412	work.exe	89

C:\Users\Admin\AppData\Local\Temp\000165.exe
"C:\Users\Admin\AppData\Local\Temp\000165.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2956
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2240
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\work.exe
    work.exe -priverdD
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:412
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX1\dwarg.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX1\dwarg.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious use of SetWindowsHookEx
      PID:856

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.bat

Filesize
35B

MD5
ff59d999beb970447667695ce3273f75

SHA1
316fa09f467ba90ac34a054daf2e92e6e2854ff8

SHA256
065d2b17ad499587dc9de7ee9ecda4938b45da1df388bc72e6627dff220f64d2

SHA512
d5ac72cb065a3cd3cb118a69a2f356314eeed24dcb4880751e1a3683895e66cedc62607967e29f77a0c27adf1c9fe0efd86e804f693f0a63a5b51b0bf0056b5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\work.exe

Filesize
1.7MB

MD5
16ae950fa8755ba3792c3c2a9acd1f01

SHA1
a9c6563a0ed440cda17f3c7db420cd27b3fcab5b

SHA256
b5166ba06d9d93c73efeaadde520001bbe3cc6fad56b9c1cdfb1303609cafb6f

SHA512
3e032d82e07e1fca62ef6ee6292295761ccd2066f44c2e43e73237e4c3492ecdb919e277f5d8e84d0d25fd7bbe25e0af20bcb4b89f0bc588b08a704fbefec8bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\work.exe

Filesize
1.7MB

MD5
16ae950fa8755ba3792c3c2a9acd1f01

SHA1
a9c6563a0ed440cda17f3c7db420cd27b3fcab5b

SHA256
b5166ba06d9d93c73efeaadde520001bbe3cc6fad56b9c1cdfb1303609cafb6f

SHA512
3e032d82e07e1fca62ef6ee6292295761ccd2066f44c2e43e73237e4c3492ecdb919e277f5d8e84d0d25fd7bbe25e0af20bcb4b89f0bc588b08a704fbefec8bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\dwarg.exe

Filesize
1.4MB

MD5
18f763a122078328f748e6865f813967

SHA1
839c148beb6a144330d3690a1831cee004a64b2b

SHA256
e438b9bde4c5d29c463a697ebcf0480bd69fe775c11ebe38628262e6e0520b9d

SHA512
fdb9728af46f057dfc181471ce8e586f3afa0f3e85ed7512f06f3982e3789399b377aee3e23dfc0cae5f3e82b13350f5ae024231540d5b26ff0b25ae4ca52fbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\dwarg.exe

Filesize
1.4MB

MD5
18f763a122078328f748e6865f813967

SHA1
839c148beb6a144330d3690a1831cee004a64b2b

SHA256
e438b9bde4c5d29c463a697ebcf0480bd69fe775c11ebe38628262e6e0520b9d

SHA512
fdb9728af46f057dfc181471ce8e586f3afa0f3e85ed7512f06f3982e3789399b377aee3e23dfc0cae5f3e82b13350f5ae024231540d5b26ff0b25ae4ca52fbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\dwarg.exe

Filesize
1.4MB

MD5
18f763a122078328f748e6865f813967

SHA1
839c148beb6a144330d3690a1831cee004a64b2b

SHA256
e438b9bde4c5d29c463a697ebcf0480bd69fe775c11ebe38628262e6e0520b9d

SHA512
fdb9728af46f057dfc181471ce8e586f3afa0f3e85ed7512f06f3982e3789399b377aee3e23dfc0cae5f3e82b13350f5ae024231540d5b26ff0b25ae4ca52fbe

Download Submit
memory/856-152-0x0000000000250000-0x000000000065A000-memory.dmp

Filesize
4.0MB

Download
memory/856-153-0x0000000000250000-0x000000000065A000-memory.dmp

Filesize
4.0MB

Download
memory/856-154-0x0000000000250000-0x000000000065A000-memory.dmp

Filesize
4.0MB

Download
memory/856-155-0x0000000000250000-0x000000000065A000-memory.dmp

Filesize
4.0MB

Download
memory/856-156-0x0000000000250000-0x000000000065A000-memory.dmp

Filesize
4.0MB

Download
memory/856-157-0x0000000000250000-0x000000000065A000-memory.dmp

Filesize
4.0MB

Download
memory/856-158-0x0000000000250000-0x000000000065A000-memory.dmp

Filesize
4.0MB

Download
memory/856-159-0x0000000000250000-0x000000000065A000-memory.dmp

Filesize
4.0MB

Download
memory/856-160-0x0000000000250000-0x000000000065A000-memory.dmp

Filesize
4.0MB

Download
memory/856-161-0x0000000000250000-0x000000000065A000-memory.dmp

Filesize
4.0MB

Download
memory/856-162-0x0000000000250000-0x000000000065A000-memory.dmp

Filesize
4.0MB

Download
memory/856-163-0x0000000000250000-0x000000000065A000-memory.dmp

Filesize
4.0MB

Download
memory/856-164-0x0000000000250000-0x000000000065A000-memory.dmp

Filesize
4.0MB

Download
memory/856-165-0x0000000000250000-0x000000000065A000-memory.dmp

Filesize
4.0MB

Download
memory/856-166-0x0000000000250000-0x000000000065A000-memory.dmp

Filesize
4.0MB

Download
memory/856-167-0x0000000000250000-0x000000000065A000-memory.dmp

Filesize
4.0MB

Download

Resubmissions

Analysis

Sharing