pandastealer | 433acf938a74ef9ab5f556679a00963e2d67dc4921281192f6a4d9de485270ae

General

Target

0x000500000000073b-142.exe
Size

829KB
MD5

d7ecaa18abc939e94eb7b751e14c2b2d
SHA1

40b6d5eff1347182fcc22ff9a8982282432786bd
SHA256

433acf938a74ef9ab5f556679a00963e2d67dc4921281192f6a4d9de485270ae
SHA512

15c1cf8195f5d715af1958754fd06693472a649657484bf68198d41dc4931ef48c1c6d092d3bf2dbca68541933b5151fc9b13970d3930b7d2d868d0aaf046f2e
SSDEEP

24576:woJEKZ6IEGTMxapRl2PSwHTehy6BP+pXSh0vpB:wouKZ6iMqRl2PSwzehy6cpXSh0vpB

Score

10^/10

pandastealer spyware stealer

Malware Config

Extracted

Family

pandastealer

Version

1.11

C2

http://thisisgenk.temp.swtest.ru

Extracted

Family

pandastealer

Version

��H

C2

http://�H

Signatures

Panda Stealer payload 4 IoCs

resource	yara_rule
behavioral2/files/0x00280000000227b5-137.dat	family_pandastealer
behavioral2/files/0x00280000000227b5-141.dat	family_pandastealer
behavioral2/files/0x00280000000227b5-139.dat	family_pandastealer
behavioral2/memory/4024-152-0x0000000000400000-0x00000000004D7000-memory.dmp	family_pandastealer

PandaStealer
Panda Stealer is a fork of CollectorProject Stealer written in C++.
stealer pandastealer

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation	0x000500000000073b-142.exe

Executes dropped EXE 2 IoCs

pid	Process
464	build.exe
3392	Kurome.Builder.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1328	3392	WerFault.exe	88

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
464	build.exe
464	build.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3392	Kurome.Builder.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4024 wrote to memory of 464	4024	0x000500000000073b-142.exe	87
PID 4024 wrote to memory of 464	4024	0x000500000000073b-142.exe	87
PID 4024 wrote to memory of 464	4024	0x000500000000073b-142.exe	87
PID 4024 wrote to memory of 3392	4024	0x000500000000073b-142.exe	88
PID 4024 wrote to memory of 3392	4024	0x000500000000073b-142.exe	88
PID 4024 wrote to memory of 3392	4024	0x000500000000073b-142.exe	88

C:\Users\Admin\AppData\Local\Temp\0x000500000000073b-142.exe
"C:\Users\Admin\AppData\Local\Temp\0x000500000000073b-142.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4024
- C:\Users\Admin\AppData\Local\Temp\build.exe
  "C:\Users\Admin\AppData\Local\Temp\build.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:464
- C:\Users\Admin\AppData\Local\Temp\Kurome.Builder.exe
  "C:\Users\Admin\AppData\Local\Temp\Kurome.Builder.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:3392
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3392 -s 1124
    3⤵
    - Program crash
    PID:1328

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3392 -ip 3392
1⤵
PID:1620

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Kurome.Builder.exe

Filesize
137KB

MD5
cf38a4bde3fe5456dcaf2b28d3bfb709

SHA1
711518af5fa13f921f3273935510627280730543

SHA256
c47b78e566425fc4165a83b2661313e41ee8d66241f7bea7723304a6a751595e

SHA512
3302b270ee028868ff877fa291c51e6c8b12478e7d873ddb9009bb68b55bd3a08a2756619b4415a76a5b4167abd7c7c3b9cc9f44c32a29225ff0fc2f94a1a4cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Kurome.Builder.exe

Filesize
137KB

MD5
cf38a4bde3fe5456dcaf2b28d3bfb709

SHA1
711518af5fa13f921f3273935510627280730543

SHA256
c47b78e566425fc4165a83b2661313e41ee8d66241f7bea7723304a6a751595e

SHA512
3302b270ee028868ff877fa291c51e6c8b12478e7d873ddb9009bb68b55bd3a08a2756619b4415a76a5b4167abd7c7c3b9cc9f44c32a29225ff0fc2f94a1a4cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Kurome.Builder.exe

Filesize
137KB

MD5
cf38a4bde3fe5456dcaf2b28d3bfb709

SHA1
711518af5fa13f921f3273935510627280730543

SHA256
c47b78e566425fc4165a83b2661313e41ee8d66241f7bea7723304a6a751595e

SHA512
3302b270ee028868ff877fa291c51e6c8b12478e7d873ddb9009bb68b55bd3a08a2756619b4415a76a5b4167abd7c7c3b9cc9f44c32a29225ff0fc2f94a1a4cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\build.exe

Filesize
681KB

MD5
43aa2880830859585b3c6a15e915b8db

SHA1
6780b3f4d54a43b22223629e14c676addb3ac400

SHA256
378f2b1055dd7f1a150e0d86889b9bd3336225e38fc3c8cafb390ebf347ad46d

SHA512
6d35bd792aefe5c1b42caae9e50ed66967a74bb476985e17d3a5bc8d6b87111b7bb1af56cb216bff24f056da33bc14c4bddc81fabbfa07d569bab98ec679289d

Download Submit
C:\Users\Admin\AppData\Local\Temp\build.exe

Filesize
681KB

MD5
43aa2880830859585b3c6a15e915b8db

SHA1
6780b3f4d54a43b22223629e14c676addb3ac400

SHA256
378f2b1055dd7f1a150e0d86889b9bd3336225e38fc3c8cafb390ebf347ad46d

SHA512
6d35bd792aefe5c1b42caae9e50ed66967a74bb476985e17d3a5bc8d6b87111b7bb1af56cb216bff24f056da33bc14c4bddc81fabbfa07d569bab98ec679289d

Download Submit
C:\Users\Admin\AppData\Local\Temp\build.exe

Filesize
681KB

MD5
43aa2880830859585b3c6a15e915b8db

SHA1
6780b3f4d54a43b22223629e14c676addb3ac400

SHA256
378f2b1055dd7f1a150e0d86889b9bd3336225e38fc3c8cafb390ebf347ad46d

SHA512
6d35bd792aefe5c1b42caae9e50ed66967a74bb476985e17d3a5bc8d6b87111b7bb1af56cb216bff24f056da33bc14c4bddc81fabbfa07d569bab98ec679289d

Download Submit
memory/3392-172-0x0000000000B80000-0x0000000000BA8000-memory.dmp

Filesize
160KB

Download
memory/3392-175-0x0000000005D10000-0x00000000062B4000-memory.dmp

Filesize
5.6MB

Download
memory/3392-176-0x00000000055E0000-0x0000000005672000-memory.dmp

Filesize
584KB

Download
memory/3392-177-0x0000000005750000-0x0000000005760000-memory.dmp

Filesize
64KB

Download
memory/3392-180-0x0000000005490000-0x0000000005491000-memory.dmp

Filesize
4KB

Download
memory/3392-183-0x00000000055C0000-0x00000000055CA000-memory.dmp

Filesize
40KB

Download
memory/4024-152-0x0000000000400000-0x00000000004D7000-memory.dmp

Filesize
860KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads