pandastealer | 453439bd8846f46fb97b11c9274739b90e8417e2d4d64b394e435160257ebf0d

Analysis

max time kernel
26s
max time network
30s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
08-05-2023 12:38

Target

Photo route.exe
Size

1.6MB
MD5

ca6e7bc100769e0b2c57226254963480
SHA1

6a49e68fe527ea932bdf0cfb44d05dce505e57ad
SHA256

c595e256f31458c264160ac18e45e87d666b07f372b4559882be138cb2438e77
SHA512

4691ff07af4158000da6d24ac7018ece1f5c35609a20678ff57048a34b2d71ad5a1bdaec3898164ae9d31d81bbfe8e4f943f97b65ba78bdd2df4f2f48658d9fa
SSDEEP

24576:GnifyThjAjUO1V/sIPgF6DFvBzDnvJCkF8AnFhYWA:UifyThjKt7yUhtxCo8AgWA

Score

10^/10

Panda Stealer payload 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1160-54-0x0000000000400000-0x00000000004A3000-memory.dmp	family_pandastealer
behavioral1/memory/1160-56-0x0000000000400000-0x00000000004A3000-memory.dmp	family_pandastealer
behavioral1/memory/1160-57-0x0000000000400000-0x00000000004A3000-memory.dmp	family_pandastealer

PandaStealer
Panda Stealer is a fork of CollectorProject Stealer written in C++.
stealer pandastealer
Suspicious use of SetThreadContext 1 IoCs

Processes:

Photo route.exe

description pid process target process

PID 920 set thread context of 1160 920 Photo route.exe InstallUtil.exe

description	pid	process	target process
PID 920 set thread context of 1160	920	Photo route.exe	InstallUtil.exe

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

Photo route.exe

description	pid	process	target process
PID 920 wrote to memory of 1128	920	Photo route.exe	InstallUtil.exe
PID 920 wrote to memory of 1128	920	Photo route.exe	InstallUtil.exe
PID 920 wrote to memory of 1128	920	Photo route.exe	InstallUtil.exe
PID 920 wrote to memory of 1128	920	Photo route.exe	InstallUtil.exe
PID 920 wrote to memory of 1128	920	Photo route.exe	InstallUtil.exe
PID 920 wrote to memory of 1128	920	Photo route.exe	InstallUtil.exe
PID 920 wrote to memory of 1128	920	Photo route.exe	InstallUtil.exe
PID 920 wrote to memory of 1128	920	Photo route.exe	InstallUtil.exe
PID 920 wrote to memory of 1160	920	Photo route.exe	InstallUtil.exe
PID 920 wrote to memory of 1160	920	Photo route.exe	InstallUtil.exe
PID 920 wrote to memory of 1160	920	Photo route.exe	InstallUtil.exe
PID 920 wrote to memory of 1160	920	Photo route.exe	InstallUtil.exe
PID 920 wrote to memory of 1160	920	Photo route.exe	InstallUtil.exe
PID 920 wrote to memory of 1160	920	Photo route.exe	InstallUtil.exe
PID 920 wrote to memory of 1160	920	Photo route.exe	InstallUtil.exe
PID 920 wrote to memory of 1160	920	Photo route.exe	InstallUtil.exe
PID 920 wrote to memory of 1160	920	Photo route.exe	InstallUtil.exe
PID 920 wrote to memory of 1160	920	Photo route.exe	InstallUtil.exe
PID 920 wrote to memory of 1160	920	Photo route.exe	InstallUtil.exe
PID 920 wrote to memory of 1160	920	Photo route.exe	InstallUtil.exe
PID 920 wrote to memory of 1160	920	Photo route.exe	InstallUtil.exe
PID 920 wrote to memory of 1160	920	Photo route.exe	InstallUtil.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
2⤵
PID:1128

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
2⤵
PID:1160

memory/1160-54-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/1160-56-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/1160-57-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download