pandastealer | 453439bd8846f46fb97b11c9274739b90e8417e2d4d64b394e435160257ebf0d

Analysis

max time kernel
111s
max time network
134s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
08-05-2023 12:38

Target

Photo route.exe
Size

1.6MB
MD5

ca6e7bc100769e0b2c57226254963480
SHA1

6a49e68fe527ea932bdf0cfb44d05dce505e57ad
SHA256

c595e256f31458c264160ac18e45e87d666b07f372b4559882be138cb2438e77
SHA512

4691ff07af4158000da6d24ac7018ece1f5c35609a20678ff57048a34b2d71ad5a1bdaec3898164ae9d31d81bbfe8e4f943f97b65ba78bdd2df4f2f48658d9fa
SSDEEP

24576:GnifyThjAjUO1V/sIPgF6DFvBzDnvJCkF8AnFhYWA:UifyThjKt7yUhtxCo8AgWA

Score

10^/10

Panda Stealer payload 4 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1236-133-0x0000000000400000-0x00000000004A3000-memory.dmp	family_pandastealer
behavioral2/memory/1236-134-0x0000000000400000-0x00000000004A3000-memory.dmp	family_pandastealer
behavioral2/memory/1236-135-0x0000000000400000-0x00000000004A3000-memory.dmp	family_pandastealer
behavioral2/memory/1236-136-0x0000000000400000-0x00000000004A3000-memory.dmp	family_pandastealer

PandaStealer
Panda Stealer is a fork of CollectorProject Stealer written in C++.
stealer pandastealer
Suspicious use of SetThreadContext 1 IoCs

Processes:

Photo route.exe

description pid process target process

PID 4644 set thread context of 1236 4644 Photo route.exe InstallUtil.exe
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

2784 4644 WerFault.exe Photo route.exe
2408 4644 WerFault.exe Photo route.exe

description	pid	process	target process
PID 4644 set thread context of 1236	4644	Photo route.exe	InstallUtil.exe

pid	pid_target	process	target process
2784	4644	WerFault.exe	Photo route.exe
2408	4644	WerFault.exe	Photo route.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

Photo route.exe

description	pid	process	target process
PID 4644 wrote to memory of 1236	4644	Photo route.exe	InstallUtil.exe
PID 4644 wrote to memory of 1236	4644	Photo route.exe	InstallUtil.exe
PID 4644 wrote to memory of 1236	4644	Photo route.exe	InstallUtil.exe
PID 4644 wrote to memory of 1236	4644	Photo route.exe	InstallUtil.exe
PID 4644 wrote to memory of 1236	4644	Photo route.exe	InstallUtil.exe
PID 4644 wrote to memory of 1236	4644	Photo route.exe	InstallUtil.exe
PID 4644 wrote to memory of 1236	4644	Photo route.exe	InstallUtil.exe
PID 4644 wrote to memory of 1236	4644	Photo route.exe	InstallUtil.exe
PID 4644 wrote to memory of 1236	4644	Photo route.exe	InstallUtil.exe
PID 4644 wrote to memory of 1236	4644	Photo route.exe	InstallUtil.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
2⤵
PID:1236

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4644 -s 292
2⤵
- Program crash
PID:2784

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4644 -s 328
2⤵
- Program crash
PID:2408

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4644 -ip 4644
1⤵
PID:1884

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4644 -ip 4644
1⤵
PID:2692

memory/1236-133-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/1236-134-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/1236-135-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/1236-136-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download