pandastealer | 06b489080a5addb9ed1163500a9950649cc0830a9e7dc88bfa5ac0ecaf34c912

Analysis

max time kernel
300s
max time network
299s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
19-06-2023 18:58

Target

Setup app.exe
Size

8.5MB
MD5

3d1b6eebe4f703befa68842a2d0e9cb4
SHA1

df688e6cf11742bf8f6a65dee4bd52758f33660d
SHA256

ef9c84f01fb46f8ffc7829abc2b0de296fc2dc8ff93eee949c5f2171092b70da
SHA512

8d4844ee5de6e01336f9a67e64efd10ee305173a54dbf945a41fc5e0d71e6195b70127c9345069cdd816f07aa78021da2bfa3049f15831b07888844e50f4fd9c
SSDEEP

196608:35OllhOTapKB1erCbptqBYHvTYTVHJack+YlGlSRRbCvY:35WlhOTapG1erqpICHvTMacJYlTFP

Score

10^/10

Panda Stealer payload 1 IoCs

resource	yara_rule
behavioral2/memory/1536-387-0x0000000000400000-0x00000000004A3000-memory.dmp	family_pandastealer

PandaStealer
Panda Stealer is a fork of CollectorProject Stealer written in C++.
stealer pandastealer
Downloads MZ/PE file

Executes dropped EXE 1 IoCs

pid	Process
1744	Service64.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1744 set thread context of 1536	1744	Service64.exe	99

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
880	javaw.exe
880	javaw.exe

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 3872 wrote to memory of 880	3872	Setup app.exe	82
PID 3872 wrote to memory of 880	3872	Setup app.exe	82
PID 3872 wrote to memory of 880	3872	Setup app.exe	82
PID 880 wrote to memory of 2456	880	javaw.exe	90
PID 880 wrote to memory of 2456	880	javaw.exe	90
PID 880 wrote to memory of 2456	880	javaw.exe	90
PID 1600 wrote to memory of 1744	1600	explorer.exe	92
PID 1600 wrote to memory of 1744	1600	explorer.exe	92
PID 1600 wrote to memory of 1744	1600	explorer.exe	92
PID 880 wrote to memory of 3756	880	javaw.exe	95
PID 880 wrote to memory of 3756	880	javaw.exe	95
PID 880 wrote to memory of 3756	880	javaw.exe	95
PID 3756 wrote to memory of 2284	3756	cmd.exe	97
PID 3756 wrote to memory of 2284	3756	cmd.exe	97
PID 3756 wrote to memory of 2284	3756	cmd.exe	97
PID 3756 wrote to memory of 2204	3756	cmd.exe	98
PID 3756 wrote to memory of 2204	3756	cmd.exe	98
PID 1744 wrote to memory of 1536	1744	Service64.exe	99
PID 1744 wrote to memory of 1536	1744	Service64.exe	99
PID 1744 wrote to memory of 1536	1744	Service64.exe	99
PID 1744 wrote to memory of 1536	1744	Service64.exe	99
PID 1744 wrote to memory of 1536	1744	Service64.exe	99
PID 1744 wrote to memory of 1536	1744	Service64.exe	99
PID 1744 wrote to memory of 1536	1744	Service64.exe	99
PID 1744 wrote to memory of 1536	1744	Service64.exe	99
PID 1744 wrote to memory of 1536	1744	Service64.exe	99
PID 1744 wrote to memory of 1536	1744	Service64.exe	99

C:\Users\Admin\AppData\Local\Temp\Setup app.exe
"C:\Users\Admin\AppData\Local\Temp\Setup app.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3872
- C:\Users\Admin\AppData\Local\Temp\jre\bin\javaw.exe
  "C:\Users\Admin\AppData\Local\Temp\jre\bin\javaw.exe" -Dfile.encoding=UTF-8 -classpath "C:\Users\Admin\AppData\Local\Temp\Setup app.exe" org.develnext.jphp.ext.javafx.FXLauncher
  2⤵
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:880
- - C:\Windows\SysWOW64\explorer.exe
    explorer C:\Users\Admin\AppData\Local\Temp\Service64.exe
    3⤵
    PID:2456
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\System32\cmd.exe /c "C:\Windows\System32\chcp.com 65001>nul & C:\Windows\SysNative\reg.exe query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "ProductName""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3756
  - - C:\Windows\SysWOW64\chcp.com
      C:\Windows\System32\chcp.com 65001
      4⤵
      PID:2284
  - - C:\Windows\system32\reg.exe
      C:\Windows\SysNative\reg.exe query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "ProductName"
      4⤵
      PID:2204

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Suspicious use of WriteProcessMemory
PID:1600
- C:\Users\Admin\AppData\Local\Temp\Service64.exe
  "C:\Users\Admin\AppData\Local\Temp\Service64.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1744
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
    3⤵
    PID:1536

C:\Users\Admin\AppData\Local\Temp\Service64.exe

Filesize
1.5MB

MD5
c845efe0b7345f8a3bcfa5f7a5681b9b

SHA1
f603aa58a11dc002161180b401e998ee7c2794ff

SHA256
cb058d57e98615b394f8cdf007049b606781570cf7647b32cb7d100c651146d4

SHA512
ac2478188aa2b57a147a38a0c344c9e3112b89a85d92750de61c267668ee9e6e3e208572456939c70559087d7fb32a8a199471f7a2a0d599b2cd83b9dd7f57dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Service64.exe

Filesize
1.5MB

MD5
c845efe0b7345f8a3bcfa5f7a5681b9b

SHA1
f603aa58a11dc002161180b401e998ee7c2794ff

SHA256
cb058d57e98615b394f8cdf007049b606781570cf7647b32cb7d100c651146d4

SHA512
ac2478188aa2b57a147a38a0c344c9e3112b89a85d92750de61c267668ee9e6e3e208572456939c70559087d7fb32a8a199471f7a2a0d599b2cd83b9dd7f57dc

Download Submit
memory/880-163-0x00000000027E0000-0x00000000027E1000-memory.dmp

Filesize
4KB

Download
memory/880-165-0x00000000027E0000-0x00000000027E1000-memory.dmp

Filesize
4KB

Download
memory/880-235-0x00000000027E0000-0x00000000027E1000-memory.dmp

Filesize
4KB

Download
memory/880-236-0x00000000027E0000-0x00000000027E1000-memory.dmp

Filesize
4KB

Download
memory/1536-387-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/3872-133-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download