pandastealer | 8d8a582206a03b35fcca11de649ddb1a150d4791c43c793c6c3c599c8fcc3848

General

Target

VN[A43369197BA4B9840A742079ADE515B8] [2022-12-15T03_11_33.4145147] lang-English (United States)/Wall.exe
Size

1.9MB
MD5

d529e0869cea70bf8d3bdec1f16048d9
SHA1

10f0cb47a0494a02c6c6e81a68486918a12cecdd
SHA256

a160899b9e4c43ca91293e96180e3ed9ad7dc554cd3ca1a6f231ca478d7adfae
SHA512

43e135ea62b8815abd1e11d6447149f5b44b2a7dd780ddac62c5abe510aa14631c87a08257d1bdcb141bd236495ffc3a2781d74a86e7576c0389a62dd23fc5b5
SSDEEP

49152:ABRevIzpuUaDNJJE+dwRivJdxCxvAgoylf+H35jOa:apz4pDN8+KRUJgy+f+XD

Score

10^/10

Malware Config

Signatures

Panda Stealer payload 3 IoCs

resource	yara_rule
behavioral2/memory/2192-154-0x0000000000640000-0x0000000000A4A000-memory.dmp	family_pandastealer
behavioral2/memory/2192-155-0x0000000000640000-0x0000000000A4A000-memory.dmp	family_pandastealer
behavioral2/memory/2192-156-0x0000000000640000-0x0000000000A4A000-memory.dmp	family_pandastealer

PandaStealer
Panda Stealer is a fork of CollectorProject Stealer written in C++.
stealer pandastealer

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4129409437-3162877118-52503038-1000\Control Panel\International\Geo\Nation	Wall.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4129409437-3162877118-52503038-1000\Control Panel\International\Geo\Nation	work.exe

Executes dropped EXE 2 IoCs

pid	Process
3884	work.exe
2192	efthsf.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

pid	Process
2192	efthsf.exe
2192	efthsf.exe
2192	efthsf.exe
2192	efthsf.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2192	efthsf.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2140 wrote to memory of 4388	2140	Wall.exe	85
PID 2140 wrote to memory of 4388	2140	Wall.exe	85
PID 2140 wrote to memory of 4388	2140	Wall.exe	85
PID 4388 wrote to memory of 3884	4388	cmd.exe	88
PID 4388 wrote to memory of 3884	4388	cmd.exe	88
PID 4388 wrote to memory of 3884	4388	cmd.exe	88
PID 3884 wrote to memory of 2192	3884	work.exe	89
PID 3884 wrote to memory of 2192	3884	work.exe	89
PID 3884 wrote to memory of 2192	3884	work.exe	89

C:\Users\Admin\AppData\Local\Temp\VN[A43369197BA4B9840A742079ADE515B8] [2022-12-15T03_11_33.4145147] lang-English (United States)\Wall.exe
"C:\Users\Admin\AppData\Local\Temp\VN[A43369197BA4B9840A742079ADE515B8] [2022-12-15T03_11_33.4145147] lang-English (United States)\Wall.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2140
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4388
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\work.exe
    work.exe -priverdD
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3884
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX1\efthsf.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX1\efthsf.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious use of SetWindowsHookEx
      PID:2192

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.bat

Filesize
35B

MD5
ff59d999beb970447667695ce3273f75

SHA1
316fa09f467ba90ac34a054daf2e92e6e2854ff8

SHA256
065d2b17ad499587dc9de7ee9ecda4938b45da1df388bc72e6627dff220f64d2

SHA512
d5ac72cb065a3cd3cb118a69a2f356314eeed24dcb4880751e1a3683895e66cedc62607967e29f77a0c27adf1c9fe0efd86e804f693f0a63a5b51b0bf0056b5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\work.exe

Filesize
1.7MB

MD5
51a361bef59e8460f51890dcf0cc4db5

SHA1
474593ed74808e4249b12e97e35cb3d386ec9b71

SHA256
b6dbf8daa3bafea4f7ccd74921525b8e4a3b4993ef1049e6dc65c733e3a1ed9f

SHA512
f56c93e2f7edc4bb6874c98904877f67d75a2b64fe8bd3483905cfb5efc4cb3d0316a66feff34d3c1a6f82b1ca9d513950da42c44585f03c35db0dcf6c5be201

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\work.exe

Filesize
1.7MB

MD5
51a361bef59e8460f51890dcf0cc4db5

SHA1
474593ed74808e4249b12e97e35cb3d386ec9b71

SHA256
b6dbf8daa3bafea4f7ccd74921525b8e4a3b4993ef1049e6dc65c733e3a1ed9f

SHA512
f56c93e2f7edc4bb6874c98904877f67d75a2b64fe8bd3483905cfb5efc4cb3d0316a66feff34d3c1a6f82b1ca9d513950da42c44585f03c35db0dcf6c5be201

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\efthsf.exe

Filesize
1.4MB

MD5
0b56d226dfd3e5771f0920e05940d408

SHA1
cb9c6a16a2aeddcc7864b36ee1cac1fd51f7b583

SHA256
b7c6baa369eaa5298ff5e41bf2bc61704cbf1311eb92236ea9b8d84493487f65

SHA512
cef9f93b4aa405486a555e5c7ec0b956ab46b21208c573f8b2c8bd86d3f106ea7f9f308eb7f9a63de9760bf8fd5b24740f3ec3229c60e02059dfa8dca2e9af2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\efthsf.exe

Filesize
1.4MB

MD5
0b56d226dfd3e5771f0920e05940d408

SHA1
cb9c6a16a2aeddcc7864b36ee1cac1fd51f7b583

SHA256
b7c6baa369eaa5298ff5e41bf2bc61704cbf1311eb92236ea9b8d84493487f65

SHA512
cef9f93b4aa405486a555e5c7ec0b956ab46b21208c573f8b2c8bd86d3f106ea7f9f308eb7f9a63de9760bf8fd5b24740f3ec3229c60e02059dfa8dca2e9af2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\efthsf.exe

Filesize
1.4MB

MD5
0b56d226dfd3e5771f0920e05940d408

SHA1
cb9c6a16a2aeddcc7864b36ee1cac1fd51f7b583

SHA256
b7c6baa369eaa5298ff5e41bf2bc61704cbf1311eb92236ea9b8d84493487f65

SHA512
cef9f93b4aa405486a555e5c7ec0b956ab46b21208c573f8b2c8bd86d3f106ea7f9f308eb7f9a63de9760bf8fd5b24740f3ec3229c60e02059dfa8dca2e9af2d

Download Submit
memory/2192-153-0x0000000000640000-0x0000000000A4A000-memory.dmp

Filesize
4.0MB

Download
memory/2192-152-0x0000000000640000-0x0000000000A4A000-memory.dmp

Filesize
4.0MB

Download
memory/2192-154-0x0000000000640000-0x0000000000A4A000-memory.dmp

Filesize
4.0MB

Download
memory/2192-155-0x0000000000640000-0x0000000000A4A000-memory.dmp

Filesize
4.0MB

Download
memory/2192-156-0x0000000000640000-0x0000000000A4A000-memory.dmp

Filesize
4.0MB

Download

Analysis

Sharing