pandastealer | 05c43a95ca5fc29b575a8417237b5868abc223c60ade4cd2487aef16814b48f1

Analysis

max time kernel
119s
max time network
123s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
20-12-2023 16:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

edad239f7872ba1c6aa40e9f20894129.exe
Size

1.7MB
MD5

edad239f7872ba1c6aa40e9f20894129
SHA1

9edb6487a5bbb07aa337afd2c2764913813c9814
SHA256

05c43a95ca5fc29b575a8417237b5868abc223c60ade4cd2487aef16814b48f1
SHA512

6ebc98f76003897d359756194766ed5b7a4a3ad2bc02e07826449302495fd8a8b365fe59fcf68d5202dd42d828c3c077f988f9a1a2b4eb501ba6a4381f431490
SSDEEP

24576:/mv94J5AWlk5JiFJlYGCrvLAOP6/CFa/gTQ/3zzqIrSJuic6jg/nYNB+FnOgtiNS:yW3AU+SKrvLAOPZaDGtJVkYnGOgEjhu

Score

10^/10

pandastealer spyware stealer

Malware Config

Extracted

Family

pandastealer

Version

1.11

http://a0588174.xsph.ru

Signatures

Panda Stealer payload 4 IoCs

resource	yara_rule
behavioral1/files/0x000e0000000122f6-19.dat	family_pandastealer
behavioral1/files/0x000e0000000122f6-13.dat	family_pandastealer
behavioral1/files/0x000e0000000122f6-12.dat	family_pandastealer
behavioral1/files/0x000e0000000122f6-10.dat	family_pandastealer

PandaStealer
Panda Stealer is a fork of CollectorProject Stealer written in C++.
stealer pandastealer

Executes dropped EXE 3 IoCs

pid	Process
2044	build.exe
2904	build1.exe
2704	Splash Console Bootstrapper.exe

Loads dropped DLL 4 IoCs

pid	Process
1064	edad239f7872ba1c6aa40e9f20894129.exe
1064	edad239f7872ba1c6aa40e9f20894129.exe
1064	edad239f7872ba1c6aa40e9f20894129.exe
1064	edad239f7872ba1c6aa40e9f20894129.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
6	freegeoip.app
7	freegeoip.app

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	build.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	build.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2904	build1.exe
2044	build.exe
2044	build.exe
2044	build.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2704	Splash Console Bootstrapper.exe
Token: SeDebugPrivilege	2044	build.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1064 wrote to memory of 2044	1064	edad239f7872ba1c6aa40e9f20894129.exe	28
PID 1064 wrote to memory of 2044	1064	edad239f7872ba1c6aa40e9f20894129.exe	28
PID 1064 wrote to memory of 2044	1064	edad239f7872ba1c6aa40e9f20894129.exe	28
PID 1064 wrote to memory of 2044	1064	edad239f7872ba1c6aa40e9f20894129.exe	28
PID 1064 wrote to memory of 2904	1064	edad239f7872ba1c6aa40e9f20894129.exe	29
PID 1064 wrote to memory of 2904	1064	edad239f7872ba1c6aa40e9f20894129.exe	29
PID 1064 wrote to memory of 2904	1064	edad239f7872ba1c6aa40e9f20894129.exe	29
PID 1064 wrote to memory of 2904	1064	edad239f7872ba1c6aa40e9f20894129.exe	29
PID 1064 wrote to memory of 2704	1064	edad239f7872ba1c6aa40e9f20894129.exe	30
PID 1064 wrote to memory of 2704	1064	edad239f7872ba1c6aa40e9f20894129.exe	30
PID 1064 wrote to memory of 2704	1064	edad239f7872ba1c6aa40e9f20894129.exe	30
PID 1064 wrote to memory of 2704	1064	edad239f7872ba1c6aa40e9f20894129.exe	30

C:\Users\Admin\AppData\Local\Temp\edad239f7872ba1c6aa40e9f20894129.exe
"C:\Users\Admin\AppData\Local\Temp\edad239f7872ba1c6aa40e9f20894129.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1064
- C:\Users\Admin\AppData\Local\Temp\build.exe
  "C:\Users\Admin\AppData\Local\Temp\build.exe"
  2⤵
  - Executes dropped EXE
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2044
- C:\Users\Admin\AppData\Local\Temp\build1.exe
  "C:\Users\Admin\AppData\Local\Temp\build1.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2904
- C:\Users\Admin\AppData\Local\Temp\Splash Console Bootstrapper.exe
  "C:\Users\Admin\AppData\Local\Temp\Splash Console Bootstrapper.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Splash Console Bootstrapper.exe

Filesize
116KB

MD5
e54c16c7f9161c84ac1bece6f1ad841c

SHA1
d5bccde38db577ae6a462575c13a266b0ed74e81

SHA256
b031dc82900b4f4106f996871a75979e6467a71a8c3ca3605979924e6e981a71

SHA512
f0ec2a4306e2275445e7a68cbf6234723ca37e77ddfadb5c71d5dc432f2fd4b43c1ff33fd4f2d8c7a1288cc949f42e4d5256aafc79be8dc68e107571b5d11874

Download Submit
C:\Users\Admin\AppData\Local\Temp\Splash Console Bootstrapper.exe

Filesize
198KB

MD5
d1e7f7a10407ef25d0a9b413fc7afdfd

SHA1
58436c7af984bb5bc3182288562fa1faba98a767

SHA256
671d0e63df5a0d53ffa9f55002704afcc623a1c1646a766b0de16903046f7f58

SHA512
5176d41534a29274a24d2d6ea2b78c796ab076d6990852fdbb5d08f85cd878767d1afd1a9f44237eed49a796ef42bbb3e5b92833c26c8dc4c40574d8e6dcf79d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Splash Console Bootstrapper.exe

Filesize
175KB

MD5
4dea004a4c077788f0166e2ff2fe7c08

SHA1
fdaca95c88240a8c743baf566477e914e0ef176d

SHA256
cb24c338030f4b4db78ab6c65f3dc37cfeef60312259d2fe7f0f2ec789557e7b

SHA512
4a44f708e1cea993d6d570cabd5e5d2c72cd9f9f3e504e05276c0b4c1a708c22a8e4ca5a0d91aaa04e65e1ac6cc86d8679e6ff84aaa527651e867d3a9fd167db

Download Submit
C:\Users\Admin\AppData\Local\Temp\build.exe

Filesize
346KB

MD5
70891987eed6b5fdd4ea95fea769bc83

SHA1
90c9168da3832b1a4c3624ae7047034d306124e1

SHA256
2cb5e0001144e7f4b44932c1eef414ec93ff3ffabee52b888b82c1a9666d6624

SHA512
d459febb692129ca4314827c3a463db092508beba531f917bb78d8904d9895df468dd6a49330b4ad7dfdd12fb836c55f2d3777f3644f43429c48acdf345824d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\build.exe

Filesize
424KB

MD5
e72b7af5a93a187ec7e0224dbe7b891e

SHA1
5ba0a5d51846c081b22af58d7df0e29f61079791

SHA256
796ffa16c1489cc3611081aa70235b20139c5b4fa1e520735ce5c7a4ffee47f8

SHA512
e74ba363f11becc5bb53c0ee41c0c784c07250b864b3107c1b6b88b497b15a82248a6eac60a0ea39058454e62b827d82cd5cf989aa164a103ddb1247f91718a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\build1.exe

Filesize
158KB

MD5
a2304f3ade093dd6d9d426721b768a26

SHA1
838dfe658436db6e975c26acd62134360300021b

SHA256
c4a0093fea8c1947a5a1184236c6be2771bc2231222dcc06694aa3d2918b3b69

SHA512
db131a02aaa62bae41de8543478941566300ca22565089d48c1cee0fa534a05bda2338da6831cc56c5a9019cfb513d0c5d98e3149f948dd4d32c2f1507bcafec

Download Submit
C:\Users\Admin\AppData\Local\Temp\build1.exe

Filesize
115KB

MD5
dad1b1ba9b998cf9c62379bf52a249ac

SHA1
994a608fc924ecb9bcc23530761ad0df3be4504b

SHA256
9c951a59a55a8d0cfd78bb5f856b7079f1d67d38c2a9e9665d5bbf8932ca50b5

SHA512
f726e334338ef6d7fb30d8a9c0576902ad0525fd037b2d5d0682a42702bb7b854c7eb2b7e69aeb9027d0d24bf0ffcbae944cc75fce5d4dd52add0f86514e4857

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp5479.tmp.dat

Filesize
92KB

MD5
be0d10b59d5cdafb1aed2b32b3cd6620

SHA1
9619e616c5391c6d38e0c5f58f023a33ef7ad231

SHA256
b10adeb400742d7a304eb772a4089fa1c3cd8ca73ad23268b5d283ed237fea64

SHA512
a6d0af9cf0a22f987205a458e234b82fbc2760720c80cc95ca08babee21b7480fc5873d335a42f4d9b25754d841057514db50b41995cb1d2a7f832e0e6ea0a11

Download Submit
C:\Users\Admin\AppData\Local\exostub\Screenshot.png

Filesize
94KB

MD5
fa0052bbf5a565c7fce58493d3d7b7f1

SHA1
b77bd9eaeb0040f8a93e3bde423f8092fdc2b0c5

SHA256
3eaa0b74ea52daaedf9dc7c9401ec0f980a8d3ea4c4f74274f77de8e8dc3c5cc

SHA512
794875f72a69be8f5324d150f54a0f4fced73a92e940b4e4f1de1a1040acdd62626aab6220a9bc8c7e37b91a5aede868d68efa062e295c213fd0e48989f1d90e

Download Submit
\Users\Admin\AppData\Local\Temp\Splash Console Bootstrapper.exe

Filesize
158KB

MD5
460ee77707c8d62b2f5f4f2c2afd5ea6

SHA1
1f70e8f45da9af55de00a1d53818e1602c8d62ab

SHA256
4b78aaa457f977b0c805349298ce061436e77509792ccf1f30d373b67c610ff2

SHA512
7d26abb31cc243027811721e17f15147e56abf37190750823545ef19c9a0b01a63e7aa70f34da3134656cb84fc7433ba8d46ec7698c971ca74f2a71fcc280fa8

Download Submit
\Users\Admin\AppData\Local\Temp\build.exe

Filesize
645KB

MD5
54c53ecc2efa8153da6aa95f8b018255

SHA1
ab27f07961cc2121c977c7c1379da21e097d378d

SHA256
c7e746527b556d1891c69d3be52426af27e5ff5174967d2a0a0054f3ced5e59f

SHA512
edb2402abe5dd9076c6dbc241dd3246f40e147577f0fe3c85489b70722e6a07255f31c952b0e4b779f588b750c3c1693b7e733ede24ee4e0553f9d93069e9615

Download Submit
\Users\Admin\AppData\Local\Temp\build1.exe

Filesize
138KB

MD5
e14ae8466eda92ade84e796b6451d552

SHA1
e10a0472b62e3563e520865b2f8d62cde7a7bdc2

SHA256
f76ffbae9632e31adc2d1e46fd451e411126b65533860ff9fee8548f5ca6e4b1

SHA512
1d9ff1d645b93b35ddbe24d3fa19ff7b8626066a885a6fac73ffc9373738dc47709c976b18fde69e79d998cee2352c807884f2a1ba34245e642696399748e7f6

Download Submit
\Users\Admin\AppData\Local\Temp\build1.exe

Filesize
146KB

MD5
7a1343bc87a45a364d861c8326fc6df3

SHA1
897a50857a54fafcfee4bf6d1cd4695dda8115fa

SHA256
8515d7f98bea833e84ccd2d5947427837e46570c34329e13d4fd04f57118a3cf

SHA512
1129b012c324d5999716979568edf1b45c587cbe771457b6f9e032a332cd8dfcb50f949eea8bcc69e513ccaec13994361b9fa75d8af325867a2c531b11bae638

Download Submit
memory/2044-40-0x000007FEF5500000-0x000007FEF5EEC000-memory.dmp

Filesize
9.9MB

Download
memory/2044-41-0x0000000000B00000-0x0000000000B86000-memory.dmp

Filesize
536KB

Download
memory/2044-43-0x000000001AF50000-0x000000001AFD0000-memory.dmp

Filesize
512KB

Download
memory/2044-99-0x000000001A7D0000-0x000000001A848000-memory.dmp

Filesize
480KB

Download
memory/2044-36-0x0000000000C60000-0x0000000000D08000-memory.dmp

Filesize
672KB

Download
memory/2044-112-0x000007FEF5500000-0x000007FEF5EEC000-memory.dmp

Filesize
9.9MB

Download
memory/2704-42-0x0000000073F10000-0x00000000745FE000-memory.dmp

Filesize
6.9MB

Download
memory/2704-39-0x0000000001180000-0x0000000001252000-memory.dmp

Filesize
840KB

Download
memory/2704-113-0x0000000073F10000-0x00000000745FE000-memory.dmp

Filesize
6.9MB

Download