pandastealer | 0e43398f20329effd2c9166408830520f7a65bb97fe731e7adf9cbc23321550b

General

Target

73bdcc9555fc1bad7922968d96da189a.exe
Size

5.8MB
MD5

73bdcc9555fc1bad7922968d96da189a
SHA1

b442030efe8dae7c3930078d36e894f64ac1dce8
SHA256

0e43398f20329effd2c9166408830520f7a65bb97fe731e7adf9cbc23321550b
SHA512

2afe42feafc4b8c5b9280f8928201704f9532b8a3730da449a8d9522100a308a8608fd87da741e48f748a4c802de7793f8e0567e94276bd9eeb088dfdc6fd5d4
SSDEEP

98304:JsRH1pBhhBQSmT60Gn2lxmhVXpbB8NWjEecyE4+thl/cgJprckjjlfcXVK:uNhaSmT60GnTh15B8G5cW+fZcwjn

Score

10^/10

pandastealer spyware stealer vmprotect

Malware Config

Extracted

Family

pandastealer

Version

1.11

C2

http://f0577083.xsph.ru

Signatures

Panda Stealer payload 3 IoCs

resource	yara_rule
behavioral1/memory/3008-17-0x0000000000EF0000-0x0000000001893000-memory.dmp	family_pandastealer
behavioral1/memory/3008-29-0x0000000000EF0000-0x0000000001893000-memory.dmp	family_pandastealer
behavioral1/memory/3008-49-0x0000000000EF0000-0x0000000001893000-memory.dmp	family_pandastealer

PandaStealer
Panda Stealer is a fork of CollectorProject Stealer written in C++.
stealer pandastealer

Executes dropped EXE 1 IoCs

pid	Process
3008	build.vmp.exe

Loads dropped DLL 4 IoCs

pid	Process
1032	73bdcc9555fc1bad7922968d96da189a.exe
1032	73bdcc9555fc1bad7922968d96da189a.exe
1032	73bdcc9555fc1bad7922968d96da189a.exe
1032	73bdcc9555fc1bad7922968d96da189a.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

VMProtect packed file 10 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral1/files/0x000a00000001225c-3.dat	vmprotect
behavioral1/files/0x000a00000001225c-6.dat	vmprotect
behavioral1/files/0x000a00000001225c-5.dat	vmprotect
behavioral1/files/0x000a00000001225c-13.dat	vmprotect
behavioral1/files/0x000a00000001225c-10.dat	vmprotect
behavioral1/files/0x000a00000001225c-15.dat	vmprotect
behavioral1/files/0x000a00000001225c-16.dat	vmprotect
behavioral1/memory/3008-17-0x0000000000EF0000-0x0000000001893000-memory.dmp	vmprotect
behavioral1/memory/3008-29-0x0000000000EF0000-0x0000000001893000-memory.dmp	vmprotect
behavioral1/memory/3008-49-0x0000000000EF0000-0x0000000001893000-memory.dmp	vmprotect

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
3008	build.vmp.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\%teamp%\__tmp_rar_sfx_access_check_259429303	73bdcc9555fc1bad7922968d96da189a.exe
File created	C:\Program Files (x86)\%teamp%\build.vmp.exe	73bdcc9555fc1bad7922968d96da189a.exe
File opened for modification	C:\Program Files (x86)\%teamp%\build.vmp.exe	73bdcc9555fc1bad7922968d96da189a.exe
File opened for modification	C:\Program Files (x86)\%teamp%	73bdcc9555fc1bad7922968d96da189a.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3008	build.vmp.exe
3008	build.vmp.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1032 wrote to memory of 3008	1032	73bdcc9555fc1bad7922968d96da189a.exe	28
PID 1032 wrote to memory of 3008	1032	73bdcc9555fc1bad7922968d96da189a.exe	28
PID 1032 wrote to memory of 3008	1032	73bdcc9555fc1bad7922968d96da189a.exe	28
PID 1032 wrote to memory of 3008	1032	73bdcc9555fc1bad7922968d96da189a.exe	28

C:\Users\Admin\AppData\Local\Temp\73bdcc9555fc1bad7922968d96da189a.exe
"C:\Users\Admin\AppData\Local\Temp\73bdcc9555fc1bad7922968d96da189a.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1032
- C:\Program Files (x86)\%teamp%\build.vmp.exe
  "C:\Program Files (x86)\%teamp%\build.vmp.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  PID:3008

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\%teamp%\build.vmp.exe

Filesize
1.8MB

MD5
7f914efa912472c88f7cde6e5cd39f8e

SHA1
e8b29d42136f61f036e1ceebff8bb604179ef4dc

SHA256
f6712d9a6cc86be35fd3cbe684f58fc85744fa1c53bd2e1977cf67ba69475397

SHA512
b0122afc186f5a02382d26bcd849d8a7c41cb722ebc1d0c67be5dcd482885f3d1b331c619f32505d30bc28fb00611603a6a0991c74f2f02d451882daa555e8be

Download Submit
C:\Program Files (x86)\%teamp%\build.vmp.exe

Filesize
1.9MB

MD5
faef19a6cecfafdd23c7e5768f7f997f

SHA1
8487a6e503f9c26c344a99dd6aa875f54cbe1da1

SHA256
f39b939301c4fb3e6dd21853865aee486a971c4dbad36043117afa420f827d0d

SHA512
0e296d1b365941760d0188fdb60b101bbd1eea3188db77f2e3e12d271be3b926f8711e6e07a494b24f19b5efac55ebc3978a4fad33886feacdaab1c3cf373491

Download Submit
C:\Program Files (x86)\%teamp%\build.vmp.exe

Filesize
1.1MB

MD5
b2c5cf1b832d864b35a4102a980aaa0b

SHA1
00a3cbcdb31483e2d50e7242dba3687a43f1cda4

SHA256
a347e4e42df65690a3c05ce3f709b72a6e5271046c3dd30950af3a7cea9691d5

SHA512
6000d2ec12a7628e3628b49019e26df9805a530e1a4941d397649e6f42ccf0a88616574acff19ac40c1d44929bb6118f2cfa9dffa78349df845f541e3aed9d2f

Download Submit
\Program Files (x86)\%teamp%\build.vmp.exe

Filesize
704KB

MD5
c6ec6239a239b5c6a0e6f05d0b5c4b2d

SHA1
9f16e2f24c1e8bded5f38933286d00a7b5abd516

SHA256
70d8a6422d04949476732b7a0e7e0d5390b957b6840699f53c08e6b5dea0374a

SHA512
646022a5e212e8458764f9ff511276af5f9b5f94540460341f3cba827fedfbfce9dc0a9bb6f9e3e1118f1afff4079ceb7f79b49af0de77c065c382ba44cf243e

Download Submit
\Program Files (x86)\%teamp%\build.vmp.exe

Filesize
1.8MB

MD5
4ed54c596b96c98ddc02e01fabea08de

SHA1
f5e0b397bd60fcc29a86deb74bf15a1a8786da5d

SHA256
af01a248f554d8e5b2ab0432b3c7963a2ef10d69c771adfe220ff6cc9293a54e

SHA512
5f8a5f7f962d930bdba814182c97e8c3772c2f4d935aa56d7345eb5acc324b50965815d4a66e34804718771c116ca36635219c6a8b6525e76b0e98398de3be58

Download Submit
\Program Files (x86)\%teamp%\build.vmp.exe

Filesize
1.6MB

MD5
57782e7d1af8f9875b658df3ebc75112

SHA1
a78d83623a033e816f0460bc372ffd571ce98145

SHA256
c5a14aef67b2a75d40198531c6e36778cd6b8b3cf4b5c5be5719de9257ab121a

SHA512
508a6d17bc8de6a9647bcea5e9d98e3c5232094d77a36eb225876a68c25f4a122fcffd7d32b3985a7648d2b6b6eed8075470c35fd3acf7d5f75faaabfa2ba410

Download Submit
\Program Files (x86)\%teamp%\build.vmp.exe

Filesize
1.1MB

MD5
9e72ced23df36f3a3b812e64ca9fa189

SHA1
74d29d10f6923c7f367b1c4cabbc1fab10712b85

SHA256
041f5edf5a525bda41804fe05b053725c7c48eaa437ad3123dd39d510093ded6

SHA512
f84536ec7c463e8c84c01db3c211c2527102b1394596db3faecd88ace1d24842f82a81b200df191fa7081a3ea8dd97a6263be05177d67afb3282d964030b719c

Download Submit
memory/3008-20-0x00000000000E0000-0x00000000000E1000-memory.dmp

Filesize
4KB

Download
memory/3008-17-0x0000000000EF0000-0x0000000001893000-memory.dmp

Filesize
9.6MB

Download
memory/3008-22-0x00000000000E0000-0x00000000000E1000-memory.dmp

Filesize
4KB

Download
memory/3008-18-0x00000000000E0000-0x00000000000E1000-memory.dmp

Filesize
4KB

Download
memory/3008-24-0x0000000077C20000-0x0000000077C21000-memory.dmp

Filesize
4KB

Download
memory/3008-23-0x00000000000F0000-0x00000000000F1000-memory.dmp

Filesize
4KB

Download
memory/3008-26-0x00000000000F0000-0x00000000000F1000-memory.dmp

Filesize
4KB

Download
memory/3008-28-0x00000000000F0000-0x00000000000F1000-memory.dmp

Filesize
4KB

Download
memory/3008-29-0x0000000000EF0000-0x0000000001893000-memory.dmp

Filesize
9.6MB

Download
memory/3008-49-0x0000000000EF0000-0x0000000001893000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing