pandastealer | f98599fb97f7bf78335f2be4b6e1d702dc2f2a5d3ae6ed3e5241d76f7d7a916d

Analysis

max time kernel
181s
max time network
187s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
26-12-2023 10:35

Target

67bb394e3f08886c8efcbb095326e668.exe
Size

1016KB
MD5

67bb394e3f08886c8efcbb095326e668
SHA1

985f91f46a51a1aba14fe54eff745c1297c95059
SHA256

f98599fb97f7bf78335f2be4b6e1d702dc2f2a5d3ae6ed3e5241d76f7d7a916d
SHA512

02810c59a1b13fb42dc08ab4f742866e53ef0f67af3e4c5dffb7726aa348552eb324dee0bf317b24b9725af12d69b1d6e5509f293f0e8150bc2eddf934c21d18
SSDEEP

24576:KqzOi5P5H/PPt06BU2YjaRYHIV+s/mjlZ:KqzOKR3y6u2BWk+ZjlZ

Score

10^/10

Panda Stealer payload 4 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2576-4-0x0000000000400000-0x0000000000481000-memory.dmp	family_pandastealer
behavioral1/memory/2576-6-0x0000000000400000-0x0000000000481000-memory.dmp	family_pandastealer
behavioral1/memory/2576-8-0x0000000000400000-0x0000000000481000-memory.dmp	family_pandastealer
behavioral1/memory/2576-16-0x0000000000400000-0x0000000000481000-memory.dmp	family_pandastealer

PandaStealer
Panda Stealer is a fork of CollectorProject Stealer written in C++.
stealer pandastealer
Shurk
Shurk is an infostealer, written in C++ which appeared in 2021.
infostealer shurk

Shurk Stealer payload 4 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2576-4-0x0000000000400000-0x0000000000481000-memory.dmp	shurk_stealer
behavioral1/memory/2576-6-0x0000000000400000-0x0000000000481000-memory.dmp	shurk_stealer
behavioral1/memory/2576-8-0x0000000000400000-0x0000000000481000-memory.dmp	shurk_stealer
behavioral1/memory/2576-16-0x0000000000400000-0x0000000000481000-memory.dmp	shurk_stealer

Obfuscated with Agile.Net obfuscator 1 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

Processes:

resource	yara_rule
behavioral1/memory/2832-3-0x0000000001F30000-0x0000000001F40000-memory.dmp	agile_net

Suspicious use of SetThreadContext 1 IoCs

Processes:

67bb394e3f08886c8efcbb095326e668.exe

description pid process target process

PID 2832 set thread context of 2576 2832 67bb394e3f08886c8efcbb095326e668.exe AddInProcess32.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

AddInProcess32.exe

pid process

2576 AddInProcess32.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

67bb394e3f08886c8efcbb095326e668.exe

description pid process

Token: SeDebugPrivilege 2832 67bb394e3f08886c8efcbb095326e668.exe

description	pid	process	target process
PID 2832 set thread context of 2576	2832	67bb394e3f08886c8efcbb095326e668.exe	AddInProcess32.exe

pid	process
2576	AddInProcess32.exe

description	pid	process
Token: SeDebugPrivilege	2832	67bb394e3f08886c8efcbb095326e668.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

67bb394e3f08886c8efcbb095326e668.exe

description	pid	process	target process
PID 2832 wrote to memory of 2576	2832	67bb394e3f08886c8efcbb095326e668.exe	AddInProcess32.exe
PID 2832 wrote to memory of 2576	2832	67bb394e3f08886c8efcbb095326e668.exe	AddInProcess32.exe
PID 2832 wrote to memory of 2576	2832	67bb394e3f08886c8efcbb095326e668.exe	AddInProcess32.exe
PID 2832 wrote to memory of 2576	2832	67bb394e3f08886c8efcbb095326e668.exe	AddInProcess32.exe
PID 2832 wrote to memory of 2576	2832	67bb394e3f08886c8efcbb095326e668.exe	AddInProcess32.exe
PID 2832 wrote to memory of 2576	2832	67bb394e3f08886c8efcbb095326e668.exe	AddInProcess32.exe
PID 2832 wrote to memory of 2576	2832	67bb394e3f08886c8efcbb095326e668.exe	AddInProcess32.exe
PID 2832 wrote to memory of 2576	2832	67bb394e3f08886c8efcbb095326e668.exe	AddInProcess32.exe
PID 2832 wrote to memory of 2576	2832	67bb394e3f08886c8efcbb095326e668.exe	AddInProcess32.exe
PID 2832 wrote to memory of 2576	2832	67bb394e3f08886c8efcbb095326e668.exe	AddInProcess32.exe
PID 2832 wrote to memory of 2576	2832	67bb394e3f08886c8efcbb095326e668.exe	AddInProcess32.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2576

memory/2576-4-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2576-6-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2576-8-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2576-16-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2832-0-0x0000000000A20000-0x0000000000B22000-memory.dmp

Filesize
1.0MB

Download
memory/2832-1-0x0000000074190000-0x000000007487E000-memory.dmp

Filesize
6.9MB

Download
memory/2832-2-0x00000000004D0000-0x0000000000510000-memory.dmp

Filesize
256KB

Download
memory/2832-3-0x0000000001F30000-0x0000000001F40000-memory.dmp

Filesize
64KB

Download
memory/2832-7-0x0000000074190000-0x000000007487E000-memory.dmp

Filesize
6.9MB

Download
memory/2832-9-0x0000000074190000-0x000000007487E000-memory.dmp

Filesize
6.9MB

Download