General

  • Target

    9bdffeeb52015df1699b7b0f0aa03cf4

  • Size

    10.9MB

  • Sample

    231227-b83vxsghh5

  • MD5

    9bdffeeb52015df1699b7b0f0aa03cf4

  • SHA1

    b9d1f121926acd5a8b146e4675a30d7f8583d2bf

  • SHA256

    57ad383c47b6423e48e44f750afc38f4e837db3c62eb59e10743d241625259e2

  • SHA512

    4e45c2f7ebc96768453340dab5bc29d6a9e998c2c76e424e1af445e13cd89d3b9aafc5233957242fc2dede2e96d35e5cb038b7d3ce6fc47251cc7ca3094875d9

  • SSDEEP

    196608:h5XOsmXgCe4WdIHlJMBJxxviqVVXBgl7ZSr/UyXL23QM2NCfV3d1R9fv7M:jOsmXMeHU9viqeFu8KigMFd1Rm

Malware Config

Extracted

  • Family

    pandastealer

  • Version

    1.11

  • C2

    http://f0565988.xsph.ru

Targets

    • Panda Stealer payload

    • PandaStealer

      Panda Stealer is a fork of CollectorProject Stealer written in C++.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • VMProtect packed file

      Detects executables packed with VMProtect commercial packer.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Matrix (ATT&CK v13)

  Tactic              Technique                       ID          Count
  Credential Access   Unsecured Credentials           T1552       1
  Credential Access   Credentials In Files            T1552.001   1
  Discovery           Query Registry                  T1012       1
  Discovery           System Information Discovery    T1082       2
  Collection          Data from Local System          T1005       1
