pandastealer | 57ad383c47b6423e48e44f750afc38f4e837db3c62eb59e10743d241625259e2

General

Target

9bdffeeb52015df1699b7b0f0aa03cf4.exe
Size

10.9MB
MD5

9bdffeeb52015df1699b7b0f0aa03cf4
SHA1

b9d1f121926acd5a8b146e4675a30d7f8583d2bf
SHA256

57ad383c47b6423e48e44f750afc38f4e837db3c62eb59e10743d241625259e2
SHA512

4e45c2f7ebc96768453340dab5bc29d6a9e998c2c76e424e1af445e13cd89d3b9aafc5233957242fc2dede2e96d35e5cb038b7d3ce6fc47251cc7ca3094875d9
SSDEEP

196608:h5XOsmXgCe4WdIHlJMBJxxviqVVXBgl7ZSr/UyXL23QM2NCfV3d1R9fv7M:jOsmXMeHU9viqeFu8KigMFd1Rm

Score

10^/10

pandastealer spyware stealer vmprotect

Malware Config

Extracted

Family

pandastealer

Version

1.11

C2

http://f0565988.xsph.ru

Signatures

Panda Stealer payload 3 IoCs

resource	yara_rule
behavioral1/memory/2408-19-0x0000000001230000-0x0000000001BF4000-memory.dmp	family_pandastealer
behavioral1/memory/2408-30-0x0000000001230000-0x0000000001BF4000-memory.dmp	family_pandastealer
behavioral1/memory/2408-55-0x0000000001230000-0x0000000001BF4000-memory.dmp	family_pandastealer

PandaStealer
Panda Stealer is a fork of CollectorProject Stealer written in C++.
stealer pandastealer

Executes dropped EXE 1 IoCs

pid	Process
2408	Furios.exe

Loads dropped DLL 4 IoCs

pid	Process
1428	9bdffeeb52015df1699b7b0f0aa03cf4.exe
1428	9bdffeeb52015df1699b7b0f0aa03cf4.exe
1428	9bdffeeb52015df1699b7b0f0aa03cf4.exe
1428	9bdffeeb52015df1699b7b0f0aa03cf4.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

VMProtect packed file 9 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral1/files/0x000c000000012251-5.dat	vmprotect
behavioral1/files/0x000c000000012251-7.dat	vmprotect
behavioral1/files/0x000c000000012251-8.dat	vmprotect
behavioral1/files/0x000c000000012251-18.dat	vmprotect
behavioral1/files/0x000c000000012251-17.dat	vmprotect
behavioral1/files/0x000c000000012251-12.dat	vmprotect
behavioral1/memory/2408-19-0x0000000001230000-0x0000000001BF4000-memory.dmp	vmprotect
behavioral1/memory/2408-30-0x0000000001230000-0x0000000001BF4000-memory.dmp	vmprotect
behavioral1/memory/2408-55-0x0000000001230000-0x0000000001BF4000-memory.dmp	vmprotect

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
2408	Furios.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2408	Furios.exe
2408	Furios.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1428 wrote to memory of 2408	1428	9bdffeeb52015df1699b7b0f0aa03cf4.exe	28
PID 1428 wrote to memory of 2408	1428	9bdffeeb52015df1699b7b0f0aa03cf4.exe	28
PID 1428 wrote to memory of 2408	1428	9bdffeeb52015df1699b7b0f0aa03cf4.exe	28
PID 1428 wrote to memory of 2408	1428	9bdffeeb52015df1699b7b0f0aa03cf4.exe	28

C:\Users\Admin\AppData\Local\Temp\9bdffeeb52015df1699b7b0f0aa03cf4.exe
"C:\Users\Admin\AppData\Local\Temp\9bdffeeb52015df1699b7b0f0aa03cf4.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1428
- C:\Users\Admin\AppData\Local\Temp\Furios.exe
  "C:\Users\Admin\AppData\Local\Temp\Furios.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  PID:2408

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Furios.exe

Filesize
367KB

MD5
872e9aea7b62b7235c3554468d7cf777

SHA1
d3eb44184a1b04d04b0f3f6404360419b73405a3

SHA256
f1b5f9ec19a904d22cd796f0e47547e9c408cf7faeb15ccb76d24ad587c77e56

SHA512
216cf9b65822023828ecc0a16107fe9d3e5a32022ceeacfbaea9d51410b98ef160d5602af9cf712c7ac80c48d2bb48cee492512f37313c6554994fe8de2e8a3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Furios.exe

Filesize
365KB

MD5
273caeb949b96b957221d3deec990c38

SHA1
8b510a227480f3f1d149817e82bc35ae5d064672

SHA256
9c4b9ae3df3c72bd3e3a4ad5b0b800e116ab4b0b1d0dd0bd33eb1b80daf1fe12

SHA512
87773afc9a503ffcccdeb80240c98f5e31c36aaa99e6c9ce5bb3d6ede14ab596d09557fe9e7edb549ece519b6eba1bedb0a1fbebb247fad23a89663d709105b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Furios.exe

Filesize
1.9MB

MD5
ddd875cb5f990add95e0fdf4c6746020

SHA1
942ee8a43f51e0595e0943e0b101ce0b2010b915

SHA256
fb0aaad601b07844f94652f3af4e935be5c2ca515667c962ac623c0ee6076e0f

SHA512
829bb6ba8bd9016dea92907a688bd401e9aa6322adcd73e7c13796fbc9372ac7da3ae305b82f9edf03401649eb413767333500159766b39d1b328c3203013bfe

Download Submit
\Users\Admin\AppData\Local\Temp\Furios.exe

Filesize
385KB

MD5
7d808ed46e13d92dfb0aa54d910b931c

SHA1
4181e6d26fcc96df3c899c07615c9856a947ce36

SHA256
60762ebb147a22034f88378b1bae255c2bb7dc9f00d65a5f22ca9e6f98955a8e

SHA512
18fccafd683ac8012bccbbfc457fdaa109db2c38740e21c21f9dd3fbf70396191b455c1cf359599e47857518625b7adadc2c4440c12ff67277ff9b23f17ea532

Download Submit
\Users\Admin\AppData\Local\Temp\Furios.exe

Filesize
1.7MB

MD5
cc774377c065cf2e1dd47d5bf5e3beb9

SHA1
f0850522ae46f3f8eb89ddabb3fa91b967c32aa0

SHA256
dc8008b18dd663ced8773efa2fc2ed98973e209e794ca0eb726a796a2077a749

SHA512
4321a9bdddc7a8813d6cdaab68e8b57fb5d403493b209a2ab243e84bdf2f4095368cd62f497208609ae5abe59e8387eca9d4e9186048baf11696052acf9fd324

Download Submit
\Users\Admin\AppData\Local\Temp\Furios.exe

Filesize
1.2MB

MD5
4d19ab1484e98cb170e50f9bdc590cd6

SHA1
928768f326be44cd2ff9df19c05e947e622c3ec7

SHA256
bc7a11430594ef79f1e1ffef9d53ee903cfeffc5af57c40f716757611987c3af

SHA512
2e068a0faed45af936b7eca338d426d0ffa98046ac56459bd183c85dc2a6913dc245809701f1f7002e4ea944021f9e979141c401485962ee71cc2d59b1b2f3ac

Download Submit
memory/2408-32-0x0000000077810000-0x0000000077811000-memory.dmp

Filesize
4KB

Download
memory/2408-29-0x00000000000F0000-0x00000000000F1000-memory.dmp

Filesize
4KB

Download
memory/2408-19-0x0000000001230000-0x0000000001BF4000-memory.dmp

Filesize
9.8MB

Download
memory/2408-30-0x0000000001230000-0x0000000001BF4000-memory.dmp

Filesize
9.8MB

Download
memory/2408-27-0x00000000000F0000-0x00000000000F1000-memory.dmp

Filesize
4KB

Download
memory/2408-25-0x00000000000F0000-0x00000000000F1000-memory.dmp

Filesize
4KB

Download
memory/2408-24-0x00000000000E0000-0x00000000000E1000-memory.dmp

Filesize
4KB

Download
memory/2408-22-0x00000000000E0000-0x00000000000E1000-memory.dmp

Filesize
4KB

Download
memory/2408-20-0x00000000000E0000-0x00000000000E1000-memory.dmp

Filesize
4KB

Download
memory/2408-55-0x0000000001230000-0x0000000001BF4000-memory.dmp

Filesize
9.8MB

Download

Analysis

Sharing