pandastealer | f98599fb97f7bf78335f2be4b6e1d702dc2f2a5d3ae6ed3e5241d76f7d7a916d

Analysis

max time kernel
140s
max time network
159s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
19-01-2024 13:28

Target

67bb394e3f08886c8efcbb095326e668.exe
Size

1016KB
MD5

67bb394e3f08886c8efcbb095326e668
SHA1

985f91f46a51a1aba14fe54eff745c1297c95059
SHA256

f98599fb97f7bf78335f2be4b6e1d702dc2f2a5d3ae6ed3e5241d76f7d7a916d
SHA512

02810c59a1b13fb42dc08ab4f742866e53ef0f67af3e4c5dffb7726aa348552eb324dee0bf317b24b9725af12d69b1d6e5509f293f0e8150bc2eddf934c21d18
SSDEEP

24576:KqzOi5P5H/PPt06BU2YjaRYHIV+s/mjlZ:KqzOKR3y6u2BWk+ZjlZ

Score

10^/10

Panda Stealer payload 5 IoCs

resource	yara_rule
behavioral2/memory/1420-8-0x0000000000400000-0x0000000000481000-memory.dmp	family_pandastealer
behavioral2/memory/1420-9-0x0000000000400000-0x0000000000481000-memory.dmp	family_pandastealer
behavioral2/memory/1420-11-0x0000000000400000-0x0000000000481000-memory.dmp	family_pandastealer
behavioral2/memory/1420-14-0x0000000000400000-0x0000000000481000-memory.dmp	family_pandastealer
behavioral2/memory/1420-38-0x0000000000400000-0x0000000000481000-memory.dmp	family_pandastealer

PandaStealer
Panda Stealer is a fork of CollectorProject Stealer written in C++.
stealer pandastealer
Shurk
Shurk is an infostealer, written in C++ which appeared in 2021.
infostealer shurk

Shurk Stealer payload 5 IoCs

resource	yara_rule
behavioral2/memory/1420-8-0x0000000000400000-0x0000000000481000-memory.dmp	shurk_stealer
behavioral2/memory/1420-9-0x0000000000400000-0x0000000000481000-memory.dmp	shurk_stealer
behavioral2/memory/1420-11-0x0000000000400000-0x0000000000481000-memory.dmp	shurk_stealer
behavioral2/memory/1420-14-0x0000000000400000-0x0000000000481000-memory.dmp	shurk_stealer
behavioral2/memory/1420-38-0x0000000000400000-0x0000000000481000-memory.dmp	shurk_stealer

Obfuscated with Agile.Net obfuscator 1 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

resource	yara_rule
behavioral2/memory/2376-7-0x0000000005160000-0x0000000005170000-memory.dmp	agile_net

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2376 set thread context of 1420	2376	67bb394e3f08886c8efcbb095326e668.exe	96

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1420	AddInProcess32.exe
1420	AddInProcess32.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2376	67bb394e3f08886c8efcbb095326e668.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 2376 wrote to memory of 1420	2376	67bb394e3f08886c8efcbb095326e668.exe	96
PID 2376 wrote to memory of 1420	2376	67bb394e3f08886c8efcbb095326e668.exe	96
PID 2376 wrote to memory of 1420	2376	67bb394e3f08886c8efcbb095326e668.exe	96
PID 2376 wrote to memory of 1420	2376	67bb394e3f08886c8efcbb095326e668.exe	96
PID 2376 wrote to memory of 1420	2376	67bb394e3f08886c8efcbb095326e668.exe	96
PID 2376 wrote to memory of 1420	2376	67bb394e3f08886c8efcbb095326e668.exe	96
PID 2376 wrote to memory of 1420	2376	67bb394e3f08886c8efcbb095326e668.exe	96
PID 2376 wrote to memory of 1420	2376	67bb394e3f08886c8efcbb095326e668.exe	96
PID 2376 wrote to memory of 1420	2376	67bb394e3f08886c8efcbb095326e668.exe	96
PID 2376 wrote to memory of 1420	2376	67bb394e3f08886c8efcbb095326e668.exe	96

C:\Users\Admin\AppData\Local\Temp\67bb394e3f08886c8efcbb095326e668.exe
"C:\Users\Admin\AppData\Local\Temp\67bb394e3f08886c8efcbb095326e668.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2376
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1420

memory/1420-8-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1420-38-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1420-14-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1420-11-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1420-9-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2376-3-0x0000000005330000-0x00000000058D4000-memory.dmp

Filesize
5.6MB

Download
memory/2376-6-0x0000000074B00000-0x00000000752B0000-memory.dmp

Filesize
7.7MB

Download
memory/2376-7-0x0000000005160000-0x0000000005170000-memory.dmp

Filesize
64KB

Download
memory/2376-5-0x0000000005150000-0x000000000515A000-memory.dmp

Filesize
40KB

Download
memory/2376-4-0x0000000004E20000-0x0000000004E30000-memory.dmp

Filesize
64KB

Download
memory/2376-0-0x0000000074B00000-0x00000000752B0000-memory.dmp

Filesize
7.7MB

Download
memory/2376-12-0x0000000004E20000-0x0000000004E30000-memory.dmp

Filesize
64KB

Download
memory/2376-13-0x0000000074B00000-0x00000000752B0000-memory.dmp

Filesize
7.7MB

Download
memory/2376-2-0x0000000004C80000-0x0000000004D12000-memory.dmp

Filesize
584KB

Download
memory/2376-1-0x0000000000170000-0x0000000000272000-memory.dmp

Filesize
1.0MB

Download