pandastealer | e0cc6ae1f2a402c12678c97f63f6e97cad35090ccca5c1a280a3beef0b716e88

General

Target

a58ba0338bc617fdc6e60f0a0c5ef655.exe
Size

1.4MB
MD5

a58ba0338bc617fdc6e60f0a0c5ef655
SHA1

9fab93502863d7e5e39778cdd613f258081638c3
SHA256

e0cc6ae1f2a402c12678c97f63f6e97cad35090ccca5c1a280a3beef0b716e88
SHA512

ee507c9b632c71e49c18c95b10d290dda456a0422fd1659fc41e6d2c58a5b82f1428f7d4d4190d961e81cc30b42e1444a17b52392a95f3c451bdc2b2eec8deff
SSDEEP

24576:qlc5i8jgFm3YKQbc4ib20TsTUyLo4H/hach1H2bF89lAZuBk4WIWV:qlc5wKMcjabE4THRlAmWIW

Score

10^/10

pandastealer spyware stealer

Malware Config

Extracted

Family

pandastealer

Version

1.11

C2

http://f0570666.xsph.ru

Signatures

Panda Stealer payload 4 IoCs

resource	yara_rule
behavioral1/memory/1616-33-0x00000000011B0000-0x00000000015C6000-memory.dmp	family_pandastealer
behavioral1/memory/1616-34-0x00000000011B0000-0x00000000015C6000-memory.dmp	family_pandastealer
behavioral1/memory/1616-35-0x00000000011B0000-0x00000000015C6000-memory.dmp	family_pandastealer
behavioral1/memory/1616-40-0x00000000011B0000-0x00000000015C6000-memory.dmp	family_pandastealer

PandaStealer
Panda Stealer is a fork of CollectorProject Stealer written in C++.
stealer pandastealer

Executes dropped EXE 1 IoCs

pid	Process
1616	build_protected.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

pid	Process
1616	build_protected.exe
1616	build_protected.exe
1616	build_protected.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1616	build_protected.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1616	build_protected.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2772 wrote to memory of 1616	2772	a58ba0338bc617fdc6e60f0a0c5ef655.exe	28
PID 2772 wrote to memory of 1616	2772	a58ba0338bc617fdc6e60f0a0c5ef655.exe	28
PID 2772 wrote to memory of 1616	2772	a58ba0338bc617fdc6e60f0a0c5ef655.exe	28
PID 2772 wrote to memory of 1616	2772	a58ba0338bc617fdc6e60f0a0c5ef655.exe	28

C:\Users\Admin\AppData\Local\Temp\a58ba0338bc617fdc6e60f0a0c5ef655.exe
"C:\Users\Admin\AppData\Local\Temp\a58ba0338bc617fdc6e60f0a0c5ef655.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2772
- C:\Users\Admin\AppData\Local\Temp\build_protected.exe
  "C:\Users\Admin\AppData\Local\Temp\build_protected.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:1616

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\build_protected.exe

Filesize
463KB

MD5
e4105c1123a03f1129581ebb73d654f1

SHA1
419c7112bebff16b371e46903555b880b8c3a472

SHA256
d45fb4636b3a34a9caf096ea01cf71cd9f31542c7e0630a408b43586bc0d8f9d

SHA512
8830c9a1df0b0393c44929ac55b42937102172021ea88cb4ab7507e5ceca9d5613387ac1c8fa389bf65851a62e3cc43d05e62b36f7e789b6be2a26e35d77722f

Download Submit
C:\Users\Admin\AppData\Local\Temp\build_protected.exe

Filesize
594KB

MD5
97ecd8350f52dccff5736e034267a11f

SHA1
dcf43392772c0a80ef297688222beaeadf304942

SHA256
c27e99767cedf120bb0df7500bc70045c378c6ed85bc6d18946fe3bee3813036

SHA512
d0307119d501763dc3f4cfbac0af9bf4cb8b036f19a50fbbd6c45570b616eeeb6b346de811ce9d75e7e81b61b0968f2b31dbe22dd75694f1c387b74e037d35a4

Download Submit
\??\c:\users\admin\appdata\local\temp\build_protected.exe

Filesize
271KB

MD5
34f1055468ee817a259b5b822c65f7ab

SHA1
a0c2825de7f67c221823b48682d233a29914bd0e

SHA256
797832ced7ee49a9c04d9dfb68cde33cff9fbae4e2761b92a0f41ec31875c6fa

SHA512
e59731d34c35c7da4c785fb8290f67cfe60fa6306935b359d0a1462045984dcf920548ea7eb307747ed2f971e0c79cacde0c30cf678eff05a1ac4103b8662fe5

Download Submit
memory/1616-11-0x00000000011B0000-0x00000000015C6000-memory.dmp

Filesize
4.1MB

Download
memory/1616-12-0x00000000011B0000-0x00000000015C6000-memory.dmp

Filesize
4.1MB

Download
memory/1616-14-0x00000000011B0000-0x00000000015C6000-memory.dmp

Filesize
4.1MB

Download
memory/1616-33-0x00000000011B0000-0x00000000015C6000-memory.dmp

Filesize
4.1MB

Download
memory/1616-34-0x00000000011B0000-0x00000000015C6000-memory.dmp

Filesize
4.1MB

Download
memory/1616-35-0x00000000011B0000-0x00000000015C6000-memory.dmp

Filesize
4.1MB

Download
memory/1616-40-0x00000000011B0000-0x00000000015C6000-memory.dmp

Filesize
4.1MB

Download
memory/2772-2-0x000000001B3D0000-0x000000001B450000-memory.dmp

Filesize
512KB

Download
memory/2772-1-0x000007FEF5C40000-0x000007FEF662C000-memory.dmp

Filesize
9.9MB

Download
memory/2772-13-0x000007FEF5C40000-0x000007FEF662C000-memory.dmp

Filesize
9.9MB

Download
memory/2772-0-0x00000000013A0000-0x0000000001510000-memory.dmp

Filesize
1.4MB

Download

Analysis

Sharing