Malware Analysis Report

2024-09-22 15:32

Sample ID 240318-q3xt2sah4y
Target d3aae7eeb8c80b9c78f822f247971f0c
SHA256 789ed5dea5048cc4f14f02c36e137a95781b5ae4b167e0c3822cff4f3c98ac01
Tags
pandastealer spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

789ed5dea5048cc4f14f02c36e137a95781b5ae4b167e0c3822cff4f3c98ac01

Threat Level: Known bad

The file d3aae7eeb8c80b9c78f822f247971f0c was found to be: Known bad.

Malicious Activity Summary

pandastealer spyware stealer

Panda Stealer payload

Pandastealer family

PandaStealer

Deletes itself

Reads user/profile data of web browsers

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-03-18 13:47

Signatures

Panda Stealer payload

Description Indicator Process Target
N/A N/A N/A N/A

Pandastealer family

pandastealer

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-18 13:47

Reported

2024-03-18 13:50

Platform

win10v2004-20231215-en

Max time kernel

130s

Max time network

133s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d3aae7eeb8c80b9c78f822f247971f0c.exe"

Signatures

PandaStealer

stealer pandastealer

Reads user/profile data of web browsers

spyware stealer

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\d3aae7eeb8c80b9c78f822f247971f0c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d3aae7eeb8c80b9c78f822f247971f0c.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\d3aae7eeb8c80b9c78f822f247971f0c.exe

"C:\Users\Admin\AppData\Local\Temp\d3aae7eeb8c80b9c78f822f247971f0c.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C Del /f /q "C:\Users\Admin\AppData\Local\Temp\d3aae7eeb8c80b9c78f822f247971f0c.exe"

Network

Country Destination Domain Proto
NL 52.142.223.178:80 tcp
US 8.8.8.8:53 collector-node.us udp
US 8.8.8.8:53 collector-steal.ga udp
US 8.8.8.8:53 19.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 81.171.91.138.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-18 13:47

Reported

2024-03-18 13:50

Platform

win7-20240221-en

Max time kernel

122s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d3aae7eeb8c80b9c78f822f247971f0c.exe"

Signatures

PandaStealer

stealer pandastealer

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Reads user/profile data of web browsers

spyware stealer

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\d3aae7eeb8c80b9c78f822f247971f0c.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\d3aae7eeb8c80b9c78f822f247971f0c.exe

"C:\Users\Admin\AppData\Local\Temp\d3aae7eeb8c80b9c78f822f247971f0c.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C Del /f /q "C:\Users\Admin\AppData\Local\Temp\d3aae7eeb8c80b9c78f822f247971f0c.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 collector-node.us udp
US 8.8.8.8:53 collector-steal.ga udp

Files

N/A