pandastealer | 933a3b090613a423aa7f9486e5a779f57a967776d8b154a40c078e2bff33f526

Analysis

max time kernel
148s
max time network
148s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
25-03-2024 04:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ddos-reaper (2).7z
Size

1.2MB
MD5

359d6a3b91cafd2e9409d32b50e69feb
SHA1

401c0df087cd72461751b80f9800d22e5b2c5fe0
SHA256

933a3b090613a423aa7f9486e5a779f57a967776d8b154a40c078e2bff33f526
SHA512

ad6d54221e1b857b564be496cac3320bd30d197b87d5e3f6f9c24138f154bf051d178631417cd1726f9340d9b91ced19c159bf8f665defb9d77e2f155fd012bc
SSDEEP

24576:kS7p30yyt8cDQsemqxQkqOsnfY5uIXVzZxJwqlJWcoaQm:kS7p30y87DQCHi55VzZAqlJWhg

Score

10^/10

pandastealer phoenixstealer stealer

Malware Config

Signatures

Panda Stealer payload 5 IoCs

resource	yara_rule
behavioral1/memory/2184-81-0x0000000003500000-0x0000000003589000-memory.dmp	family_pandastealer
behavioral1/memory/1616-95-0x0000000000400000-0x000000000048D000-memory.dmp	family_pandastealer
behavioral1/memory/1616-105-0x0000000000400000-0x000000000048D000-memory.dmp	family_pandastealer
behavioral1/memory/2624-108-0x0000000003500000-0x0000000003589000-memory.dmp	family_pandastealer
behavioral1/memory/944-158-0x0000000003500000-0x0000000003589000-memory.dmp	family_pandastealer

PandaStealer
Panda Stealer is a fork of CollectorProject Stealer written in C++.
stealer pandastealer
PhoenixStealer
PhoenixStealer is an information stealer written in the C++, it sends the stolen information to cybercriminals.
stealer phoenixstealer

Executes dropped EXE 3 IoCs

pid	Process
2184	ddos-reaper.exe
2624	ddos-reaper.exe
944	ddos-reaper.exe

Loads dropped DLL 2 IoCs

pid	Process
944	ddos-reaper.exe
944	ddos-reaper.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2184 set thread context of 1616	2184	ddos-reaper.exe	32
PID 2624 set thread context of 624	2624	ddos-reaper.exe	35
PID 944 set thread context of 1748	944	ddos-reaper.exe	38

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2576	7zFM.exe
2576	7zFM.exe
1616	RegSvcs.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2576	7zFM.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeRestorePrivilege	2576	7zFM.exe
Token: 35	2576	7zFM.exe
Token: SeSecurityPrivilege	2576	7zFM.exe
Token: SeSecurityPrivilege	2576	7zFM.exe
Token: SeSecurityPrivilege	2576	7zFM.exe

Suspicious use of FindShellTrayWindow 5 IoCs

pid	Process
2576	7zFM.exe
2576	7zFM.exe
2576	7zFM.exe
2576	7zFM.exe
2576	7zFM.exe

Suspicious use of WriteProcessMemory 38 IoCs

description	pid	Process	procid_target
PID 2344 wrote to memory of 2576	2344	cmd.exe	29
PID 2344 wrote to memory of 2576	2344	cmd.exe	29
PID 2344 wrote to memory of 2576	2344	cmd.exe	29
PID 2576 wrote to memory of 2184	2576	7zFM.exe	30
PID 2576 wrote to memory of 2184	2576	7zFM.exe	30
PID 2576 wrote to memory of 2184	2576	7zFM.exe	30
PID 2576 wrote to memory of 2184	2576	7zFM.exe	30
PID 2576 wrote to memory of 2624	2576	7zFM.exe	31
PID 2576 wrote to memory of 2624	2576	7zFM.exe	31
PID 2576 wrote to memory of 2624	2576	7zFM.exe	31
PID 2576 wrote to memory of 2624	2576	7zFM.exe	31
PID 2184 wrote to memory of 1616	2184	ddos-reaper.exe	32
PID 2184 wrote to memory of 1616	2184	ddos-reaper.exe	32
PID 2184 wrote to memory of 1616	2184	ddos-reaper.exe	32
PID 2184 wrote to memory of 1616	2184	ddos-reaper.exe	32
PID 2184 wrote to memory of 1616	2184	ddos-reaper.exe	32
PID 2184 wrote to memory of 1616	2184	ddos-reaper.exe	32
PID 2184 wrote to memory of 1616	2184	ddos-reaper.exe	32
PID 2184 wrote to memory of 1616	2184	ddos-reaper.exe	32
PID 2184 wrote to memory of 1616	2184	ddos-reaper.exe	32
PID 2624 wrote to memory of 624	2624	ddos-reaper.exe	35
PID 2624 wrote to memory of 624	2624	ddos-reaper.exe	35
PID 2624 wrote to memory of 624	2624	ddos-reaper.exe	35
PID 2624 wrote to memory of 624	2624	ddos-reaper.exe	35
PID 2624 wrote to memory of 624	2624	ddos-reaper.exe	35
PID 2624 wrote to memory of 624	2624	ddos-reaper.exe	35
PID 2624 wrote to memory of 624	2624	ddos-reaper.exe	35
PID 2624 wrote to memory of 624	2624	ddos-reaper.exe	35
PID 2624 wrote to memory of 624	2624	ddos-reaper.exe	35
PID 944 wrote to memory of 1748	944	ddos-reaper.exe	38
PID 944 wrote to memory of 1748	944	ddos-reaper.exe	38
PID 944 wrote to memory of 1748	944	ddos-reaper.exe	38
PID 944 wrote to memory of 1748	944	ddos-reaper.exe	38
PID 944 wrote to memory of 1748	944	ddos-reaper.exe	38
PID 944 wrote to memory of 1748	944	ddos-reaper.exe	38
PID 944 wrote to memory of 1748	944	ddos-reaper.exe	38
PID 944 wrote to memory of 1748	944	ddos-reaper.exe	38
PID 944 wrote to memory of 1748	944	ddos-reaper.exe	38

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\ddos-reaper (2).7z"
1⤵
- Suspicious use of WriteProcessMemory
PID:2344
- C:\Program Files\7-Zip\7zFM.exe
  "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\ddos-reaper (2).7z"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2576
- - C:\Users\Admin\AppData\Local\Temp\7zO01AB8E16\ddos-reaper.exe
    "C:\Users\Admin\AppData\Local\Temp\7zO01AB8E16\ddos-reaper.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:2184
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1616
- - C:\Users\Admin\AppData\Local\Temp\7zO01A87FA6\ddos-reaper.exe
    "C:\Users\Admin\AppData\Local\Temp\7zO01A87FA6\ddos-reaper.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:2624
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      4⤵
      PID:624

C:\Users\Admin\Desktop\ddos-reaper\ddos-reaper.exe
"C:\Users\Admin\Desktop\ddos-reaper\ddos-reaper.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:944
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
  2⤵
  PID:1748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zO01AB8E16\ddos-reaper.exe

Filesize
1.2MB

MD5
dd20876bf25544aa55e0c3725103c666

SHA1
d00d689de9f35159188935d3bd93677c807ed655

SHA256
33e5d605c1c13a995d4a2d7cb9dca9facda4c97c1c7b41dc349cc756bfc0bd67

SHA512
8e88e8777717d203065144ce594e18f86048c83c83d06ef06f0255f42c0de1bfdb1da2faad2bb39da52a652eb4267af79a84d2822afb6e5e31e27899b70ab9fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO01AB8E16\ddos-reaper.exe

Filesize
938KB

MD5
efc58bf59658217c66218094b45dba17

SHA1
945d40c771cb2c9d780f4adece5f33ce47d798a4

SHA256
35a0e33e4fa16282c5a59be9ccc306a615439ad77e5fbdb3bd9fe8e317372806

SHA512
d59dd85372207f589167195d99eb75b938188b080a88db452d27bcf4142bca692bc3e6db5f2f88302886b4d87f20d666cda4ec7d01e67a15e70e6760da652ad1

Download Submit
C:\Users\Admin\Desktop\ddos-reaper\api-ms-win-crt-string-l1-1-0.dll

Filesize
17KB

MD5
f816666e3fc087cd24828943cb15f260

SHA1
eae814c9c41e3d333f43890ed7dafa3575e4c50e

SHA256
45e0835b1d3b446fe2c347bd87922c53cfb6dd826499e19a1d977bf4c11b0e4a

SHA512
6860abe8ab5220efb88f68b80e6c6e95fe35b4029f46b59bc467e3850fe671bda1c7c1c7b035b287bdfed5daeac879ee481d35330b153ea7ef2532970f62c581

Download Submit
\Users\Admin\Desktop\ddos-reaper\api-ms-win-crt-utility-l1-1-0.dll

Filesize
11KB

MD5
6f1a1dfb2761228ccc7d07b8b190054c

SHA1
117d66360c84a0088626e22d8b3b4b685cb70d56

SHA256
c81c4bba4e5f205359ad145963f6fbd074879047c66569f52b6d66711108e1ed

SHA512
480b4f9179d5da56010fa90e1937fe3a232f2f8682596c16eeaed08f57cf8cffeaa506060429501764f695cb6c5b3e56b0037de948c4d0e3933f022a0b4103d2

Download Submit
memory/944-153-0x00000000034E0000-0x00000000034E1000-memory.dmp

Filesize
4KB

Download
memory/944-151-0x0000000003500000-0x0000000003589000-memory.dmp

Filesize
548KB

Download
memory/944-158-0x0000000003500000-0x0000000003589000-memory.dmp

Filesize
548KB

Download
memory/944-156-0x00000000002A0000-0x0000000000300000-memory.dmp

Filesize
384KB

Download
memory/944-155-0x0000000000400000-0x0000000000832000-memory.dmp

Filesize
4.2MB

Download
memory/944-152-0x00000000034F0000-0x00000000034F1000-memory.dmp

Filesize
4KB

Download
memory/944-148-0x00000000034C0000-0x00000000034C1000-memory.dmp

Filesize
4KB

Download
memory/944-154-0x00000000034D0000-0x00000000034D1000-memory.dmp

Filesize
4KB

Download
memory/944-142-0x0000000000400000-0x0000000000832000-memory.dmp

Filesize
4.2MB

Download
memory/944-169-0x0000000000300000-0x0000000000400000-memory.dmp

Filesize
1024KB

Download
memory/944-146-0x00000000002A0000-0x0000000000300000-memory.dmp

Filesize
384KB

Download
memory/944-149-0x00000000034C0000-0x00000000034C1000-memory.dmp

Filesize
4KB

Download
memory/944-150-0x00000000034C0000-0x00000000034C1000-memory.dmp

Filesize
4KB

Download
memory/1616-95-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/1616-101-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1616-93-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/1616-105-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/2184-64-0x00000000034E0000-0x00000000034E1000-memory.dmp

Filesize
4KB

Download
memory/2184-46-0x00000000034B0000-0x00000000034B1000-memory.dmp

Filesize
4KB

Download
memory/2184-53-0x0000000000AF0000-0x0000000000AF1000-memory.dmp

Filesize
4KB

Download
memory/2184-52-0x00000000008A0000-0x00000000008A1000-memory.dmp

Filesize
4KB

Download
memory/2184-51-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/2184-50-0x0000000000860000-0x0000000000861000-memory.dmp

Filesize
4KB

Download
memory/2184-49-0x0000000000890000-0x0000000000891000-memory.dmp

Filesize
4KB

Download
memory/2184-48-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2184-47-0x0000000000840000-0x0000000000841000-memory.dmp

Filesize
4KB

Download
memory/2184-62-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2184-61-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2184-55-0x0000000002270000-0x0000000002271000-memory.dmp

Filesize
4KB

Download
memory/2184-63-0x00000000034F0000-0x00000000034F1000-memory.dmp

Filesize
4KB

Download
memory/2184-65-0x00000000034D0000-0x00000000034D1000-memory.dmp

Filesize
4KB

Download
memory/2184-66-0x00000000002F0000-0x00000000002F1000-memory.dmp

Filesize
4KB

Download
memory/2184-67-0x0000000000400000-0x0000000000832000-memory.dmp

Filesize
4.2MB

Download
memory/2184-68-0x0000000000350000-0x00000000003B0000-memory.dmp

Filesize
384KB

Download
memory/2184-81-0x0000000003500000-0x0000000003589000-memory.dmp

Filesize
548KB

Download
memory/2184-92-0x00000000008F0000-0x00000000009F0000-memory.dmp

Filesize
1024KB

Download
memory/2184-35-0x0000000000400000-0x0000000000832000-memory.dmp

Filesize
4.2MB

Download
memory/2184-38-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2184-39-0x0000000000340000-0x0000000000341000-memory.dmp

Filesize
4KB

Download
memory/2184-56-0x00000000008D0000-0x00000000008D1000-memory.dmp

Filesize
4KB

Download
memory/2184-36-0x0000000000350000-0x00000000003B0000-memory.dmp

Filesize
384KB

Download
memory/2184-40-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2184-42-0x0000000000310000-0x0000000000311000-memory.dmp

Filesize
4KB

Download
memory/2184-41-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/2184-43-0x00000000003B0000-0x00000000003B1000-memory.dmp

Filesize
4KB

Download
memory/2184-44-0x00000000034C0000-0x00000000034C1000-memory.dmp

Filesize
4KB

Download
memory/2184-45-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download
memory/2184-57-0x0000000000B10000-0x0000000000B11000-memory.dmp

Filesize
4KB

Download
memory/2184-58-0x0000000002260000-0x0000000002261000-memory.dmp

Filesize
4KB

Download
memory/2184-59-0x0000000000850000-0x0000000000851000-memory.dmp

Filesize
4KB

Download
memory/2184-60-0x0000000003500000-0x0000000003589000-memory.dmp

Filesize
548KB

Download
memory/2184-54-0x00000000008E0000-0x00000000008E1000-memory.dmp

Filesize
4KB

Download
memory/2624-115-0x0000000000990000-0x0000000000A90000-memory.dmp

Filesize
1024KB

Download
memory/2624-108-0x0000000003500000-0x0000000003589000-memory.dmp

Filesize
548KB

Download
memory/2624-106-0x0000000000400000-0x0000000000832000-memory.dmp

Filesize
4.2MB

Download
memory/2624-87-0x00000000034F0000-0x00000000034F1000-memory.dmp

Filesize
4KB

Download
memory/2624-88-0x00000000034E0000-0x00000000034E1000-memory.dmp

Filesize
4KB

Download
memory/2624-89-0x00000000034D0000-0x00000000034D1000-memory.dmp

Filesize
4KB

Download
memory/2624-86-0x0000000003500000-0x0000000003589000-memory.dmp

Filesize
548KB

Download
memory/2624-84-0x0000000000290000-0x00000000002F0000-memory.dmp

Filesize
384KB

Download
memory/2624-85-0x00000000034C0000-0x00000000034C1000-memory.dmp

Filesize
4KB

Download
memory/2624-83-0x0000000000400000-0x0000000000832000-memory.dmp

Filesize
4.2MB

Download