pandastealer | 933a3b090613a423aa7f9486e5a779f57a967776d8b154a40c078e2bff33f526

General

Target

ddos-reaper (2).7z
Size

1.2MB
MD5

359d6a3b91cafd2e9409d32b50e69feb
SHA1

401c0df087cd72461751b80f9800d22e5b2c5fe0
SHA256

933a3b090613a423aa7f9486e5a779f57a967776d8b154a40c078e2bff33f526
SHA512

ad6d54221e1b857b564be496cac3320bd30d197b87d5e3f6f9c24138f154bf051d178631417cd1726f9340d9b91ced19c159bf8f665defb9d77e2f155fd012bc
SSDEEP

24576:kS7p30yyt8cDQsemqxQkqOsnfY5uIXVzZxJwqlJWcoaQm:kS7p30y87DQCHi55VzZAqlJWhg

Score

10^/10

pandastealer phoenixstealer stealer

Malware Config

Signatures

Panda Stealer payload 5 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2184-81-0x0000000003500000-0x0000000003589000-memory.dmp	family_pandastealer
behavioral1/memory/1616-95-0x0000000000400000-0x000000000048D000-memory.dmp	family_pandastealer
behavioral1/memory/1616-105-0x0000000000400000-0x000000000048D000-memory.dmp	family_pandastealer
behavioral1/memory/2624-108-0x0000000003500000-0x0000000003589000-memory.dmp	family_pandastealer
behavioral1/memory/944-158-0x0000000003500000-0x0000000003589000-memory.dmp	family_pandastealer

PandaStealer
Panda Stealer is a fork of CollectorProject Stealer written in C++.
stealer pandastealer
PhoenixStealer
PhoenixStealer is an information stealer written in the C++, it sends the stolen information to cybercriminals.
stealer phoenixstealer
Executes dropped EXE 3 IoCs

Processes:

ddos-reaper.exeddos-reaper.exeddos-reaper.exe

pid process

2184 ddos-reaper.exe
2624 ddos-reaper.exe
944 ddos-reaper.exe
Loads dropped DLL 2 IoCs

Processes:

ddos-reaper.exe

pid process

944 ddos-reaper.exe
944 ddos-reaper.exe

pid	process
2184	ddos-reaper.exe
2624	ddos-reaper.exe
944	ddos-reaper.exe

pid	process
944	ddos-reaper.exe
944	ddos-reaper.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

ddos-reaper.exeddos-reaper.exeddos-reaper.exe

description	pid	process	target process
PID 2184 set thread context of 1616	2184	ddos-reaper.exe	RegSvcs.exe
PID 2624 set thread context of 624	2624	ddos-reaper.exe	RegSvcs.exe
PID 944 set thread context of 1748	944	ddos-reaper.exe	RegSvcs.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

7zFM.exeRegSvcs.exe

pid process

2576 7zFM.exe
2576 7zFM.exe
1616 RegSvcs.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

7zFM.exe

pid process

2576 7zFM.exe

pid	process
2576	7zFM.exe
2576	7zFM.exe
1616	RegSvcs.exe

pid	process
2576	7zFM.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

7zFM.exe

description	pid	process
Token: SeRestorePrivilege	2576	7zFM.exe
Token: 35	2576	7zFM.exe
Token: SeSecurityPrivilege	2576	7zFM.exe
Token: SeSecurityPrivilege	2576	7zFM.exe
Token: SeSecurityPrivilege	2576	7zFM.exe

Suspicious use of FindShellTrayWindow 5 IoCs

Processes:

7zFM.exe

pid process

2576 7zFM.exe
2576 7zFM.exe
2576 7zFM.exe
2576 7zFM.exe
2576 7zFM.exe

pid	process
2576	7zFM.exe
2576	7zFM.exe
2576	7zFM.exe
2576	7zFM.exe
2576	7zFM.exe

Suspicious use of WriteProcessMemory 38 IoCs

Processes:

cmd.exe7zFM.exeddos-reaper.exeddos-reaper.exeddos-reaper.exe

description	pid	process	target process
PID 2344 wrote to memory of 2576	2344	cmd.exe	7zFM.exe
PID 2344 wrote to memory of 2576	2344	cmd.exe	7zFM.exe
PID 2344 wrote to memory of 2576	2344	cmd.exe	7zFM.exe
PID 2576 wrote to memory of 2184	2576	7zFM.exe	ddos-reaper.exe
PID 2576 wrote to memory of 2184	2576	7zFM.exe	ddos-reaper.exe
PID 2576 wrote to memory of 2184	2576	7zFM.exe	ddos-reaper.exe
PID 2576 wrote to memory of 2184	2576	7zFM.exe	ddos-reaper.exe
PID 2576 wrote to memory of 2624	2576	7zFM.exe	ddos-reaper.exe
PID 2576 wrote to memory of 2624	2576	7zFM.exe	ddos-reaper.exe
PID 2576 wrote to memory of 2624	2576	7zFM.exe	ddos-reaper.exe
PID 2576 wrote to memory of 2624	2576	7zFM.exe	ddos-reaper.exe
PID 2184 wrote to memory of 1616	2184	ddos-reaper.exe	RegSvcs.exe
PID 2184 wrote to memory of 1616	2184	ddos-reaper.exe	RegSvcs.exe
PID 2184 wrote to memory of 1616	2184	ddos-reaper.exe	RegSvcs.exe
PID 2184 wrote to memory of 1616	2184	ddos-reaper.exe	RegSvcs.exe
PID 2184 wrote to memory of 1616	2184	ddos-reaper.exe	RegSvcs.exe
PID 2184 wrote to memory of 1616	2184	ddos-reaper.exe	RegSvcs.exe
PID 2184 wrote to memory of 1616	2184	ddos-reaper.exe	RegSvcs.exe
PID 2184 wrote to memory of 1616	2184	ddos-reaper.exe	RegSvcs.exe
PID 2184 wrote to memory of 1616	2184	ddos-reaper.exe	RegSvcs.exe
PID 2624 wrote to memory of 624	2624	ddos-reaper.exe	RegSvcs.exe
PID 2624 wrote to memory of 624	2624	ddos-reaper.exe	RegSvcs.exe
PID 2624 wrote to memory of 624	2624	ddos-reaper.exe	RegSvcs.exe
PID 2624 wrote to memory of 624	2624	ddos-reaper.exe	RegSvcs.exe
PID 2624 wrote to memory of 624	2624	ddos-reaper.exe	RegSvcs.exe
PID 2624 wrote to memory of 624	2624	ddos-reaper.exe	RegSvcs.exe
PID 2624 wrote to memory of 624	2624	ddos-reaper.exe	RegSvcs.exe
PID 2624 wrote to memory of 624	2624	ddos-reaper.exe	RegSvcs.exe
PID 2624 wrote to memory of 624	2624	ddos-reaper.exe	RegSvcs.exe
PID 944 wrote to memory of 1748	944	ddos-reaper.exe	RegSvcs.exe
PID 944 wrote to memory of 1748	944	ddos-reaper.exe	RegSvcs.exe
PID 944 wrote to memory of 1748	944	ddos-reaper.exe	RegSvcs.exe
PID 944 wrote to memory of 1748	944	ddos-reaper.exe	RegSvcs.exe
PID 944 wrote to memory of 1748	944	ddos-reaper.exe	RegSvcs.exe
PID 944 wrote to memory of 1748	944	ddos-reaper.exe	RegSvcs.exe
PID 944 wrote to memory of 1748	944	ddos-reaper.exe	RegSvcs.exe
PID 944 wrote to memory of 1748	944	ddos-reaper.exe	RegSvcs.exe
PID 944 wrote to memory of 1748	944	ddos-reaper.exe	RegSvcs.exe

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\ddos-reaper (2).7z"
1⤵
- Suspicious use of WriteProcessMemory
PID:2344

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\ddos-reaper (2).7z"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2576

C:\Users\Admin\AppData\Local\Temp\7zO01AB8E16\ddos-reaper.exe
"C:\Users\Admin\AppData\Local\Temp\7zO01AB8E16\ddos-reaper.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2184

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:1616

C:\Users\Admin\AppData\Local\Temp\7zO01A87FA6\ddos-reaper.exe
"C:\Users\Admin\AppData\Local\Temp\7zO01A87FA6\ddos-reaper.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2624

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
4⤵
PID:624

C:\Users\Admin\Desktop\ddos-reaper\ddos-reaper.exe
"C:\Users\Admin\Desktop\ddos-reaper\ddos-reaper.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:944

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
2⤵
PID:1748

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zO01AB8E16\ddos-reaper.exe
Filesize
1.2MB

MD5
dd20876bf25544aa55e0c3725103c666

SHA1
d00d689de9f35159188935d3bd93677c807ed655

SHA256
33e5d605c1c13a995d4a2d7cb9dca9facda4c97c1c7b41dc349cc756bfc0bd67

SHA512
8e88e8777717d203065144ce594e18f86048c83c83d06ef06f0255f42c0de1bfdb1da2faad2bb39da52a652eb4267af79a84d2822afb6e5e31e27899b70ab9fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO01AB8E16\ddos-reaper.exe
Filesize
938KB

MD5
efc58bf59658217c66218094b45dba17

SHA1
945d40c771cb2c9d780f4adece5f33ce47d798a4

SHA256
35a0e33e4fa16282c5a59be9ccc306a615439ad77e5fbdb3bd9fe8e317372806

SHA512
d59dd85372207f589167195d99eb75b938188b080a88db452d27bcf4142bca692bc3e6db5f2f88302886b4d87f20d666cda4ec7d01e67a15e70e6760da652ad1

Download Submit
C:\Users\Admin\Desktop\ddos-reaper\api-ms-win-crt-string-l1-1-0.dll
Filesize
17KB

MD5
f816666e3fc087cd24828943cb15f260

SHA1
eae814c9c41e3d333f43890ed7dafa3575e4c50e

SHA256
45e0835b1d3b446fe2c347bd87922c53cfb6dd826499e19a1d977bf4c11b0e4a

SHA512
6860abe8ab5220efb88f68b80e6c6e95fe35b4029f46b59bc467e3850fe671bda1c7c1c7b035b287bdfed5daeac879ee481d35330b153ea7ef2532970f62c581

Download Submit
\Users\Admin\Desktop\ddos-reaper\api-ms-win-crt-utility-l1-1-0.dll
Filesize
11KB

MD5
6f1a1dfb2761228ccc7d07b8b190054c

SHA1
117d66360c84a0088626e22d8b3b4b685cb70d56

SHA256
c81c4bba4e5f205359ad145963f6fbd074879047c66569f52b6d66711108e1ed

SHA512
480b4f9179d5da56010fa90e1937fe3a232f2f8682596c16eeaed08f57cf8cffeaa506060429501764f695cb6c5b3e56b0037de948c4d0e3933f022a0b4103d2

Download Submit
memory/944-153-0x00000000034E0000-0x00000000034E1000-memory.dmp

Filesize
4KB

Download
memory/944-151-0x0000000003500000-0x0000000003589000-memory.dmp

Filesize
548KB

Download
memory/944-158-0x0000000003500000-0x0000000003589000-memory.dmp

Filesize
548KB

Download
memory/944-156-0x00000000002A0000-0x0000000000300000-memory.dmp

Filesize
384KB

Download
memory/944-155-0x0000000000400000-0x0000000000832000-memory.dmp

Filesize
4.2MB

Download
memory/944-152-0x00000000034F0000-0x00000000034F1000-memory.dmp

Filesize
4KB

Download
memory/944-148-0x00000000034C0000-0x00000000034C1000-memory.dmp

Filesize
4KB

Download
memory/944-154-0x00000000034D0000-0x00000000034D1000-memory.dmp

Filesize
4KB

Download
memory/944-142-0x0000000000400000-0x0000000000832000-memory.dmp

Filesize
4.2MB

Download
memory/944-169-0x0000000000300000-0x0000000000400000-memory.dmp

Filesize
1024KB

Download
memory/944-146-0x00000000002A0000-0x0000000000300000-memory.dmp

Filesize
384KB

Download
memory/944-149-0x00000000034C0000-0x00000000034C1000-memory.dmp

Filesize
4KB

Download
memory/944-150-0x00000000034C0000-0x00000000034C1000-memory.dmp

Filesize
4KB

Download
memory/1616-95-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/1616-101-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1616-93-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/1616-105-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/2184-64-0x00000000034E0000-0x00000000034E1000-memory.dmp

Filesize
4KB

Download
memory/2184-46-0x00000000034B0000-0x00000000034B1000-memory.dmp

Filesize
4KB

Download
memory/2184-53-0x0000000000AF0000-0x0000000000AF1000-memory.dmp

Filesize
4KB

Download
memory/2184-52-0x00000000008A0000-0x00000000008A1000-memory.dmp

Filesize
4KB

Download
memory/2184-51-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/2184-50-0x0000000000860000-0x0000000000861000-memory.dmp

Filesize
4KB

Download
memory/2184-49-0x0000000000890000-0x0000000000891000-memory.dmp

Filesize
4KB

Download
memory/2184-48-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2184-47-0x0000000000840000-0x0000000000841000-memory.dmp

Filesize
4KB

Download
memory/2184-62-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2184-61-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2184-55-0x0000000002270000-0x0000000002271000-memory.dmp

Filesize
4KB

Download
memory/2184-63-0x00000000034F0000-0x00000000034F1000-memory.dmp

Filesize
4KB

Download
memory/2184-65-0x00000000034D0000-0x00000000034D1000-memory.dmp

Filesize
4KB

Download
memory/2184-66-0x00000000002F0000-0x00000000002F1000-memory.dmp

Filesize
4KB

Download
memory/2184-67-0x0000000000400000-0x0000000000832000-memory.dmp

Filesize
4.2MB

Download
memory/2184-68-0x0000000000350000-0x00000000003B0000-memory.dmp

Filesize
384KB

Download
memory/2184-81-0x0000000003500000-0x0000000003589000-memory.dmp

Filesize
548KB

Download
memory/2184-92-0x00000000008F0000-0x00000000009F0000-memory.dmp

Filesize
1024KB

Download
memory/2184-35-0x0000000000400000-0x0000000000832000-memory.dmp

Filesize
4.2MB

Download
memory/2184-38-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2184-39-0x0000000000340000-0x0000000000341000-memory.dmp

Filesize
4KB

Download
memory/2184-56-0x00000000008D0000-0x00000000008D1000-memory.dmp

Filesize
4KB

Download
memory/2184-36-0x0000000000350000-0x00000000003B0000-memory.dmp

Filesize
384KB

Download
memory/2184-40-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2184-42-0x0000000000310000-0x0000000000311000-memory.dmp

Filesize
4KB

Download
memory/2184-41-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/2184-43-0x00000000003B0000-0x00000000003B1000-memory.dmp

Filesize
4KB

Download
memory/2184-44-0x00000000034C0000-0x00000000034C1000-memory.dmp

Filesize
4KB

Download
memory/2184-45-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download
memory/2184-57-0x0000000000B10000-0x0000000000B11000-memory.dmp

Filesize
4KB

Download
memory/2184-58-0x0000000002260000-0x0000000002261000-memory.dmp

Filesize
4KB

Download
memory/2184-59-0x0000000000850000-0x0000000000851000-memory.dmp

Filesize
4KB

Download
memory/2184-60-0x0000000003500000-0x0000000003589000-memory.dmp

Filesize
548KB

Download
memory/2184-54-0x00000000008E0000-0x00000000008E1000-memory.dmp

Filesize
4KB

Download
memory/2624-115-0x0000000000990000-0x0000000000A90000-memory.dmp

Filesize
1024KB

Download
memory/2624-108-0x0000000003500000-0x0000000003589000-memory.dmp

Filesize
548KB

Download
memory/2624-106-0x0000000000400000-0x0000000000832000-memory.dmp

Filesize
4.2MB

Download
memory/2624-87-0x00000000034F0000-0x00000000034F1000-memory.dmp

Filesize
4KB

Download
memory/2624-88-0x00000000034E0000-0x00000000034E1000-memory.dmp

Filesize
4KB

Download
memory/2624-89-0x00000000034D0000-0x00000000034D1000-memory.dmp

Filesize
4KB

Download
memory/2624-86-0x0000000003500000-0x0000000003589000-memory.dmp

Filesize
548KB

Download
memory/2624-84-0x0000000000290000-0x00000000002F0000-memory.dmp

Filesize
384KB

Download
memory/2624-85-0x00000000034C0000-0x00000000034C1000-memory.dmp

Filesize
4KB

Download
memory/2624-83-0x0000000000400000-0x0000000000832000-memory.dmp

Filesize
4.2MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads