pandastealer | 933a3b090613a423aa7f9486e5a779f57a967776d8b154a40c078e2bff33f526

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
25-03-2024 04:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ddos-reaper (2).7z
Size

1.2MB
MD5

359d6a3b91cafd2e9409d32b50e69feb
SHA1

401c0df087cd72461751b80f9800d22e5b2c5fe0
SHA256

933a3b090613a423aa7f9486e5a779f57a967776d8b154a40c078e2bff33f526
SHA512

ad6d54221e1b857b564be496cac3320bd30d197b87d5e3f6f9c24138f154bf051d178631417cd1726f9340d9b91ced19c159bf8f665defb9d77e2f155fd012bc
SSDEEP

24576:kS7p30yyt8cDQsemqxQkqOsnfY5uIXVzZxJwqlJWcoaQm:kS7p30y87DQCHi55VzZAqlJWhg

Score

10^/10

pandastealer phoenixstealer stealer

Malware Config

Signatures

Panda Stealer payload 5 IoCs

resource	yara_rule
behavioral2/memory/2468-130-0x0000000000400000-0x000000000048D000-memory.dmp	family_pandastealer
behavioral2/memory/2468-139-0x0000000000400000-0x000000000048D000-memory.dmp	family_pandastealer
behavioral2/memory/3360-279-0x0000000000700000-0x000000000078D000-memory.dmp	family_pandastealer
behavioral2/memory/3360-288-0x0000000000700000-0x000000000078D000-memory.dmp	family_pandastealer
behavioral2/memory/3040-353-0x0000000000400000-0x000000000048D000-memory.dmp	family_pandastealer

PandaStealer
Panda Stealer is a fork of CollectorProject Stealer written in C++.
stealer pandastealer
PhoenixStealer
PhoenixStealer is an information stealer written in the C++, it sends the stolen information to cybercriminals.
stealer phoenixstealer

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	cmd.exe

Executes dropped EXE 3 IoCs

pid	Process
696	ddos-reaper.exe
8	ddos-reaper.exe
4868	ddos-reaper.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 696 set thread context of 2468	696	ddos-reaper.exe	111
PID 8 set thread context of 3360	8	ddos-reaper.exe	119
PID 4868 set thread context of 3040	4868	ddos-reaper.exe	125

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 3 IoCs

pid	pid_target	Process	procid_target
4316	696	WerFault.exe	105
3404	8	WerFault.exe	116
4680	4868	WerFault.exe	118

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings	cmd.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2468	RegSvcs.exe
2468	RegSvcs.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1780	7zFM.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeRestorePrivilege	1780	7zFM.exe
Token: 35	1780	7zFM.exe
Token: SeSecurityPrivilege	1780	7zFM.exe
Token: SeSecurityPrivilege	1780	7zFM.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
1780	7zFM.exe
1780	7zFM.exe
1780	7zFM.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 4128 wrote to memory of 1780	4128	cmd.exe	92
PID 4128 wrote to memory of 1780	4128	cmd.exe	92
PID 1780 wrote to memory of 696	1780	7zFM.exe	105
PID 1780 wrote to memory of 696	1780	7zFM.exe	105
PID 1780 wrote to memory of 696	1780	7zFM.exe	105
PID 696 wrote to memory of 2468	696	ddos-reaper.exe	111
PID 696 wrote to memory of 2468	696	ddos-reaper.exe	111
PID 696 wrote to memory of 2468	696	ddos-reaper.exe	111
PID 696 wrote to memory of 2468	696	ddos-reaper.exe	111
PID 696 wrote to memory of 2468	696	ddos-reaper.exe	111
PID 8 wrote to memory of 3360	8	ddos-reaper.exe	119
PID 8 wrote to memory of 3360	8	ddos-reaper.exe	119
PID 8 wrote to memory of 3360	8	ddos-reaper.exe	119
PID 8 wrote to memory of 3360	8	ddos-reaper.exe	119
PID 8 wrote to memory of 3360	8	ddos-reaper.exe	119
PID 4868 wrote to memory of 3040	4868	ddos-reaper.exe	125
PID 4868 wrote to memory of 3040	4868	ddos-reaper.exe	125
PID 4868 wrote to memory of 3040	4868	ddos-reaper.exe	125
PID 4868 wrote to memory of 3040	4868	ddos-reaper.exe	125
PID 4868 wrote to memory of 3040	4868	ddos-reaper.exe	125

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\ddos-reaper (2).7z"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4128
- C:\Program Files\7-Zip\7zFM.exe
  "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\ddos-reaper (2).7z"
  2⤵
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:1780
- - C:\Users\Admin\AppData\Local\Temp\7zO4F63ABB7\ddos-reaper.exe
    "C:\Users\Admin\AppData\Local\Temp\7zO4F63ABB7\ddos-reaper.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:696
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2468
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 696 -s 440
      4⤵
      Program crash
      PID:4316

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 696 -ip 696
1⤵
PID:4460

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3712

C:\Users\Admin\Desktop\ddos-reaper\ddos-reaper.exe
"C:\Users\Admin\Desktop\ddos-reaper\ddos-reaper.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:8
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
  2⤵
  PID:3360
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 8 -s 440
  2⤵
  - Program crash
  PID:3404

C:\Users\Admin\Desktop\ddos-reaper\ddos-reaper.exe
"C:\Users\Admin\Desktop\ddos-reaper\ddos-reaper.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4868
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
  2⤵
  PID:3040
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4868 -s 412
  2⤵
  - Program crash
  PID:4680

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 8 -ip 8
1⤵
PID:2784

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4868 -ip 4868
1⤵
PID:1692

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zO4F63ABB7\ddos-reaper.exe

Filesize
1.2MB

MD5
dd20876bf25544aa55e0c3725103c666

SHA1
d00d689de9f35159188935d3bd93677c807ed655

SHA256
33e5d605c1c13a995d4a2d7cb9dca9facda4c97c1c7b41dc349cc756bfc0bd67

SHA512
8e88e8777717d203065144ce594e18f86048c83c83d06ef06f0255f42c0de1bfdb1da2faad2bb39da52a652eb4267af79a84d2822afb6e5e31e27899b70ab9fc

Download Submit
C:\Users\Admin\Desktop\ddos-reaper\headers.txt

Filesize
226B

MD5
d96df362a721b7f2e5069f282231d008

SHA1
66506f444bcf6a3b0ab1d790598e64997f56a349

SHA256
8b834227d25fd9777362c074d3184c480f3ca1c51ac287c84097bb90ff1b9346

SHA512
121de04f3f8b4e34046e780605303508948e381e909b6cda5bc8cad61859ffc5ea0a82e700c3550b35aff88bcad699ab9c3266c1b4bb4daff36ff5bef11e302b

Download Submit
memory/8-197-0x0000000000400000-0x0000000000832000-memory.dmp

Filesize
4.2MB

Download
memory/696-11-0x0000000000400000-0x0000000000832000-memory.dmp

Filesize
4.2MB

Download
memory/696-13-0x00000000025F0000-0x0000000002650000-memory.dmp

Filesize
384KB

Download
memory/696-14-0x0000000002770000-0x0000000002771000-memory.dmp

Filesize
4KB

Download
memory/696-15-0x0000000002760000-0x0000000002761000-memory.dmp

Filesize
4KB

Download
memory/696-16-0x00000000027D0000-0x00000000027D1000-memory.dmp

Filesize
4KB

Download
memory/696-17-0x0000000002750000-0x0000000002751000-memory.dmp

Filesize
4KB

Download
memory/696-18-0x00000000027F0000-0x00000000027F1000-memory.dmp

Filesize
4KB

Download
memory/696-19-0x00000000027A0000-0x00000000027A1000-memory.dmp

Filesize
4KB

Download
memory/696-20-0x00000000027E0000-0x00000000027E1000-memory.dmp

Filesize
4KB

Download
memory/696-21-0x0000000003760000-0x0000000003761000-memory.dmp

Filesize
4KB

Download
memory/696-22-0x00000000027C0000-0x00000000027C1000-memory.dmp

Filesize
4KB

Download
memory/696-26-0x0000000002880000-0x0000000002881000-memory.dmp

Filesize
4KB

Download
memory/696-27-0x0000000002850000-0x0000000002851000-memory.dmp

Filesize
4KB

Download
memory/696-25-0x0000000002820000-0x0000000002821000-memory.dmp

Filesize
4KB

Download
memory/696-28-0x0000000002810000-0x0000000002811000-memory.dmp

Filesize
4KB

Download
memory/696-24-0x0000000002830000-0x0000000002831000-memory.dmp

Filesize
4KB

Download
memory/696-23-0x0000000003750000-0x0000000003751000-memory.dmp

Filesize
4KB

Download
memory/696-29-0x0000000002890000-0x0000000002891000-memory.dmp

Filesize
4KB

Download
memory/696-30-0x00000000028F0000-0x00000000028F1000-memory.dmp

Filesize
4KB

Download
memory/696-31-0x00000000028E0000-0x00000000028E1000-memory.dmp

Filesize
4KB

Download
memory/696-33-0x0000000002910000-0x0000000002911000-memory.dmp

Filesize
4KB

Download
memory/696-32-0x00000000028D0000-0x00000000028D1000-memory.dmp

Filesize
4KB

Download
memory/696-34-0x0000000002930000-0x0000000002931000-memory.dmp

Filesize
4KB

Download
memory/696-35-0x0000000002840000-0x0000000002841000-memory.dmp

Filesize
4KB

Download
memory/696-36-0x00000000037A0000-0x0000000003830000-memory.dmp

Filesize
576KB

Download
memory/696-37-0x00000000037A0000-0x0000000003830000-memory.dmp

Filesize
576KB

Download
memory/696-38-0x00000000037A0000-0x0000000003830000-memory.dmp

Filesize
576KB

Download
memory/696-39-0x00000000037A0000-0x0000000003830000-memory.dmp

Filesize
576KB

Download
memory/696-40-0x00000000037A0000-0x0000000003830000-memory.dmp

Filesize
576KB

Download
memory/696-41-0x00000000037A0000-0x0000000003830000-memory.dmp

Filesize
576KB

Download
memory/696-42-0x00000000037A0000-0x0000000003830000-memory.dmp

Filesize
576KB

Download
memory/696-43-0x00000000037A0000-0x0000000003830000-memory.dmp

Filesize
576KB

Download
memory/696-44-0x00000000037A0000-0x0000000003830000-memory.dmp

Filesize
576KB

Download
memory/696-45-0x00000000037A0000-0x0000000003830000-memory.dmp

Filesize
576KB

Download
memory/696-46-0x00000000037A0000-0x0000000003830000-memory.dmp

Filesize
576KB

Download
memory/696-47-0x00000000037A0000-0x0000000003830000-memory.dmp

Filesize
576KB

Download
memory/696-48-0x00000000037A0000-0x0000000003830000-memory.dmp

Filesize
576KB

Download
memory/696-49-0x00000000037A0000-0x0000000003830000-memory.dmp

Filesize
576KB

Download
memory/696-50-0x00000000037A0000-0x0000000003830000-memory.dmp

Filesize
576KB

Download
memory/696-51-0x00000000037A0000-0x0000000003830000-memory.dmp

Filesize
576KB

Download
memory/696-53-0x00000000037A0000-0x0000000003830000-memory.dmp

Filesize
576KB

Download
memory/696-52-0x00000000037A0000-0x0000000003830000-memory.dmp

Filesize
576KB

Download
memory/696-54-0x00000000037A0000-0x0000000003830000-memory.dmp

Filesize
576KB

Download
memory/696-55-0x00000000037A0000-0x0000000003830000-memory.dmp

Filesize
576KB

Download
memory/696-56-0x00000000037A0000-0x0000000003830000-memory.dmp

Filesize
576KB

Download
memory/696-57-0x00000000037A0000-0x0000000003830000-memory.dmp

Filesize
576KB

Download
memory/696-58-0x00000000037A0000-0x0000000003830000-memory.dmp

Filesize
576KB

Download
memory/696-59-0x00000000037A0000-0x0000000003830000-memory.dmp

Filesize
576KB

Download
memory/696-61-0x00000000037A0000-0x0000000003830000-memory.dmp

Filesize
576KB

Download
memory/696-60-0x00000000037A0000-0x0000000003830000-memory.dmp

Filesize
576KB

Download
memory/696-62-0x00000000037A0000-0x0000000003830000-memory.dmp

Filesize
576KB

Download
memory/696-63-0x0000000002800000-0x0000000002801000-memory.dmp

Filesize
4KB

Download
memory/696-64-0x0000000002800000-0x0000000002801000-memory.dmp

Filesize
4KB

Download
memory/696-65-0x00000000025D0000-0x00000000025D1000-memory.dmp

Filesize
4KB

Download
memory/696-67-0x0000000003790000-0x0000000003791000-memory.dmp

Filesize
4KB

Download
memory/696-66-0x00000000025E0000-0x00000000025E1000-memory.dmp

Filesize
4KB

Download
memory/696-68-0x0000000003780000-0x0000000003781000-memory.dmp

Filesize
4KB

Download
memory/696-69-0x0000000003770000-0x0000000003771000-memory.dmp

Filesize
4KB

Download
memory/696-70-0x0000000000400000-0x0000000000832000-memory.dmp

Filesize
4.2MB

Download
memory/696-71-0x00000000025F0000-0x0000000002650000-memory.dmp

Filesize
384KB

Download
memory/696-73-0x00000000037A0000-0x0000000003830000-memory.dmp

Filesize
576KB

Download
memory/696-74-0x00000000037A0000-0x0000000003830000-memory.dmp

Filesize
576KB

Download
memory/696-76-0x00000000037A0000-0x0000000003830000-memory.dmp

Filesize
576KB

Download
memory/696-77-0x00000000037A0000-0x0000000003830000-memory.dmp

Filesize
576KB

Download
memory/696-75-0x00000000037A0000-0x0000000003830000-memory.dmp

Filesize
576KB

Download
memory/2468-130-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/2468-139-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/3040-353-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/3360-279-0x0000000000700000-0x000000000078D000-memory.dmp

Filesize
564KB

Download
memory/3360-288-0x0000000000700000-0x000000000078D000-memory.dmp

Filesize
564KB

Download
memory/4868-290-0x0000000000400000-0x0000000000832000-memory.dmp

Filesize
4.2MB

Download