pandastealer | cf47849486b54a356e344fa8b4fb6540caec3f602fc44d2c381ef2213c24d135

Analysis

max time kernel
121s
max time network
123s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
25-07-2024 06:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cf47849486b54a356e344fa8b4fb6540caec3f602fc44d2c381ef2213c24d135.exe
Size

562KB
MD5

f5ce2d7efe8c3aaed87ec7e8adc05f03
SHA1

693bb3cb67684e2b8b73956431b35b97dad92f15
SHA256

cf47849486b54a356e344fa8b4fb6540caec3f602fc44d2c381ef2213c24d135
SHA512

c47ef59080a18c91558685e5526a9e7dd1721e76cea931d947ecec70ee2252d2528332f7b31b8726185dfd220f497ffeb6ef705e3c9ce3aa9146b9c3d6397e16
SSDEEP

12288:J7vT8cGUCZmxIwNjVGCXZqmmJUE/JHkdIUnjoqhPkw4d:Jz4BUCZmxIw1VGCXZ5mJ1kdZnBhY

Score

10^/10

pandastealer phoenixstealer aspackv2 discovery stealer

Malware Config

Signatures

Panda Stealer payload 2 IoCs

resource	yara_rule
behavioral1/memory/2988-0-0x0000000000EC0000-0x0000000000F52000-memory.dmp	family_pandastealer
behavioral1/memory/2988-32-0x0000000000EC0000-0x0000000000F52000-memory.dmp	family_pandastealer

PandaStealer
Panda Stealer is a fork of CollectorProject Stealer written in C++.
stealer pandastealer
PhoenixStealer
PhoenixStealer is an information stealer written in the C++, it sends the stolen information to cybercriminals.
stealer phoenixstealer

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral1/files/0x0009000000012118-11.dat	aspack_v212_v242

Executes dropped EXE 1 IoCs

pid	Process
2476	baHwWv.exe

Loads dropped DLL 2 IoCs

pid	Process
2988	cf47849486b54a356e344fa8b4fb6540caec3f602fc44d2c381ef2213c24d135.exe
2988	cf47849486b54a356e344fa8b4fb6540caec3f602fc44d2c381ef2213c24d135.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstat.exe	baHwWv.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Backgammon\bckgzm.exe	baHwWv.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	baHwWv.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmap.exe	baHwWv.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\WinMail.exe	baHwWv.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javap.exe	baHwWv.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\IEContentService.exe	baHwWv.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\VPREVIEW.EXE	baHwWv.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaws.exe	baHwWv.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe	baHwWv.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jabswitch.exe	baHwWv.exe
File opened for modification	C:\Program Files\Java\jre7\bin\keytool.exe	baHwWv.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	baHwWv.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe	baHwWv.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PPTICO.EXE	baHwWv.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	baHwWv.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\ktab.exe	baHwWv.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\unpack200.exe	baHwWv.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\orbd.exe	baHwWv.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\MSOHTMED.EXE	baHwWv.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	baHwWv.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java.exe	baHwWv.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javadoc.exe	baHwWv.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\servertool.exe	baHwWv.exe
File opened for modification	C:\Program Files\Java\jre7\bin\orbd.exe	baHwWv.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	baHwWv.exe
File opened for modification	C:\Program Files\Windows Journal\Journal.exe	baHwWv.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\wab.exe	baHwWv.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\idlj.exe	baHwWv.exe
File opened for modification	C:\Program Files\DVD Maker\DVDMaker.exe	baHwWv.exe
File opened for modification	C:\Program Files\Windows Sidebar\sidebar.exe	baHwWv.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE	baHwWv.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	baHwWv.exe
File opened for modification	C:\Program Files\Microsoft Games\Hearts\Hearts.exe	baHwWv.exe
File opened for modification	C:\Program Files\Microsoft Games\Mahjong\Mahjong.exe	baHwWv.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jp2launcher.exe	baHwWv.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\pack200.exe	baHwWv.exe
File opened for modification	C:\Program Files\Java\jre7\bin\tnameserv.exe	baHwWv.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	baHwWv.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstack.exe	baHwWv.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	baHwWv.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	baHwWv.exe
File opened for modification	C:\Program Files\Microsoft Games\Purble Place\PurblePlace.exe	baHwWv.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\keytool.exe	baHwWv.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	baHwWv.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java-rmi.exe	baHwWv.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\Setup.exe	baHwWv.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\SC_Reader.exe	baHwWv.exe
File opened for modification	C:\Program Files\Java\jre7\bin\rmid.exe	baHwWv.exe
File opened for modification	C:\Program Files\Windows Defender\MSASCui.exe	baHwWv.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\SELFCERT.EXE	baHwWv.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jp2launcher.exe	baHwWv.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe	baHwWv.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javafxpackager.exe	baHwWv.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javaw.exe	baHwWv.exe
File opened for modification	C:\Program Files\Windows Mail\wabmig.exe	baHwWv.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	baHwWv.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\ONENOTEM.EXE	baHwWv.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\klist.exe	baHwWv.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\servertool.exe	baHwWv.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	baHwWv.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe	baHwWv.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE	baHwWv.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe	baHwWv.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	baHwWv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cf47849486b54a356e344fa8b4fb6540caec3f602fc44d2c381ef2213c24d135.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2988 wrote to memory of 2476	2988	cf47849486b54a356e344fa8b4fb6540caec3f602fc44d2c381ef2213c24d135.exe	31
PID 2988 wrote to memory of 2476	2988	cf47849486b54a356e344fa8b4fb6540caec3f602fc44d2c381ef2213c24d135.exe	31
PID 2988 wrote to memory of 2476	2988	cf47849486b54a356e344fa8b4fb6540caec3f602fc44d2c381ef2213c24d135.exe	31
PID 2988 wrote to memory of 2476	2988	cf47849486b54a356e344fa8b4fb6540caec3f602fc44d2c381ef2213c24d135.exe	31
PID 2476 wrote to memory of 2680	2476	baHwWv.exe	33
PID 2476 wrote to memory of 2680	2476	baHwWv.exe	33
PID 2476 wrote to memory of 2680	2476	baHwWv.exe	33
PID 2476 wrote to memory of 2680	2476	baHwWv.exe	33

C:\Users\Admin\AppData\Local\Temp\cf47849486b54a356e344fa8b4fb6540caec3f602fc44d2c381ef2213c24d135.exe
"C:\Users\Admin\AppData\Local\Temp\cf47849486b54a356e344fa8b4fb6540caec3f602fc44d2c381ef2213c24d135.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2988
- C:\Users\Admin\AppData\Local\Temp\baHwWv.exe
  C:\Users\Admin\AppData\Local\Temp\baHwWv.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2476
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\4415036a.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2680

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4415036a.bat

Filesize
187B

MD5
5fc846af6da58188a1800c0a0d88bd42

SHA1
2b6164cb5ab52bfece6d417bbf96db856d90f784

SHA256
d098996efbcd78b4137cbb4947b1ad13ad3f1c0f95df708dca2a9ea3382a56f8

SHA512
55fbf5a97eb0090d0efcf1f6337836fa5759f7d1e05b1dd98289d7f37740ae369b2e9b6e1844f5f7650d8423f025f129ccfe02213ece3a64ec71378f8594c9c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\baHwWv.exe

Filesize
15KB

MD5
f7d21de5c4e81341eccd280c11ddcc9a

SHA1
d4e9ef10d7685d491583c6fa93ae5d9105d815bd

SHA256
4485df22c627fa0bb899d79aa6ff29bc5be1dbc3caa2b7a490809338d54b7794

SHA512
e4553b86b083996038bacfb979ad0b86f578f95185d8efac34a77f6cc73e491d4f70e1449bbc9eb1d62f430800c1574101b270e1cb0eeed43a83049a79b636a3

Download Submit
memory/2476-12-0x0000000000B60000-0x0000000000B69000-memory.dmp

Filesize
36KB

Download
memory/2476-30-0x0000000000B60000-0x0000000000B69000-memory.dmp

Filesize
36KB

Download
memory/2988-0-0x0000000000EC0000-0x0000000000F52000-memory.dmp

Filesize
584KB

Download
memory/2988-9-0x0000000000B60000-0x0000000000B69000-memory.dmp

Filesize
36KB

Download
memory/2988-8-0x0000000000B60000-0x0000000000B69000-memory.dmp

Filesize
36KB

Download
memory/2988-32-0x0000000000EC0000-0x0000000000F52000-memory.dmp

Filesize
584KB

Download