pandastealer

Sharing

Copy URL

Twitter E-mail

General

Target

337f603c8b740238d363cca78e8687d5_JaffaCakes118
Size

4.7MB
Sample

241011-geqldsxhjf
MD5

337f603c8b740238d363cca78e8687d5
SHA1

a6b9fce6d9bbd232d779b0fbae39a746613e4397
SHA256

5a2421a99391c5deb961e8f6dbbb5a660531192c2fa279061d6d637bb9656947
SHA512

e3ed5235ccc8f8b18e318baf54ebec38b2c6281be08290d2c0ba42fcdb0d4e99eefe2014904a2c75c94efbd7e3d96d0d3ee471c27334ec991f96344a32171cef
SSDEEP

98304:JfyFY1bgUxBPwBwVIJMIcjE0PAK+AV/YbcDklVkH343uKS:JaFYmOPw6VIJMIcjL2wwflKH343tS

Score

10^/10

Malware Config

Targets

- Target
  
  337f603c8b740238d363cca78e8687d5_JaffaCakes118
- Size
  
  4.7MB
- MD5
  
  337f603c8b740238d363cca78e8687d5
- SHA1
  
  a6b9fce6d9bbd232d779b0fbae39a746613e4397
- SHA256
  
  5a2421a99391c5deb961e8f6dbbb5a660531192c2fa279061d6d637bb9656947
- SHA512
  
  e3ed5235ccc8f8b18e318baf54ebec38b2c6281be08290d2c0ba42fcdb0d4e99eefe2014904a2c75c94efbd7e3d96d0d3ee471c27334ec991f96344a32171cef
- SSDEEP
  
  98304:JfyFY1bgUxBPwBwVIJMIcjE0PAK+AV/YbcDklVkH343uKS:JaFYmOPw6VIJMIcjL2wwflKH343tS
Score

10^/10

pandastealer adware discovery persistence stealer spyware
- Panda Stealer payload
- PandaStealer
  Panda Stealer is a fork of CollectorProject Stealer written in C++.
  stealer pandastealer
- Drops file in Drivers directory
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Blocklisted process makes network request
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Installs/modifies Browser Helper Object
  BHOs are DLL modules which act as plugins for Internet Explorer.
  stealer adware
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- Drops file in System32 directory
behavioral1 behavioral2
- Target
  
  $PLUGINSDIR/StartMenu.dll
- Size
  
  7KB
- MD5
  
  a4173b381625f9f12aadb4e1cdaefdb8
- SHA1
  
  cf1680c2bc970d5675adbf5e89292a97e6724713
- SHA256
  
  7755ff2707ca19344d489a5acec02d9e310425fa6e100d2f13025761676b875b
- SHA512
  
  fcac79d42862da6bdd3ecad9d887a975cdff2301a8322f321be58f754a26b27077b452faa4751bbd09cd3371b4afce65255fbbb443e2c93dd2cba0ba652f4a82
- SSDEEP
  
  96:2fiqP7bO2qHkAC40KhvSE+6nrxtMn0iGd88qRLqtJ1tbRhElfRx2:siqP7OHX1Q4xtcf8qo/ttgfRx2
Score

3^/10

discovery
behavioral3 behavioral4
- Target
  
  $TEMP/setup.exe
- Size
  
  2.4MB
- MD5
  
  b774d568aaf090164ec32291370cb341
- SHA1
  
  f5a55bcd898ff2848df1bb067e5012951dfbc266
- SHA256
  
  56e96195f7c806eb74503977eb61fd681b99ac14fcdb9f852d89ee46b0edc5ef
- SHA512
  
  0ffe18d77b13e5a94be4575984982d4d583450821865821be9c7dcffcb2fb03a744b4ca530516ba8917eb2d130bf8767416259563ecefe511ccbf34254f52691
- SSDEEP
  
  49152:QT1/JEQtPdZoRTrfDgHGRvrDZg5aa1ChFpqKiv+9:QTRtfoNDvlZ8aa1CMKx
Score

10^/10

pandastealer discovery stealer
- Panda Stealer payload
- PandaStealer
  Panda Stealer is a fork of CollectorProject Stealer written in C++.
  stealer pandastealer
- Drops file in Drivers directory
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Blocklisted process makes network request
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
behavioral5 behavioral6
- Target
  
  $TEMP/sys.exe
- Size
  
  1.9MB
- MD5
  
  361afb77460382b303ff0feab78b65c7
- SHA1
  
  e3b44a60f2bb4998399252cc36d3e65dc80deef1
- SHA256
  
  2063d5933ad5f7789082e04d6209032c4f85ef495f06b9de3f41546f0fde6de8
- SHA512
  
  b81233d5d15884158ec99a64ecfd9239906d67bf149282f87e458718a9eb8ae71b8c00cbe5e6d289b48ab5ac0ff7d1f061bb1caff67d93dfcf9c1a387726615b
- SSDEEP
  
  49152:4alHayFPW9MgP6WaxFn6HIIGpTIqiqvspY9c:jFPW6gPxaFn6HIIsBPvspd
Score

7^/10

adware discovery spyware stealer
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Installs/modifies Browser Helper Object
  BHOs are DLL modules which act as plugins for Internet Explorer.
  stealer adware
- Drops file in System32 directory
behavioral7 behavioral8
- Target
  
  $PLUGINSDIR/Math.dll
- Size
  
  66KB
- MD5
  
  b140459077c7c39be4bef249c2f84535
- SHA1
  
  c56498241c2ddafb01961596da16d08d1b11cd35
- SHA256
  
  0598f7d83db44929b7170c1285457b52b4281185f63ced102e709bf065f10d67
- SHA512
  
  fbcb19a951d96a216d73b6b3e005338bbb6e11332c6cc8c3f179ccd420b4db0e5682dc4245bd120dcb67bc70960eab368e74c68c7c165a485a12a7d0d8a00328
- SSDEEP
  
  1536:0P43WZ4Ql60gam+2MwRmPeqFVHbQH0ZZ1Iet:0wU609VMH0T/t
Score

3^/10

discovery
behavioral10 behavioral9
- Target
  
  $PLUGINSDIR/Processes.dll
- Size
  
  35KB
- MD5
  
  2cfba79d485cf441c646dd40d82490fc
- SHA1
  
  83e51ac1115a50986ed456bd18729653018b9619
- SHA256
  
  86b302fa9c85dfa0c1c03ba000864a928365dab571f3355347dba02da22949b7
- SHA512
  
  cca186a7f9c5cff3f4eca410fbe8cc13dad2514a7e36aec9b1addfbcb239ace9b9b2d8427771858e3fd11783abce7e24d43c286f98da9f8b17562ca095a4c043
- SSDEEP
  
  768:uxEiycFoaj/+WSiJfmjvab7L/cUf7IIlMLRF:uxEm7sgfmjy//cgdlM/
Score

3^/10

discovery
behavioral11 behavioral12
- Target
  
  $PLUGINSDIR/System.dll
- Size
  
  11KB
- MD5
  
  c17103ae9072a06da581dec998343fc1
- SHA1
  
  b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d
- SHA256
  
  dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f
- SHA512
  
  d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f
- SSDEEP
  
  192:7DKnJZCv6VmbJQC+tFiUdK7ckD4gRXKQx+LQ2CSF:7ViJrtFRdbmXK8+PCw
Score

3^/10

discovery
behavioral13 behavioral14
- Target
  
  $PLUGINSDIR/UAC.dll
- Size
  
  17KB
- MD5
  
  88ad3fd90fc52ac3ee0441a38400a384
- SHA1
  
  08bc9e1f5951b54126b5c3c769e3eaed42f3d10b
- SHA256
  
  e58884695378cf02715373928bb8ade270baf03144369463f505c3b3808cbc42
- SHA512
  
  359496f571e6fa2ec4c5ab5bd1d35d1330586f624228713ae55c65a69e07d8623022ef54337c22c3aab558a9b74d9977c8436f5fea4194899d9ef3ffd74e7dbb
- SSDEEP
  
  384:59TzaeW+WyB8c7LX+OGkrwWvVrkUiEMAWm5nskAvXkq:5ZaB+W62Mr5vGUiEum5sk
Score

3^/10

discovery
behavioral15 behavioral16
- Target
  
  $R1
- Size
  
  2.5MB
- MD5
  
  81dd5db35b7311d7e86ad64bb21946c0
- SHA1
  
  936997fb386f9d482715dd5747cace7ce94fcdea
- SHA256
  
  0b87c091f55d456fcf375cfd93cdd4fac981537c53fe06bba20db4d37f624aa2
- SHA512
  
  014f93810a96d99b7b3710366acdd8c869c152940bcfd4b6764ec12a69dd36d874bcac544f62279dd35054cd21c99cdc90dd00c74153be23f5e39100f19958d7
- SSDEEP
  
  49152:2dAxOl1nCLGGFAdbKOzMMP0DIH8K6c346mTztFIFmxW1d:iAxyCLxIZl0DIH8K6citF
Score

6^/10

adware discovery stealer
- Installs/modifies Browser Helper Object
  BHOs are DLL modules which act as plugins for Internet Explorer.
  stealer adware
behavioral17 behavioral18
- Target
  
  $TEMP/tcpsrvc.exe
- Size
  
  372KB
- MD5
  
  8c706a763e7622b72fe3222ec053d326
- SHA1
  
  2ee23255a22f1d42eefbc1fe88f4d82736e6c1b7
- SHA256
  
  79b06d3d76b61edfc0d3f48d0189e37ab2245ab169a06cf0aeb815576cdc7819
- SHA512
  
  21c36d1c470d71374e4da34cb9b589cb0f6105145509bb4d30187be4e219f34e0f96ed0cd6d1a25cc3e366474e918d5b99a9f5e2c25d610b8f1cf7dc4ba5cbc8
- SSDEEP
  
  6144:UzfXbLb6FgXVLFRHCt9sZ+2yrq4jKChDCD3C4wOmwIAhd2GBEfQhItk+/D0kNVTC:eHeFq/HCA4h1FWCFDA/2GcOYN5WZYgKc
Score

7^/10

adware discovery persistence stealer
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Installs/modifies Browser Helper Object
  BHOs are DLL modules which act as plugins for Internet Explorer.
  stealer adware
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- Drops file in System32 directory
behavioral19 behavioral20
- Target
  
  $PLUGINSDIR/System.dll
- Size
  
  11KB
- MD5
  
  c17103ae9072a06da581dec998343fc1
- SHA1
  
  b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d
- SHA256
  
  dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f
- SHA512
  
  d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f
- SSDEEP
  
  192:7DKnJZCv6VmbJQC+tFiUdK7ckD4gRXKQx+LQ2CSF:7ViJrtFRdbmXK8+PCw
Score

3^/10

discovery
behavioral21 behavioral22
- Target
  
  $SYSDIR/$SYSDIR/$_1_.exe
- Size
  
  52KB
- MD5
  
  f56dd8937e7790a77ed66cf939a98cef
- SHA1
  
  3f36412df3de2b669bcc5d698eb941477c52fba1
- SHA256
  
  752f5e5833cc5dd1f3d5f4b2a93aea034aaa254f4da432c85b6f5d387631b11c
- SHA512
  
  9ae4d54b54f10fd0da6c5ef3dfdff3a484887b2af3ec50a374cedca22cc36a2a9f45f850f9cc3cc623fbb23368dfdaf4692ac3c5dc16a1d547aec69f08e7bcea
- SSDEEP
  
  1536:UoLDYsacy7mHMowHjXJF5rcFqzN3bqTANJQwBEAr:UoPyys5jXJF5rxl2sHQw2Ar
Score

7^/10

discovery
- Executes dropped EXE
- Loads dropped DLL
behavioral23 behavioral24
- Target
  
  $PLUGINSDIR/InstallOptions.dll
- Size
  
  14KB
- MD5
  
  325b008aec81e5aaa57096f05d4212b5
- SHA1
  
  27a2d89747a20305b6518438eff5b9f57f7df5c3
- SHA256
  
  c9cd5c9609e70005926ae5171726a4142ffbcccc771d307efcd195dafc1e6b4b
- SHA512
  
  18362b3aee529a27e85cc087627ecf6e2d21196d725f499c4a185cb3a380999f43ff1833a8ebec3f5ba1d3a113ef83185770e663854121f2d8b885790115afdf
- SSDEEP
  
  192:86d+dHXLHQOPiY53uiUdigyU+WsPdc/A1A+2jwK72dwF7dBEnbok:86UdHXcIiY535zBt2jw+BEnbo
Score

3^/10

discovery
behavioral25 behavioral26
- Target
  
  $PLUGINSDIR/System.dll
- Size
  
  11KB
- MD5
  
  c17103ae9072a06da581dec998343fc1
- SHA1
  
  b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d
- SHA256
  
  dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f
- SHA512
  
  d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f
- SSDEEP
  
  192:7DKnJZCv6VmbJQC+tFiUdK7ckD4gRXKQx+LQ2CSF:7ViJrtFRdbmXK8+PCw
Score

3^/10

discovery
behavioral27 behavioral28
- Target
  
  $SYSDIR/$_5_
- Size
  
  604KB
- MD5
  
  b8b303dbcda489ce392dd78b9c3088ae
- SHA1
  
  5fbb5dc212a26c8d995d9fc70aaed84972c81378
- SHA256
  
  6fc9b661c0be1f1c29943c41125ed6e883576f2714bc9c4738a1098850f5bbde
- SHA512
  
  551745e3bdf647fcf0c8e0b9d92cb691c0d011382c9867c0d575221cec5c669277d79467d751b37269c5e61d31a9485d9a21c5015db0663b4c9a3639ced96b03
- SSDEEP
  
  12288:bpFAxUbm+/1uMiaqGvBmNM2YOjYdE8MZV58A8+ic6Z8yv7:GUbm+d8adm21XSfZUc6ZX
Score

6^/10

adware discovery persistence stealer
- Adds Run key to start application
  persistence
- Installs/modifies Browser Helper Object
  BHOs are DLL modules which act as plugins for Internet Explorer.
  stealer adware
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
behavioral29 behavioral30

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Browser Extensions

T1176

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Targets

Panda Stealer payload

Drops file in Drivers directory

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Reads user/profile data of web browsers

Adds Run key to start application

Blocklisted process makes network request

Checks installed software on the system

Enumerates connected drives

Installs/modifies Browser Helper Object

Maps connected drives based on registry

Drops file in System32 directory

Panda Stealer payload

PandaStealer

Drops file in Drivers directory

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Blocklisted process makes network request

Checks installed software on the system

Enumerates connected drives

Loads dropped DLL

Reads user/profile data of web browsers

Checks installed software on the system

Installs/modifies Browser Helper Object

Drops file in System32 directory

Installs/modifies Browser Helper Object

Loads dropped DLL

Adds Run key to start application

Checks installed software on the system

Installs/modifies Browser Helper Object

Maps connected drives based on registry

Drops file in System32 directory

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Installs/modifies Browser Helper Object

Maps connected drives based on registry

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10

behavioral11

behavioral12

behavioral13

behavioral14

behavioral15

behavioral16

behavioral17

behavioral18

behavioral19

behavioral20

behavioral21

behavioral22

behavioral23

behavioral24

behavioral25

behavioral26

behavioral27

behavioral28

behavioral29

behavioral30