pandastealer | 2024-10-12_a2223164f89eed700871205492790012_mafia

Sharing

Copy URL

Twitter E-mail

General

Target

2024-10-12_a2223164f89eed700871205492790012_mafia
Size

4.6MB
MD5

a2223164f89eed700871205492790012
SHA1

20c08b5fcaf9e73989cb98e4d40680d17a9afceb
SHA256

782b83406af76384008fc68de5377730056fa457f7177b8cb855d7685ff0c237
SHA512

ddad5b7ed67366e9d5060ef38de5fa374929d79169b3306722e3c82d1abf08ade29836eeb0b9ce1798b495fa5d32fcee261dc15c649d84f316dd962d57e62e37
SSDEEP

49152:OVFvmdvFRrtDo7UvbW/0hxL57tdTVGZ8B1X3BAiz81XYiZsyrOiTQY/YES2t2pvY:EYvFRJDst4fTVxZ81Fsyr0vY

Score

10^/10

pandastealer

Malware Config

Signatures

Panda Stealer payload 1 IoCs

resource	yara_rule
sample	family_pandastealer

Pandastealer family
pandastealer

Files

2024-10-12_a2223164f89eed700871205492790012_mafia
.exe windows:5 windows x86 arch:x86

bb9e4dc5f631b1b7d5d78c16eccb82ef

Code Sign

7e:93:eb:fb:7c:c6:4e:59:ea:4b:9a:77:d4:06:fc:3b
Certificate

Issuer

CN=Thawte Timestamping CA,OU=Thawte Certification,O=Thawte,L=Durbanville,ST=Western Cape,C=ZA

Not Before

21-12-2012 00:00

Not After

30-12-2020 23:59

Subject

CN=Symantec Time Stamping Services CA - G2,O=Symantec Corporation,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

47:97:4d:78:73:a5:bc:ab:0d:2f:b3:70:19:2f:ce:5e
Certificate

Issuer

CN=thawte Primary Root CA,OU=Certification Services Division+OU=(c) 2006 thawte\, Inc. - For authorized use only,O=thawte\, Inc.,C=US

Not Before

08-02-2010 00:00

Not After

07-02-2020 23:59

Subject

CN=Thawte Code Signing CA - G2,O=Thawte\, Inc.,C=US

Extended Key Usages

ExtKeyUsageClientAuth
ExtKeyUsageCodeSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

0e:cf:f4:38:c8:fe:bf:35:6e:04:d8:6a:98:1b:1a:50
Certificate

Issuer

CN=Symantec Time Stamping Services CA - G2,O=Symantec Corporation,C=US

Not Before

18-10-2012 00:00

Not After

29-12-2020 23:59

Subject

CN=Symantec Time Stamping Services Signer - G4,O=Symantec Corporation,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature

33:a6:a2:62:6f:72:48:24:5f:3a:61:5a:8c:e7:da:de
Certificate

Issuer

CN=Thawte Code Signing CA - G2,O=Thawte\, Inc.,C=US

Not Before

04-07-2014 00:00

Not After

01-08-2016 23:59

Subject

CN=Beijing Funshion Online Technologies Ltd.,OU=SECURE APPLICATION DEVELOPMENT,O=Beijing Funshion Online Technologies Ltd.,L=Beijing,ST=Beijing,C=CN

Extended Key Usages

ExtKeyUsageCodeSigning
ExtKeyUsageMicrosoftCommercialCodeSigning

Key Usages

KeyUsageDigitalSignature

fc:85:f0:9a:a4:8e:8d:4a:ec:d5:df:8e:e7:22:7d:65:54:42:9c:0a
Signer

Actual PE Digest

fc:85:f0:9a:a4:8e:8d:4a:ec:d5:df:8e:e7:22:7d:65:54:42:9c:0a

Digest Algorithm

sha1

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

PDB Paths

I:\build3.0.3\Funshion\Rel\bin\Release\Funshion.pdb

Imports

dbghelp

MiniDumpWriteDump

shlwapi

StrFormatByteSizeW
PathIsRootW
PathAppendW
StrCmpIW
PathFindExtensionW
StrCpyW
PathAddExtensionW
PathRemoveExtensionW
PathFindFileNameW
StrStrIW
SHSetValueW
SHDeleteKeyW
SHGetValueW
SHDeleteValueW
PathRemoveFileSpecW
PathFileExistsW

ws2_32

gethostbyname
inet_ntoa
gethostname
ntohs
send
closesocket
ntohl
socket
recv
htons
select
connect
__WSAFDIsSet
getservbyname
WSAGetLastError
freeaddrinfo
getaddrinfo
getnameinfo
WSAStartup
WSACleanup
accept
bind
listen
shutdown
sendto
recvfrom
getsockname
getpeername
setsockopt
getsockopt
ioctlsocket
inet_addr

wininet

InternetGetCookieExW
InternetGetConnectedState
HttpQueryInfoW
InternetSetOptionA
InternetReadFile
InternetOpenUrlW
HttpQueryInfoA
InternetSetCookieW
InternetCloseHandle
InternetOpenA

iphlpapi

GetIfEntry
GetBestInterface
GetAdaptersInfo

psapi

GetModuleFileNameExW

winmm

waveOutSetVolume
timeGetTime
mixerGetLineControlsW
mixerOpen
mixerGetControlDetailsW
mixerClose
waveOutGetVolume
mixerGetLineInfoW

rpcrt4

UuidCreate
UuidToStringW

dsound

ord3

kernel32

ExitProcess
FindResourceExW
FindResourceW
FreeLibrary
LoadResource
LoadLibraryExW
InterlockedIncrement
InterlockedDecrement
GetCurrentProcess
CreateDirectoryW
GlobalLock
GetModuleHandleW
GlobalAlloc
InitializeCriticalSectionAndSpinCount
SizeofResource
LeaveCriticalSection
MulDiv
GetModuleFileNameW
lstrcmpW
MultiByteToWideChar
lstrlenW
GlobalUnlock
FlushInstructionCache
RaiseException
GetLastError
SetLastError
GetProcAddress
EnterCriticalSection
LockResource
CreateEventW
lstrcmpiW
DeleteCriticalSection
GetCurrentThreadId
CloseHandle
SetFileAttributesW
GetFileSize
InterlockedCompareExchange
ReadFile
CreateFileW
GlobalFree
lstrlenA
GetPrivateProfileStringW
WritePrivateProfileStringW
GetPrivateProfileIntW
GetCurrentDirectoryW
LoadLibraryW
OutputDebugStringA
FindFirstFileW
GetDriveTypeA
GetSystemDirectoryW
GetVersionExW
GetLogicalDriveStringsA
FindClose
Process32FirstW
GlobalMemoryStatusEx
RemoveDirectoryW
GetDiskFreeSpaceA
GetSystemInfo
Process32NextW
GetModuleHandleA
FindNextFileW
CreateToolhelp32Snapshot
GetDiskFreeSpaceExW
DeleteFileW
OutputDebugStringW
WideCharToMultiByte
CreateProcessW
SetUnhandledExceptionFilter
GetCurrentProcessId
CreateThread
WriteFile
GetFileAttributesW
TryEnterCriticalSection
InitializeCriticalSection
SetInformationJobObject
CreateJobObjectW
GetTickCount
AssignProcessToJobObject
OpenJobObjectW
CreateNamedPipeW
GetOverlappedResult
GetLocalTime
WaitForSingleObject
SetEvent
TerminateThread
FileTimeToSystemTime
FileTimeToLocalFileTime
lstrcpyW
InterlockedExchange
SetThreadExecutionState
CopyFileW
CreateFileA
HeapAlloc
HeapFree
GetProcessHeap
DeviceIoControl
OpenProcess
TerminateProcess
ResetEvent
WaitForMultipleObjects
IsBadReadPtr
GlobalHandle
MoveFileW
lstrcpynW
CreateEventA
VirtualProtect
GetSystemTimeAsFileTime
LoadLibraryA
ExpandEnvironmentStringsW
FlushFileBuffers
SetHandleInformation
GetStartupInfoW
GetStdHandle
CreatePipe
GlobalReAlloc
GetFileAttributesA
GetFileAttributesExW
DeleteFileA
GetFullPathNameW
GetFullPathNameA
SetFilePointer
SetEndOfFile
QueryPerformanceCounter
UnlockFile
LockFile
FormatMessageA
GetTempPathW
LockFileEx
GetTempPathA
GetSystemTime
AreFileApisANSI
LCMapStringW
CompareStringW
HeapCreate
GetTimeZoneInformation
IsValidLocale
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
FreeEnvironmentStringsW
GetEnvironmentStringsW
SetHandleCount
GetFileType
GetACP
GetOEMCP
IsValidCodePage
GetConsoleCP
GetConsoleMode
GetUserDefaultLCID
GetLocaleInfoA
EnumSystemLocalesA
GetCPInfo
ConnectNamedPipe
SetStdHandle
WriteConsoleW
SetEnvironmentVariableA
OpenEventA
ResumeThread
SystemTimeToFileTime
SetWaitableTimer
CreateWaitableTimerA
InterlockedPushEntrySList
LocalFileTimeToFileTime
IsDebuggerPresent
UnhandledExceptionFilter
ExitThread
GetDateFormatW
GetTimeFormatW
GetDateFormatA
GetTimeFormatA
RtlUnwind
HeapSetInformation
GetCommandLineW
GetComputerNameW
GetVersionExA
SetEnvironmentVariableW
GetEnvironmentVariableW
GetLogicalDriveStringsW
GetLongPathNameW
SetFileTime
UnmapViewOfFile
MapViewOfFile
CreateFileMappingA
CreateFileMappingW
ReleaseMutex
CreateMutexW
LocalFree
GetLocaleInfoW
DecodePointer
EncodePointer
GetStringTypeW
HeapSize
HeapReAlloc
HeapDestroy
InterlockedPopEntrySList
VirtualAlloc
VirtualFree
IsProcessorFeaturePresent
Sleep

user32

PostThreadMessageW
GetWindowRect
ShowCursor
GetSystemMetrics
wsprintfW
SetTimer
KillTimer
SetRect
IsWindowVisible
DrawTextW
ShowWindow
EndPaint
ClientToScreen
DestroyWindow
GetWindowTextLengthW
DestroyAcceleratorTable
ScreenToClient
GetMessageW
CharNextW
RegisterWindowMessageW
FillRect
SetCapture
GetFocus
GetParent
InvalidateRgn
LoadCursorW
FindWindowW
GetClientRect
CreateAcceleratorTableW
SetFocus
BeginPaint
GetClassInfoExW
GetCursorPos
SetForegroundWindow
IsZoomed
IsIconic
SetActiveWindow
PostMessageW
PostQuitMessage
CreateDialogParamW
SetLayeredWindowAttributes
SendMessageA
CheckMenuItem
DestroyMenu
RemoveMenu
EnableMenuItem
LoadMenuW
CheckMenuRadioItem
wsprintfA
GetDC
TranslateMessage
RegisterClassExW
InvalidateRect
GetWindowLongW
GetWindowTextW
PeekMessageW
GetClassNameW
ReleaseDC
GetDlgItem
SetWindowLongW
RedrawWindow
GetDesktopWindow
GetSysColor
SetWindowPos
IsWindow
CreateWindowExW
MessageBoxW
ReleaseCapture
wvsprintfA
CreateDesktopW
RegisterClassW
GetTopWindow
WindowFromPoint
GetForegroundWindow
MapDialogRect
SetWindowContextHelpId
SendDlgItemMessageW
CreateDialogIndirectParamW
DialogBoxParamW
EndDialog
GetMenuItemID
GetMenuItemCount
SendMessageW
SetWindowTextW
CallWindowProcW
DefWindowProcW
CloseClipboard
EmptyClipboard
GetSysColorBrush
GetWindow
MoveWindow
DispatchMessageW
OpenClipboard
SetClipboardData
IntersectRect
DisableProcessWindowsGhosting
EqualRect
UnregisterClassA
DestroyIcon
GetDlgCtrlID
GetActiveWindow
MonitorFromWindow
ExitWindowsEx
AppendMenuW
IsRectEmpty
SetRectEmpty
SetCursor
GetCapture
BringWindowToTop
GetKeyState
UnregisterHotKey
RegisterHotKey
UpdateLayeredWindow
GetWindowDC
UpdateWindow
EnumDisplayMonitors
GetMonitorInfoW
CopyRect
MonitorFromRect
OffsetRect
MapWindowPoints
LoadImageW
RegisterDeviceNotificationW
GetWindowThreadProcessId
SetWindowRgn
PtInRect
InflateRect
SystemParametersInfoW
EnableWindow
TrackPopupMenu
GetSubMenu
ModifyMenuW
IsChild

gdi32

SelectClipRgn
CreateRectRgn
GetClipBox
ExtSelectClipRgn
GetTextColor
CreateFontW
CombineRgn
SetPixel
Rectangle
DPtoLP
RoundRect
MoveToEx
LineTo
CreatePen
SaveDC
RestoreDC
CreateFontIndirectW
ExtTextOutW
CreateRoundRectRgn
GetTextExtentPoint32W
SetTextColor
CreateDIBSection
SetBkColor
SetBkMode
BitBlt
DeleteDC
GetDeviceCaps
DeleteObject
SelectObject
CreateCompatibleDC
CreateCompatibleBitmap
GetObjectW
CreateSolidBrush
GetStockObject
CreateRectRgnIndirect

advapi32

RegQueryValueExW
RegCreateKeyExW
RegQueryInfoKeyW
InitializeSecurityDescriptor
RegDeleteKeyW
SetSecurityDescriptorDacl
RegDeleteValueW
IsTextUnicode
RegOpenKeyExA
RegOpenKeyW
RegQueryValueExA
RegEnumKeyW
AdjustTokenPrivileges
LookupPrivilegeValueW
OpenProcessToken
RegOpenKeyExW
RegSetValueExW
RegCloseKey
RegEnumKeyExW

shell32

SHBrowseForFolderW
SHGetMalloc
ord2
ord4
ShellExecuteW
SHGetPathFromIDListW
SHGetDesktopFolder
DragQueryFileW
Shell_NotifyIconW
SHChangeNotify
ShellExecuteExW
ord165
SHCreateDirectoryExW
SHGetSpecialFolderPathW
SHFileOperationW

ole32

CoTaskMemFree
CoTaskMemAlloc
CoSetProxyBlanket
CoUninitialize
CoInitialize
OleUninitialize
StgCreateDocfile
OleCreate
OleInitialize
StringFromGUID2
CreateStreamOnHGlobal
OleSetContainedObject
OleDraw
CLSIDFromString
CLSIDFromProgID
CoTaskMemRealloc
OleLockRunning
CoCreateGuid
CoCreateInstance
CoGetClassObject

oleaut32

LoadRegTypeLi
OleLoadPicture
SysAllocStringByteLen
SysStringByteLen
DispCallFunc
VarUI4FromStr
OleCreateFontIndirect
GetErrorInfo
VariantInit
LoadTypeLi
VariantClear
SysAllocString
SysStringLen
SysFreeString
SysAllocStringLen

comctl32

_TrackMouseEvent
ImageList_Create
InitCommonControlsEx

msimg32

AlphaBlend
TransparentBlt
GradientFill

urlmon

UrlMkGetSessionOption

gdiplus

GdipCreatePen1
GdipDrawLineI
GdipCreateFromHDC
GdipDeleteGraphics
GdipDeletePen

winhttp

WinHttpReceiveResponse
WinHttpSetTimeouts
WinHttpSendRequest
WinHttpConnect
WinHttpCloseHandle
WinHttpOpenRequest
WinHttpCrackUrl
WinHttpReadData
WinHttpQueryDataAvailable
WinHttpSetStatusCallback
WinHttpQueryHeaders
WinHttpOpen

imagehlp

ImageGetCertificateHeader
ImageGetCertificateData

version

GetFileVersionInfoW
VerQueryValueW
GetFileVersionInfoSizeW

comdlg32

GetSaveFileNameW
GetOpenFileNameW

wintrust

WinVerifyTrust

crypt32

CryptVerifyMessageSignature

Sections

.text
Size: 3.0MB - Virtual size: 3.0MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 573KB - Virtual size: 573KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 103KB - Virtual size: 130KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.tls
Size: 512B - Virtual size: 2B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 763KB - Virtual size: 762KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 175KB - Virtual size: 174KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

bb9e4dc5f631b1b7d5d78c16eccb82ef

Code Sign

7e:93:eb:fb:7c:c6:4e:59:ea:4b:9a:77:d4:06:fc:3bCertificate

Extended Key Usages

Key Usages

47:97:4d:78:73:a5:bc:ab:0d:2f:b3:70:19:2f:ce:5eCertificate

Extended Key Usages

Key Usages

0e:cf:f4:38:c8:fe:bf:35:6e:04:d8:6a:98:1b:1a:50Certificate

Extended Key Usages

Key Usages

33:a6:a2:62:6f:72:48:24:5f:3a:61:5a:8c:e7:da:deCertificate

Extended Key Usages

Key Usages

fc:85:f0:9a:a4:8e:8d:4a:ec:d5:df:8e:e7:22:7d:65:54:42:9c:0aSigner

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

dbghelp

shlwapi

ws2_32

wininet

iphlpapi

psapi

winmm

rpcrt4

dsound

kernel32

user32

gdi32

advapi32

shell32

ole32

oleaut32

comctl32

msimg32

urlmon

gdiplus

winhttp

imagehlp

version

comdlg32

wintrust

crypt32

Sections

.text Size: 3.0MB - Virtual size: 3.0MB

.rdata Size: 573KB - Virtual size: 573KB

.data Size: 103KB - Virtual size: 130KB

.tls Size: 512B - Virtual size: 2B

.rsrc Size: 763KB - Virtual size: 762KB

.reloc Size: 175KB - Virtual size: 174KB

7e:93:eb:fb:7c:c6:4e:59:ea:4b:9a:77:d4:06:fc:3b
Certificate

47:97:4d:78:73:a5:bc:ab:0d:2f:b3:70:19:2f:ce:5e
Certificate

0e:cf:f4:38:c8:fe:bf:35:6e:04:d8:6a:98:1b:1a:50
Certificate

33:a6:a2:62:6f:72:48:24:5f:3a:61:5a:8c:e7:da:de
Certificate

fc:85:f0:9a:a4:8e:8d:4a:ec:d5:df:8e:e7:22:7d:65:54:42:9c:0a
Signer

.text
Size: 3.0MB - Virtual size: 3.0MB

.rdata
Size: 573KB - Virtual size: 573KB

.data
Size: 103KB - Virtual size: 130KB

.tls
Size: 512B - Virtual size: 2B

.rsrc
Size: 763KB - Virtual size: 762KB

.reloc
Size: 175KB - Virtual size: 174KB