pandastealer | be27bc8a9dab3b415bbc9bd1aec4d36b1a1cecc1e2d9fa298c87281479d7ef82

General

Target

be27bc8a9dab3b415bbc9bd1aec4d36b1a1cecc1e2d9fa298c87281479d7ef82N.exe
Size

3.2MB
MD5

5256b4591f38e362966bf251ae756da0
SHA1

65c90a1a336dd3e1711aad8a7a4f763a14ac4eee
SHA256

be27bc8a9dab3b415bbc9bd1aec4d36b1a1cecc1e2d9fa298c87281479d7ef82
SHA512

731b263ce7cc6fb94419d909cd207bcf346986f4dafc879766f5a7821b8f044bf76dc128dfee22b63f382f7f5627711a507faf8c2daf7d324e3c49250e9579c9
SSDEEP

98304:FV2NcsQ02VEnzsa9e0KugO2vdwSsKHqMvJ:FVicsz2V5gbgO2vdw1TQJ

Score

10^/10

Malware Config

Signatures

Panda Stealer payload 1 IoCs

resource	yara_rule
behavioral2/files/0x000b000000023b91-4.dat	family_pandastealer

PandaStealer
Panda Stealer is a fork of CollectorProject Stealer written in C++.
stealer pandastealer

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	be27bc8a9dab3b415bbc9bd1aec4d36b1a1cecc1e2d9fa298c87281479d7ef82N.exe

Executes dropped EXE 2 IoCs

pid	Process
1400	setup.exe
1460	setup.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	be27bc8a9dab3b415bbc9bd1aec4d36b1a1cecc1e2d9fa298c87281479d7ef82N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.tmp

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4060 wrote to memory of 1400	4060	be27bc8a9dab3b415bbc9bd1aec4d36b1a1cecc1e2d9fa298c87281479d7ef82N.exe	88
PID 4060 wrote to memory of 1400	4060	be27bc8a9dab3b415bbc9bd1aec4d36b1a1cecc1e2d9fa298c87281479d7ef82N.exe	88
PID 4060 wrote to memory of 1400	4060	be27bc8a9dab3b415bbc9bd1aec4d36b1a1cecc1e2d9fa298c87281479d7ef82N.exe	88
PID 1400 wrote to memory of 1460	1400	setup.exe	90
PID 1400 wrote to memory of 1460	1400	setup.exe	90
PID 1400 wrote to memory of 1460	1400	setup.exe	90

C:\Users\Admin\AppData\Local\Temp\be27bc8a9dab3b415bbc9bd1aec4d36b1a1cecc1e2d9fa298c87281479d7ef82N.exe
"C:\Users\Admin\AppData\Local\Temp\be27bc8a9dab3b415bbc9bd1aec4d36b1a1cecc1e2d9fa298c87281479d7ef82N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4060
- C:\Users\Admin\AppData\Local\Temp\7zS789B.tmp\setup.exe
  "C:\Users\Admin\AppData\Local\Temp\7zS789B.tmp\setup.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1400
- - C:\Users\Admin\AppData\Local\Temp\is-MV2NJ.tmp\setup.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-MV2NJ.tmp\setup.tmp" /SL5="$60236,38217423,126976,C:\Users\Admin\AppData\Local\Temp\7zS789B.tmp\setup.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1460

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zS789B.tmp\setup.exe

Filesize
37.4MB

MD5
82f8e72006ca5cb716770d372931370c

SHA1
3ce41dede120a0e569cbcced815c08d5eb0bbd31

SHA256
9e89eeb3a5728cf7b588985a9f07d373b7f66a6c46bbacf5f77d6e0d871683ec

SHA512
867055d23a5b919b6fab35b437eab23a06229919567749683259688c226244867e1a1b6c0ef87cb171decdfdb73968456cc3173edd6742d1bb9034caef4038ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-MV2NJ.tmp\setup.tmp

Filesize
742KB

MD5
b30a9d7ad8891e64d00801bf131a42e5

SHA1
5a6a9df99ec0dd52c1ca18a07f91844fb13af939

SHA256
abe5a742e7594b494f9a70dcc03731b47294ab12a9a2227f8d86582da0b75558

SHA512
62dd2d8ea04832390330a3743600b1abd675d460812a2fa503a564cee1e372afb664dc5dcaca939dba126570ff8cef5089bc9cb8bdcda03f408e4623d99b3384

Download Submit
memory/1400-25-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1400-15-0x0000000000401000-0x000000000040B000-memory.dmp

Filesize
40KB

Download
memory/1400-12-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1460-30-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/1460-26-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/1460-28-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/1460-24-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/1460-32-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/1460-34-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/1460-36-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/1460-38-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/1460-40-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/1460-42-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/1460-44-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/1460-46-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download

Analysis

Sharing