General
-
Target
1.0.154_chromesetup_154_59.exe
-
Size
8.4MB
-
Sample
241027-xeszhs1apb
-
MD5
e11e70ba243800626d17e3ffa6c9fb71
-
SHA1
5d2af9b1cf073963450b449177dab9eaac1585d7
-
SHA256
f0ffb4eb4baa73672a2390097d2a7fc1e2dd94a99f20992984ea408cacbd5c17
-
SHA512
06d0de74d1c4fbf47a1cbb878882fa330501e134649db3499d8d9a42ec3a7df8274b28aae3fa56ef9255c1daa219cf8e2795f84da7430ec959f19daa27491f91
-
SSDEEP
196608:uCBPqMsUrtT+q7uDZhZN3dujhwrT6C+CuQHrDj+Fo:nPqMLh6TZVdGhX+LDjx
Malware Config
Targets
-
-
Target
1.0.154_chromesetup_154_59.exe
-
Size
8.4MB
-
MD5
e11e70ba243800626d17e3ffa6c9fb71
-
SHA1
5d2af9b1cf073963450b449177dab9eaac1585d7
-
SHA256
f0ffb4eb4baa73672a2390097d2a7fc1e2dd94a99f20992984ea408cacbd5c17
-
SHA512
06d0de74d1c4fbf47a1cbb878882fa330501e134649db3499d8d9a42ec3a7df8274b28aae3fa56ef9255c1daa219cf8e2795f84da7430ec959f19daa27491f91
-
SSDEEP
196608:uCBPqMsUrtT+q7uDZhZN3dujhwrT6C+CuQHrDj+Fo:nPqMLh6TZVdGhX+LDjx
Score10/10-
Panda Stealer payload
-
PandaStealer
Panda Stealer is a fork of CollectorProject Stealer written in C++.
-
Pandastealer family
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
Boot or Logon Autostart Execution: Active Setup
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Event Triggered Execution: Component Object Model Hijacking
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
-
Executes dropped EXE
-
Loads dropped DLL
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops desktop.ini file(s)
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Active Setup
1Event Triggered Execution
1Component Object Model Hijacking
1Privilege Escalation
Boot or Logon Autostart Execution
1Active Setup
1Event Triggered Execution
1Component Object Model Hijacking
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1