pandastealer | 2024-10-28_7b888b68c62a28789fcf2db37e45543c_mafia

Sharing

Copy URL

Twitter E-mail

General

Target

2024-10-28_7b888b68c62a28789fcf2db37e45543c_mafia
Size

4.6MB
MD5

7b888b68c62a28789fcf2db37e45543c
SHA1

2af49d607cd1bd6f475b76daa3fa1eea17ff8167
SHA256

3bca6bace9e41d163055a42e2006b83b911e501bebf0ba0c45768796040bf269
SHA512

70865bde5c10657362b92abfb64ee9414564385d6cd2c0b48862a46dc4822afecd7612b9c905d051b676a61206ba823bd478451c33a0cba0d6e43b5c4112bb70
SSDEEP

49152:3Rh538ZWomYWfblvl4GOo0sHFsFsCXJvFASC5sSCPIKnzeVpXUKiIKL5+L5jcmTl:h4mYeblvnOdo2bBSCPI1yKij+L2ONJ

Score

10^/10

pandastealer

Malware Config

Signatures

Panda Stealer payload 1 IoCs

resource	yara_rule
sample	family_pandastealer

Pandastealer family
pandastealer

Files

2024-10-28_7b888b68c62a28789fcf2db37e45543c_mafia
.exe windows:5 windows x86 arch:x86

a0b529a61b089e47f98a7fda1ec2bc9f

Code Sign

7e:93:eb:fb:7c:c6:4e:59:ea:4b:9a:77:d4:06:fc:3b
Certificate

Issuer

CN=Thawte Timestamping CA,OU=Thawte Certification,O=Thawte,L=Durbanville,ST=Western Cape,C=ZA

Not Before

21-12-2012 00:00

Not After

30-12-2020 23:59

Subject

CN=Symantec Time Stamping Services CA - G2,O=Symantec Corporation,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

47:97:4d:78:73:a5:bc:ab:0d:2f:b3:70:19:2f:ce:5e
Certificate

Issuer

CN=thawte Primary Root CA,OU=Certification Services Division+OU=(c) 2006 thawte\, Inc. - For authorized use only,O=thawte\, Inc.,C=US

Not Before

08-02-2010 00:00

Not After

07-02-2020 23:59

Subject

CN=Thawte Code Signing CA - G2,O=Thawte\, Inc.,C=US

Extended Key Usages

ExtKeyUsageClientAuth
ExtKeyUsageCodeSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

0e:cf:f4:38:c8:fe:bf:35:6e:04:d8:6a:98:1b:1a:50
Certificate

Issuer

CN=Symantec Time Stamping Services CA - G2,O=Symantec Corporation,C=US

Not Before

18-10-2012 00:00

Not After

29-12-2020 23:59

Subject

CN=Symantec Time Stamping Services Signer - G4,O=Symantec Corporation,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature

33:a6:a2:62:6f:72:48:24:5f:3a:61:5a:8c:e7:da:de
Certificate

Issuer

CN=Thawte Code Signing CA - G2,O=Thawte\, Inc.,C=US

Not Before

04-07-2014 00:00

Not After

01-08-2016 23:59

Subject

CN=Beijing Funshion Online Technologies Ltd.,OU=SECURE APPLICATION DEVELOPMENT,O=Beijing Funshion Online Technologies Ltd.,L=Beijing,ST=Beijing,C=CN

Extended Key Usages

ExtKeyUsageCodeSigning
ExtKeyUsageMicrosoftCommercialCodeSigning

Key Usages

KeyUsageDigitalSignature

61:39:d0:3a:72:c3:c3:0f:2d:0d:77:b6:99:9a:cc:a4:13:da:75:62
Signer

Actual PE Digest

61:39:d0:3a:72:c3:c3:0f:2d:0d:77:b6:99:9a:cc:a4:13:da:75:62

Digest Algorithm

sha1

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

PDB Paths

I:\build3.0.3\Funshion\Rel\bin\Release\Funshion.pdb

Imports

dbghelp

MiniDumpWriteDump

shlwapi

PathFileExistsW
PathRemoveFileSpecW
SHDeleteValueW
SHGetValueW
SHDeleteKeyW
SHSetValueW
StrStrIW
PathFindFileNameW
PathRemoveExtensionW
PathAddExtensionW
StrCpyW
PathFindExtensionW
StrCmpIW
PathAppendW
PathIsRootW
StrFormatByteSizeW

ws2_32

gethostbyname
inet_ntoa
gethostname
ntohs
send
closesocket
ntohl
socket
recv
htons
select
connect
__WSAFDIsSet
getservbyname
WSAGetLastError
freeaddrinfo
getaddrinfo
getnameinfo
WSAStartup
WSACleanup
accept
bind
listen
shutdown
sendto
recvfrom
getsockname
getpeername
setsockopt
getsockopt
ioctlsocket
inet_addr

wininet

FindCloseUrlCache
FindFirstUrlCacheEntryW
InternetGetCookieExW
InternetOpenA
InternetGetConnectedState
HttpQueryInfoW
InternetSetOptionA
InternetReadFile
InternetOpenUrlW
HttpQueryInfoA
FindNextUrlCacheEntryW
DeleteUrlCacheEntryW
InternetSetCookieW
InternetCloseHandle

iphlpapi

GetIfEntry
GetBestInterface
GetAdaptersInfo

psapi

GetModuleFileNameExW

winmm

waveOutSetVolume
timeGetTime
mixerGetLineControlsW
mixerOpen
mixerGetLineInfoW
mixerClose
waveOutGetVolume
mixerGetControlDetailsW

rpcrt4

UuidCreate
UuidToStringW

dsound

ord3

kernel32

ExitProcess
FindResourceExW
FindResourceW
FreeLibrary
LoadResource
LoadLibraryExW
InterlockedIncrement
InterlockedDecrement
GetCurrentProcess
CreateDirectoryW
GlobalLock
GetModuleHandleW
GlobalAlloc
InitializeCriticalSectionAndSpinCount
SizeofResource
LeaveCriticalSection
MulDiv
GetModuleFileNameW
lstrcmpW
MultiByteToWideChar
lstrlenW
GlobalUnlock
FlushInstructionCache
RaiseException
GetLastError
SetLastError
GetProcAddress
EnterCriticalSection
LockResource
CreateEventW
lstrcmpiW
DeleteCriticalSection
GetCurrentThreadId
CloseHandle
SetFileAttributesW
GetFileSize
InterlockedCompareExchange
ReadFile
CreateFileW
GlobalFree
lstrlenA
GetPrivateProfileStringW
WritePrivateProfileStringW
GetPrivateProfileIntW
GetCurrentDirectoryW
LoadLibraryW
OutputDebugStringA
FindFirstFileW
GetDriveTypeA
GetSystemDirectoryW
GetVersionExW
GetLogicalDriveStringsA
FindClose
Process32FirstW
GlobalMemoryStatusEx
RemoveDirectoryW
GetDiskFreeSpaceA
GetSystemInfo
Process32NextW
GetModuleHandleA
FindNextFileW
CreateToolhelp32Snapshot
GetDiskFreeSpaceExW
DeleteFileW
OutputDebugStringW
WideCharToMultiByte
CreateProcessW
SetUnhandledExceptionFilter
GetCurrentProcessId
CreateThread
WriteFile
GetFileAttributesW
TryEnterCriticalSection
InitializeCriticalSection
SetInformationJobObject
CreateJobObjectW
GetTickCount
AssignProcessToJobObject
OpenJobObjectW
ConnectNamedPipe
GetOverlappedResult
GetLocalTime
WaitForSingleObject
SetEvent
TerminateThread
FileTimeToSystemTime
FileTimeToLocalFileTime
lstrcpyW
InterlockedExchange
SetThreadExecutionState
CopyFileW
CreateFileA
HeapAlloc
HeapFree
GetProcessHeap
DeviceIoControl
OpenProcess
TerminateProcess
ResetEvent
WaitForMultipleObjects
IsBadReadPtr
GetDriveTypeW
GetLogicalDrives
GlobalHandle
MoveFileW
lstrcpynW
CreateEventA
VirtualProtect
GetSystemTimeAsFileTime
LoadLibraryA
ExpandEnvironmentStringsW
FlushFileBuffers
SetHandleInformation
GetStartupInfoW
GetStdHandle
CreatePipe
GlobalReAlloc
GetFileAttributesA
GetFileAttributesExW
DeleteFileA
GetFullPathNameW
GetFullPathNameA
SetFilePointer
SetEndOfFile
QueryPerformanceCounter
UnlockFile
LockFile
FormatMessageA
GetTempPathW
LockFileEx
GetTempPathA
GetSystemTime
AreFileApisANSI
CompareStringW
HeapCreate
GetTimeZoneInformation
IsValidLocale
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
FreeEnvironmentStringsW
GetEnvironmentStringsW
SetHandleCount
GetFileType
GetACP
GetOEMCP
IsValidCodePage
GetConsoleCP
GetConsoleMode
GetUserDefaultLCID
GetLocaleInfoA
EnumSystemLocalesA
LCMapStringW
GetCPInfo
CreateNamedPipeW
SetStdHandle
WriteConsoleW
SetEnvironmentVariableA
OpenEventA
ResumeThread
SystemTimeToFileTime
SetWaitableTimer
CreateWaitableTimerA
InterlockedPushEntrySList
LocalFileTimeToFileTime
IsDebuggerPresent
UnhandledExceptionFilter
ExitThread
GetDateFormatW
GetTimeFormatW
GetDateFormatA
GetTimeFormatA
RtlUnwind
HeapSetInformation
GetCommandLineW
GetComputerNameW
GetVersionExA
SetEnvironmentVariableW
GetEnvironmentVariableW
GetLogicalDriveStringsW
GetLongPathNameW
SetFileTime
UnmapViewOfFile
MapViewOfFile
CreateFileMappingA
CreateFileMappingW
ReleaseMutex
CreateMutexW
LocalFree
GetLocaleInfoW
DecodePointer
EncodePointer
GetStringTypeW
HeapSize
HeapReAlloc
HeapDestroy
InterlockedPopEntrySList
VirtualAlloc
VirtualFree
IsProcessorFeaturePresent
Sleep

user32

EnableWindow
PostThreadMessageW
GetWindowRect
ShowCursor
GetSystemMetrics
wsprintfW
SetTimer
KillTimer
SetRect
IsWindowVisible
DrawTextW
ShowWindow
EndPaint
ClientToScreen
DestroyWindow
GetWindowTextLengthW
DestroyAcceleratorTable
ScreenToClient
GetMessageW
CharNextW
RegisterWindowMessageW
FillRect
IsChild
GetFocus
GetParent
InvalidateRgn
LoadCursorW
FindWindowW
GetClientRect
CreateAcceleratorTableW
SetFocus
BeginPaint
GetClassInfoExW
GetDC
MapDialogRect
EnableMenuItem
SetWindowContextHelpId
SendDlgItemMessageW
CreateDialogIndirectParamW
DialogBoxParamW
EndDialog
GetMenuItemID
GetMenuItemCount
CloseClipboard
EmptyClipboard
GetSysColorBrush
OpenClipboard
SetClipboardData
IntersectRect
DisableProcessWindowsGhosting
EqualRect
AppendMenuW
SetRectEmpty
RegisterClassW
TranslateMessage
RegisterClassExW
InvalidateRect
GetWindowLongW
GetCursorPos
PeekMessageW
GetClassNameW
ReleaseDC
GetDlgItem
SetWindowLongW
RedrawWindow
GetDesktopWindow
GetSysColor
SetWindowPos
IsWindow
CreateWindowExW
MessageBoxW
ReleaseCapture
SendMessageW
IsRectEmpty
SetCursor
GetCapture
BringWindowToTop
GetKeyState
UnregisterHotKey
RegisterHotKey
UpdateLayeredWindow
GetWindowDC
UpdateWindow
EnumDisplayMonitors
GetMonitorInfoW
CopyRect
MonitorFromRect
OffsetRect
SetWindowTextW
CallWindowProcW
DefWindowProcW
GetWindow
MapWindowPoints
LoadImageW
RegisterDeviceNotificationW
MoveWindow
DispatchMessageW
GetWindowThreadProcessId
SetWindowRgn
PtInRect
InflateRect
SystemParametersInfoW
UnregisterClassA
DestroyIcon
GetDlgCtrlID
GetActiveWindow
MonitorFromWindow
ExitWindowsEx
TrackPopupMenu
GetSubMenu
ModifyMenuW
CheckMenuRadioItem
LoadMenuW
IsWindowEnabled
SetForegroundWindow
IsZoomed
PostMessageW
IsIconic
SetActiveWindow
PostQuitMessage
CreateDialogParamW
SetLayeredWindowAttributes
SendMessageA
CheckMenuItem
DestroyMenu
RemoveMenu
wsprintfA
wvsprintfA
CreateDesktopW
GetTopWindow
WindowFromPoint
GetWindowTextW
GetForegroundWindow
SetCapture

gdi32

SelectClipRgn
CreateRectRgn
GetClipBox
ExtSelectClipRgn
GetTextColor
CreateFontW
CombineRgn
SetPixel
Rectangle
DPtoLP
RoundRect
SaveDC
RestoreDC
MoveToEx
LineTo
CreatePen
CreateFontIndirectW
ExtTextOutW
CreateRoundRectRgn
GetTextExtentPoint32W
SetTextColor
CreateDIBSection
SetBkColor
SetBkMode
BitBlt
DeleteDC
GetDeviceCaps
DeleteObject
SelectObject
CreateCompatibleDC
CreateCompatibleBitmap
GetObjectW
CreateSolidBrush
GetStockObject
CreateRectRgnIndirect

advapi32

RegQueryValueExW
RegCreateKeyExW
RegQueryInfoKeyW
InitializeSecurityDescriptor
RegDeleteKeyW
SetSecurityDescriptorDacl
RegDeleteValueW
IsTextUnicode
RegOpenKeyExA
RegOpenKeyW
RegQueryValueExA
RegEnumKeyW
AdjustTokenPrivileges
LookupPrivilegeValueW
OpenProcessToken
RegOpenKeyExW
RegSetValueExW
RegCloseKey
RegEnumKeyExW

shell32

SHGetSpecialFolderPathW
SHGetMalloc
SHBrowseForFolderW
ord2
ord4
SHGetPathFromIDListW
SHGetDesktopFolder
DragQueryFileW
Shell_NotifyIconW
SHChangeNotify
ShellExecuteExW
ord165
SHCreateDirectoryExW
ShellExecuteW
SHFileOperationW

ole32

CoTaskMemFree
CoGetClassObject
CoSetProxyBlanket
CoUninitialize
OleUninitialize
CreateStreamOnHGlobal
StgCreateDocfile
OleCreate
OleInitialize
CoInitialize
StringFromGUID2
CLSIDFromString
OleSetContainedObject
OleDraw
CLSIDFromProgID
CoTaskMemRealloc
OleLockRunning
CoCreateGuid
CoCreateInstance
CoTaskMemAlloc

oleaut32

GetErrorInfo
VariantClear
LoadTypeLi
VariantInit
SysAllocStringLen
SysStringLen
SysAllocString
DispCallFunc
SysStringByteLen
SysAllocStringByteLen
OleLoadPicture
LoadRegTypeLi
SysFreeString
VarUI4FromStr
OleCreateFontIndirect

comctl32

_TrackMouseEvent
ImageList_Create
InitCommonControlsEx

msimg32

AlphaBlend
GradientFill
TransparentBlt

urlmon

UrlMkGetSessionOption
CoInternetSetFeatureEnabled

gdiplus

GdipDrawLineI
GdipCreateFromHDC
GdipDeleteGraphics
GdipDeletePen
GdipCreatePen1

winhttp

WinHttpSendRequest
WinHttpSetTimeouts
WinHttpReceiveResponse
WinHttpConnect
WinHttpCloseHandle
WinHttpOpenRequest
WinHttpCrackUrl
WinHttpReadData
WinHttpQueryDataAvailable
WinHttpSetStatusCallback
WinHttpQueryHeaders
WinHttpOpen

imagehlp

ImageGetCertificateData
ImageGetCertificateHeader

version

GetFileVersionInfoSizeW
VerQueryValueW
GetFileVersionInfoW

comdlg32

GetSaveFileNameW
GetOpenFileNameW

wintrust

WinVerifyTrust

crypt32

CryptVerifyMessageSignature

Sections

.text
Size: 3.0MB - Virtual size: 3.0MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 585KB - Virtual size: 585KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 103KB - Virtual size: 131KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.tls
Size: 512B - Virtual size: 2B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 763KB - Virtual size: 763KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 178KB - Virtual size: 178KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

a0b529a61b089e47f98a7fda1ec2bc9f

Code Sign

7e:93:eb:fb:7c:c6:4e:59:ea:4b:9a:77:d4:06:fc:3bCertificate

Extended Key Usages

Key Usages

47:97:4d:78:73:a5:bc:ab:0d:2f:b3:70:19:2f:ce:5eCertificate

Extended Key Usages

Key Usages

0e:cf:f4:38:c8:fe:bf:35:6e:04:d8:6a:98:1b:1a:50Certificate

Extended Key Usages

Key Usages

33:a6:a2:62:6f:72:48:24:5f:3a:61:5a:8c:e7:da:deCertificate

Extended Key Usages

Key Usages

61:39:d0:3a:72:c3:c3:0f:2d:0d:77:b6:99:9a:cc:a4:13:da:75:62Signer

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

dbghelp

shlwapi

ws2_32

wininet

iphlpapi

psapi

winmm

rpcrt4

dsound

kernel32

user32

gdi32

advapi32

shell32

ole32

oleaut32

comctl32

msimg32

urlmon

gdiplus

winhttp

imagehlp

version

comdlg32

wintrust

crypt32

Sections

.text Size: 3.0MB - Virtual size: 3.0MB

.rdata Size: 585KB - Virtual size: 585KB

.data Size: 103KB - Virtual size: 131KB

.tls Size: 512B - Virtual size: 2B

.rsrc Size: 763KB - Virtual size: 763KB

.reloc Size: 178KB - Virtual size: 178KB

7e:93:eb:fb:7c:c6:4e:59:ea:4b:9a:77:d4:06:fc:3b
Certificate

47:97:4d:78:73:a5:bc:ab:0d:2f:b3:70:19:2f:ce:5e
Certificate

0e:cf:f4:38:c8:fe:bf:35:6e:04:d8:6a:98:1b:1a:50
Certificate

33:a6:a2:62:6f:72:48:24:5f:3a:61:5a:8c:e7:da:de
Certificate

61:39:d0:3a:72:c3:c3:0f:2d:0d:77:b6:99:9a:cc:a4:13:da:75:62
Signer

.text
Size: 3.0MB - Virtual size: 3.0MB

.rdata
Size: 585KB - Virtual size: 585KB

.data
Size: 103KB - Virtual size: 131KB

.tls
Size: 512B - Virtual size: 2B

.rsrc
Size: 763KB - Virtual size: 763KB

.reloc
Size: 178KB - Virtual size: 178KB