pandastealer | 8bd05c7e27e65b921ae28194857ff2769f249dd942342a70ff0878e678a3ed22

Analysis

max time kernel
122s
max time network
124s
platform
windows7_x64
resource
win7-20250207-en
resource tags

arch:x64arch:x86image:win7-20250207-enlocale:en-usos:windows7-x64system
submitted
21/02/2025, 20:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

$PLUGINSDIR/v9fft.exe
Size

1.7MB
MD5

1d05817fe02a8f9c077d2429c7cfdcf6
SHA1

eb0acb51721e9a5ecad7b686d301e784824344bd
SHA256

95fb369cba9b5d35630e253253cd62762440125243329adc1f3c267d56ba499e
SHA512

9bed5e93767cad1c4088b8c7180d61973a6c8b8353d0f59717689903affa88e353ffaf4fc5eda5903f2272a98dce69da252db8064c28176a7e704ea22f459e95
SSDEEP

24576:3F19ad/7Dz78CTrDMJdZCSmwdxY2MaugVXyDANT4KoRFoRfMdM+i6Vp1kT:lADzgCTqZCRyxpXesdGPVzkT

Score

10^/10

pandastealer bootkit discovery persistence stealer upx

Malware Config

Signatures

Panda Stealer payload 4 IoCs

resource	yara_rule
behavioral27/memory/1676-12-0x0000000001020000-0x000000000127D000-memory.dmp	family_pandastealer
behavioral27/memory/1676-14-0x0000000001020000-0x000000000127D000-memory.dmp	family_pandastealer
behavioral27/memory/1676-16-0x0000000001020000-0x000000000127D000-memory.dmp	family_pandastealer
behavioral27/memory/1676-18-0x0000000001020000-0x000000000127D000-memory.dmp	family_pandastealer

PandaStealer
Panda Stealer is a fork of CollectorProject Stealer written in C++.
stealer pandastealer
Pandastealer family
pandastealer

Executes dropped EXE 1 IoCs

pid	Process
1676	v9ht.exe

Loads dropped DLL 1 IoCs

pid	Process
1068	v9fft.exe

Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	v9fft.exe
File opened for modification	\??\PhysicalDrive0	v9ht.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral27/files/0x000400000001d9b4-3.dat	upx
behavioral27/memory/1068-7-0x0000000002290000-0x00000000024ED000-memory.dmp	upx
behavioral27/memory/1676-8-0x0000000001020000-0x000000000127D000-memory.dmp	upx
behavioral27/memory/1676-12-0x0000000001020000-0x000000000127D000-memory.dmp	upx
behavioral27/memory/1676-14-0x0000000001020000-0x000000000127D000-memory.dmp	upx
behavioral27/memory/1676-16-0x0000000001020000-0x000000000127D000-memory.dmp	upx
behavioral27/memory/1676-18-0x0000000001020000-0x000000000127D000-memory.dmp	upx

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\Google\Chrome\User Data\Default\Preferences	v9ht.exe
File opened for modification	C:\Program Files\Google\Chrome\User Data\Default\Web Data	v9ht.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	v9fft.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	v9ht.exe

Modifies Internet Explorer settings 1 TTPs 7 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Internet Explorer\SearchScopes\{33BB0A4E-99AF-4226-BDF6-49120163DE86}\URL = "http://search.v9.com/web/?q={searchTerms}"	v9ht.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Internet Explorer\SearchScopes\DefaultScope = "{33BB0A4E-99AF-4226-BDF6-49120163DE86}"	v9ht.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Internet Explorer\Main\Default_Page_URL = "http://www.v9.com/?utm_source=b&utm_medium=fft-1&from=fft-1&uid=WDC_WDS100T2B0A_232138804165&ts=1740168997"	v9ht.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Default_Page_URL = "http://www.v9.com/?utm_source=b&utm_medium=fft-1&from=fft-1&uid=WDC_WDS100T2B0A_232138804165&ts=1740168997"	v9ht.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\URL = "http://search.v9.com/web/?q={searchTerms}"	v9ht.exe
Key created	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Internet Explorer\SearchScopes\{33BB0A4E-99AF-4226-BDF6-49120163DE86}	v9ht.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Internet Explorer\SearchScopes\{33BB0A4E-99AF-4226-BDF6-49120163DE86}\DisplayName = "v9"	v9ht.exe

Modifies Internet Explorer start page 1 TTPs 2 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.v9.com/?utm_source=b&utm_medium=fft-1&from=fft-1&uid=WDC_WDS100T2B0A_232138804165&ts=1740168997"	v9ht.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Start Page = "http://www.v9.com/?utm_source=b&utm_medium=fft-1&from=fft-1&uid=WDC_WDS100T2B0A_232138804165&ts=1740168997"	v9ht.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1676	v9ht.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1676	v9ht.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1068 wrote to memory of 1676	1068	v9fft.exe	28
PID 1068 wrote to memory of 1676	1068	v9fft.exe	28
PID 1068 wrote to memory of 1676	1068	v9fft.exe	28
PID 1068 wrote to memory of 1676	1068	v9fft.exe	28
PID 1068 wrote to memory of 2780	1068	v9fft.exe	31
PID 1068 wrote to memory of 2780	1068	v9fft.exe	31
PID 1068 wrote to memory of 2780	1068	v9fft.exe	31
PID 1068 wrote to memory of 2780	1068	v9fft.exe	31

C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\v9fft.exe
"C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\v9fft.exe"
1⤵
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1068
- C:\Users\Admin\AppData\Local\Temp\V9Zip_000\v9ht.exe
  C:\Users\Admin\AppData\Local\Temp\V9Zip_000\v9ht.exe -oem=fft-1 -app=v9hp -flag=3 -nation=br
  2⤵
  - Executes dropped EXE
  - Writes to the Master Boot Record (MBR)
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Modifies Internet Explorer start page
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:1676
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\hfblddeldir.bat (null)
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2780

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\V9Zip_000\v9db.con

Filesize
796B

MD5
d433bf2db653914940087e78843cb804

SHA1
c44f14019efc5d7eb4758eab7e7bd59d7030d09e

SHA256
5fba963865f304dfab162007531ac172183124774ebe05ae3897c59c84be579f

SHA512
fe67349d30b18594c219cb8fa3c938b1d2cadabd6d4ce23402f55c8f32bc067639297d729f62333e615311184d8e63f55867e43fe354f19540604eda09f8866f

Download Submit
C:\Users\Admin\AppData\Local\Temp\hfblddeldir.bat

Filesize
124B

MD5
253c6de75a58b886dcff8e928b1c874c

SHA1
3a268b6ae30025368b044e2c9c77fbb45273e276

SHA256
b273345ac98c356321209a94dc905ebc7994069addc65f373924db97b5be45f3

SHA512
bcaac00a98c272ed6f0fc24518659128b3c808d2939ec23d5f42a22ca0db28c4ea5bc287386e8e4e10b138ac4689e1361afc3563271304ec1119458bc3c313f7

Download Submit
\Users\Admin\AppData\Local\Temp\V9Zip_000\v9ht.exe

Filesize
922KB

MD5
9a2f642a99c19b2d7ee60109c7de1b81

SHA1
8543ffe5e79516d110526fd305dbeacf04b041cb

SHA256
c07330c686767287b1d490f5c44d2b0265790860b32f1889d16d60c06d15f111

SHA512
1a0eeea8f17d19e81bd331ce324361520339fe75d6110e664fffe7fa654a4f091bb0377e9344f90310e4c85ca37c1dc01022e18d95aee72f60c204bb38099241

Download Submit
memory/1068-7-0x0000000002290000-0x00000000024ED000-memory.dmp

Filesize
2.4MB

Download
memory/1068-10-0x0000000002290000-0x00000000024ED000-memory.dmp

Filesize
2.4MB

Download
memory/1676-8-0x0000000001020000-0x000000000127D000-memory.dmp

Filesize
2.4MB

Download
memory/1676-12-0x0000000001020000-0x000000000127D000-memory.dmp

Filesize
2.4MB

Download
memory/1676-14-0x0000000001020000-0x000000000127D000-memory.dmp

Filesize
2.4MB

Download
memory/1676-16-0x0000000001020000-0x000000000127D000-memory.dmp

Filesize
2.4MB

Download
memory/1676-18-0x0000000001020000-0x000000000127D000-memory.dmp

Filesize
2.4MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads