pandastealer | dedd6b62e173bbd5a2775a8ae0c4202ed7c0cc8d5da7999f8e3a04a12598f0ed

General

Target

skinchanger.exe
Size

11.6MB
MD5

df6b38c068ba68ca172d27d689d504f5
SHA1

4af19a63f0383f042e3ee0cfbbb7d60639c46515
SHA256

dedd6b62e173bbd5a2775a8ae0c4202ed7c0cc8d5da7999f8e3a04a12598f0ed
SHA512

2d31632c2a5965b9fed4cdfe71077f95a98d1b45c4d4432024f8b849cd8a9423a7949c498cb638922798072116c5891689cfa49d57a63307b49e72e651111944
SSDEEP

196608:94r6c6iLU3kX8PsjmqVNORTpAwyr7K/PxKhB2uKi0lK/xmK6XJ4+U:CucJU3kX9NObzydki0uU5M

Score

10^/10

pandastealer discovery spyware stealer vmprotect

Malware Config

Extracted

Family

pandastealer

Version

1.11

C2

http://f0519573.xsph.ru

Signatures

Panda Stealer payload 1 IoCs

resource	yara_rule
behavioral1/memory/2952-43-0x00000000010D0000-0x0000000001A76000-memory.dmp	family_pandastealer

PandaStealer
Panda Stealer is a fork of CollectorProject Stealer written in C++.
stealer pandastealer
Pandastealer family
pandastealer

Executes dropped EXE 2 IoCs

pid	Process
3064	build.vmp.sfx.exe
2952	build.vmp.exe

Loads dropped DLL 7 IoCs

pid	Process
2008	skinchanger.exe
2008	skinchanger.exe
2008	skinchanger.exe
3064	build.vmp.sfx.exe
3064	build.vmp.sfx.exe
3064	build.vmp.sfx.exe
3064	build.vmp.sfx.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

VMProtect packed file 2 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral1/files/0x000a000000016cd8-19.dat	vmprotect
behavioral1/memory/2952-43-0x00000000010D0000-0x0000000001A76000-memory.dmp	vmprotect

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
2952	build.vmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	skinchanger.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	build.vmp.sfx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	build.vmp.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2952	build.vmp.exe
2952	build.vmp.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2008 wrote to memory of 3064	2008	skinchanger.exe	29
PID 2008 wrote to memory of 3064	2008	skinchanger.exe	29
PID 2008 wrote to memory of 3064	2008	skinchanger.exe	29
PID 2008 wrote to memory of 3064	2008	skinchanger.exe	29
PID 3064 wrote to memory of 2952	3064	build.vmp.sfx.exe	30
PID 3064 wrote to memory of 2952	3064	build.vmp.sfx.exe	30
PID 3064 wrote to memory of 2952	3064	build.vmp.sfx.exe	30
PID 3064 wrote to memory of 2952	3064	build.vmp.sfx.exe	30

C:\Users\Admin\AppData\Local\Temp\skinchanger.exe
"C:\Users\Admin\AppData\Local\Temp\skinchanger.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2008
- C:\Users\Admin\AppData\Local\Temp\build.vmp.sfx.exe
  "C:\Users\Admin\AppData\Local\Temp\build.vmp.sfx.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3064
- - C:\Users\Admin\AppData\Local\Temp\build.vmp.exe
    "C:\Users\Admin\AppData\Local\Temp\build.vmp.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2952

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\build.vmp.exe

Filesize
5.7MB

MD5
e4fc785451d5fa787ae6fc0cd3cd9915

SHA1
9fb6ba065fae12d584f8ff21d7cb7983f3154699

SHA256
1582751d73f7db5b9f4af9007a53c1f2b11c7aff7dcd706c6713323e097abade

SHA512
9d05ac94202d1b2adce979177d22b222f44ac27022fd4dfbdc29aad677cf794c68893a7f8a716524905485055ab2c88114cce6525175fbf1acfdbf5755447a42

Download Submit
\Users\Admin\AppData\Local\Temp\build.vmp.sfx.exe

Filesize
5.8MB

MD5
3cab81233b9149d63489129f27f9f7b3

SHA1
8564eabb56bba84a5d296cb94570bbc6fdb36973

SHA256
2ac2f6c5ab6bc83d2f42b6ead75398871b7c6fbcaf37626bcf40da0cc360f55d

SHA512
389553ddcbcae81d88dbc252c55dca5e3fb2fc1e8355fa1fd18f48ec3e77a81ce4d0262b8b5de3b198a9bb83dc59ba2a25910c8341239a5a017886721d1f1120

Download Submit
memory/2952-33-0x00000000000E0000-0x00000000000E1000-memory.dmp

Filesize
4KB

Download
memory/2952-35-0x00000000000E0000-0x00000000000E1000-memory.dmp

Filesize
4KB

Download
memory/2952-37-0x00000000000E0000-0x00000000000E1000-memory.dmp

Filesize
4KB

Download
memory/2952-38-0x00000000000F0000-0x00000000000F1000-memory.dmp

Filesize
4KB

Download
memory/2952-40-0x00000000000F0000-0x00000000000F1000-memory.dmp

Filesize
4KB

Download
memory/2952-42-0x00000000000F0000-0x00000000000F1000-memory.dmp

Filesize
4KB

Download
memory/2952-43-0x00000000010D0000-0x0000000001A76000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing