pandastealer | a55a1fb322306d1e3052574c5539b2b4ac93a28f4baee165fcc7b0c5facc0d23

Analysis

max time kernel
71s
max time network
79s
platform
windows11-21h2_x64
resource
win11-20250313-en
resource tags

arch:x64arch:x86image:win11-20250313-enlocale:en-usos:windows11-21h2-x64system
submitted
23/03/2025, 16:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

GPOscript.rar
Size

315KB
MD5

b8f11fd5f47feb29d3390fbcbfb8f8a8
SHA1

a7d1abebf611c6b1df507df045bc09d5defa2235
SHA256

a55a1fb322306d1e3052574c5539b2b4ac93a28f4baee165fcc7b0c5facc0d23
SHA512

786f36b09385845e43f38e036693bcef6b19aab6b8b9c453f011fd99dc97f2927fe67ffb44797f3f66c999ccf0f9a84c33f4e4f42f87a1cb97d069d174b7f57a
SSDEEP

6144:F9aQ54JfOXFCEI0mnidW/rnQJYbjNUTYjIVs2X4DDM0GojCkp+gdiCLa:m044VMKEjnFbj+TWIVs2IDWQhoCa

Score

10^/10

pandastealer credential_access discovery spyware stealer

Malware Config

Signatures

Panda Stealer payload 1 IoCs

resource	yara_rule
behavioral1/files/0x001900000002b085-4.dat	family_pandastealer

PandaStealer
Panda Stealer is a fork of CollectorProject Stealer written in C++.
stealer pandastealer
Pandastealer family
pandastealer

Executes dropped EXE 3 IoCs

pid	Process
2812	script.exe
2280	script.exe
5952	script.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	script.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	script.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	script.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2812	script.exe
2812	script.exe
4300	7zFM.exe
4300	7zFM.exe
4300	7zFM.exe
4300	7zFM.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4300	7zFM.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeRestorePrivilege	4300	7zFM.exe
Token: 35	4300	7zFM.exe
Token: SeSecurityPrivilege	4300	7zFM.exe
Token: SeSecurityPrivilege	4300	7zFM.exe
Token: SeSecurityPrivilege	4300	7zFM.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
4300	7zFM.exe
4300	7zFM.exe
4300	7zFM.exe
4300	7zFM.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4300 wrote to memory of 2812	4300	7zFM.exe	82
PID 4300 wrote to memory of 2812	4300	7zFM.exe	82
PID 4300 wrote to memory of 2812	4300	7zFM.exe	82
PID 4300 wrote to memory of 2280	4300	7zFM.exe	85
PID 4300 wrote to memory of 2280	4300	7zFM.exe	85
PID 4300 wrote to memory of 2280	4300	7zFM.exe	85
PID 4300 wrote to memory of 5952	4300	7zFM.exe	86
PID 4300 wrote to memory of 5952	4300	7zFM.exe	86
PID 4300 wrote to memory of 5952	4300	7zFM.exe	86

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\GPOscript.rar"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4300
- C:\Users\Admin\AppData\Local\Temp\7zOCC08D5E7\script.exe
  "C:\Users\Admin\AppData\Local\Temp\7zOCC08D5E7\script.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2812
- C:\Users\Admin\AppData\Local\Temp\7zOCC0E30B7\script.exe
  "C:\Users\Admin\AppData\Local\Temp\7zOCC0E30B7\script.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2280
- C:\Users\Admin\AppData\Local\Temp\7zOCC057878\script.exe
  "C:\Users\Admin\AppData\Local\Temp\7zOCC057878\script.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5952

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zOCC08D5E7\script.exe

Filesize
632KB

MD5
699471c60523fd2c52d101f224651562

SHA1
d3fc7aaf914e1f3e649ef9e547af5f21372ae724

SHA256
0482414dd01db297c81e3ef661ff64320b37f3edd471c46935e51b32b806f335

SHA512
72d04845c822c56aa31dfe5c7921ccc3c14b3ac8394b3f251898c0089a961383cb865086b3fad3536cd76ebb6e2edfd3ffef6d8083d92b9c6fd7e17eda9299de

Download Submit