pandastealer | 933a3b090613a423aa7f9486e5a779f57a967776d8b154a40c078e2bff33f526

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
25-03-2024 04:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ddos-reaper (2).7z
Size

1.2MB
MD5

359d6a3b91cafd2e9409d32b50e69feb
SHA1

401c0df087cd72461751b80f9800d22e5b2c5fe0
SHA256

933a3b090613a423aa7f9486e5a779f57a967776d8b154a40c078e2bff33f526
SHA512

ad6d54221e1b857b564be496cac3320bd30d197b87d5e3f6f9c24138f154bf051d178631417cd1726f9340d9b91ced19c159bf8f665defb9d77e2f155fd012bc
SSDEEP

24576:kS7p30yyt8cDQsemqxQkqOsnfY5uIXVzZxJwqlJWcoaQm:kS7p30y87DQCHi55VzZAqlJWhg

Score

10^/10

pandastealer phoenixstealer stealer

Malware Config

Signatures

Panda Stealer payload 5 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2468-130-0x0000000000400000-0x000000000048D000-memory.dmp	family_pandastealer
behavioral2/memory/2468-139-0x0000000000400000-0x000000000048D000-memory.dmp	family_pandastealer
behavioral2/memory/3360-279-0x0000000000700000-0x000000000078D000-memory.dmp	family_pandastealer
behavioral2/memory/3360-288-0x0000000000700000-0x000000000078D000-memory.dmp	family_pandastealer
behavioral2/memory/3040-353-0x0000000000400000-0x000000000048D000-memory.dmp	family_pandastealer

PandaStealer
Panda Stealer is a fork of CollectorProject Stealer written in C++.
stealer pandastealer
PhoenixStealer
PhoenixStealer is an information stealer written in the C++, it sends the stolen information to cybercriminals.
stealer phoenixstealer
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

cmd.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation cmd.exe
Executes dropped EXE 3 IoCs

Processes:

ddos-reaper.exeddos-reaper.exeddos-reaper.exe

pid process

696 ddos-reaper.exe
8 ddos-reaper.exe
4868 ddos-reaper.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	cmd.exe

pid	process
696	ddos-reaper.exe
8	ddos-reaper.exe
4868	ddos-reaper.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

ddos-reaper.exeddos-reaper.exeddos-reaper.exe

description	pid	process	target process
PID 696 set thread context of 2468	696	ddos-reaper.exe	RegSvcs.exe
PID 8 set thread context of 3360	8	ddos-reaper.exe	RegSvcs.exe
PID 4868 set thread context of 3040	4868	ddos-reaper.exe	RegSvcs.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 3 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exe

pid pid_target process target process

4316 696 WerFault.exe ddos-reaper.exe
3404 8 WerFault.exe ddos-reaper.exe
4680 4868 WerFault.exe ddos-reaper.exe
Modifies registry class 1 IoCs

Processes:

cmd.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings cmd.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

RegSvcs.exe

pid process

2468 RegSvcs.exe
2468 RegSvcs.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

7zFM.exe

pid process

1780 7zFM.exe
Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

7zFM.exe

description pid process

Token: SeRestorePrivilege 1780 7zFM.exe
Token: 35 1780 7zFM.exe
Token: SeSecurityPrivilege 1780 7zFM.exe
Token: SeSecurityPrivilege 1780 7zFM.exe
Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

7zFM.exe

pid process

1780 7zFM.exe
1780 7zFM.exe
1780 7zFM.exe

pid	pid_target	process	target process
4316	696	WerFault.exe	ddos-reaper.exe
3404	8	WerFault.exe	ddos-reaper.exe
4680	4868	WerFault.exe	ddos-reaper.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings	cmd.exe

pid	process
2468	RegSvcs.exe
2468	RegSvcs.exe

pid	process
1780	7zFM.exe

description	pid	process
Token: SeRestorePrivilege	1780	7zFM.exe
Token: 35	1780	7zFM.exe
Token: SeSecurityPrivilege	1780	7zFM.exe
Token: SeSecurityPrivilege	1780	7zFM.exe

pid	process
1780	7zFM.exe
1780	7zFM.exe
1780	7zFM.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

cmd.exe7zFM.exeddos-reaper.exeddos-reaper.exeddos-reaper.exe

description	pid	process	target process
PID 4128 wrote to memory of 1780	4128	cmd.exe	7zFM.exe
PID 4128 wrote to memory of 1780	4128	cmd.exe	7zFM.exe
PID 1780 wrote to memory of 696	1780	7zFM.exe	ddos-reaper.exe
PID 1780 wrote to memory of 696	1780	7zFM.exe	ddos-reaper.exe
PID 1780 wrote to memory of 696	1780	7zFM.exe	ddos-reaper.exe
PID 696 wrote to memory of 2468	696	ddos-reaper.exe	RegSvcs.exe
PID 696 wrote to memory of 2468	696	ddos-reaper.exe	RegSvcs.exe
PID 696 wrote to memory of 2468	696	ddos-reaper.exe	RegSvcs.exe
PID 696 wrote to memory of 2468	696	ddos-reaper.exe	RegSvcs.exe
PID 696 wrote to memory of 2468	696	ddos-reaper.exe	RegSvcs.exe
PID 8 wrote to memory of 3360	8	ddos-reaper.exe	RegSvcs.exe
PID 8 wrote to memory of 3360	8	ddos-reaper.exe	RegSvcs.exe
PID 8 wrote to memory of 3360	8	ddos-reaper.exe	RegSvcs.exe
PID 8 wrote to memory of 3360	8	ddos-reaper.exe	RegSvcs.exe
PID 8 wrote to memory of 3360	8	ddos-reaper.exe	RegSvcs.exe
PID 4868 wrote to memory of 3040	4868	ddos-reaper.exe	RegSvcs.exe
PID 4868 wrote to memory of 3040	4868	ddos-reaper.exe	RegSvcs.exe
PID 4868 wrote to memory of 3040	4868	ddos-reaper.exe	RegSvcs.exe
PID 4868 wrote to memory of 3040	4868	ddos-reaper.exe	RegSvcs.exe
PID 4868 wrote to memory of 3040	4868	ddos-reaper.exe	RegSvcs.exe

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\ddos-reaper (2).7z"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4128

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\ddos-reaper (2).7z"
2⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1780

C:\Users\Admin\AppData\Local\Temp\7zO4F63ABB7\ddos-reaper.exe
"C:\Users\Admin\AppData\Local\Temp\7zO4F63ABB7\ddos-reaper.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:696

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:2468

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 696 -s 440
4⤵
- Program crash
PID:4316

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 696 -ip 696
1⤵
PID:4460

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3712

C:\Users\Admin\Desktop\ddos-reaper\ddos-reaper.exe
"C:\Users\Admin\Desktop\ddos-reaper\ddos-reaper.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:8

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
2⤵
PID:3360

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 8 -s 440
2⤵
- Program crash
PID:3404

C:\Users\Admin\Desktop\ddos-reaper\ddos-reaper.exe
"C:\Users\Admin\Desktop\ddos-reaper\ddos-reaper.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4868

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
2⤵
PID:3040

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4868 -s 412
2⤵
- Program crash
PID:4680

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 8 -ip 8
1⤵
PID:2784

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4868 -ip 4868
1⤵
PID:1692

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zO4F63ABB7\ddos-reaper.exe
Filesize
1.2MB

MD5
dd20876bf25544aa55e0c3725103c666

SHA1
d00d689de9f35159188935d3bd93677c807ed655

SHA256
33e5d605c1c13a995d4a2d7cb9dca9facda4c97c1c7b41dc349cc756bfc0bd67

SHA512
8e88e8777717d203065144ce594e18f86048c83c83d06ef06f0255f42c0de1bfdb1da2faad2bb39da52a652eb4267af79a84d2822afb6e5e31e27899b70ab9fc

Download Submit
C:\Users\Admin\Desktop\ddos-reaper\headers.txt
Filesize
226B

MD5
d96df362a721b7f2e5069f282231d008

SHA1
66506f444bcf6a3b0ab1d790598e64997f56a349

SHA256
8b834227d25fd9777362c074d3184c480f3ca1c51ac287c84097bb90ff1b9346

SHA512
121de04f3f8b4e34046e780605303508948e381e909b6cda5bc8cad61859ffc5ea0a82e700c3550b35aff88bcad699ab9c3266c1b4bb4daff36ff5bef11e302b

Download Submit
memory/8-197-0x0000000000400000-0x0000000000832000-memory.dmp

Filesize
4.2MB

Download
memory/696-11-0x0000000000400000-0x0000000000832000-memory.dmp

Filesize
4.2MB

Download
memory/696-13-0x00000000025F0000-0x0000000002650000-memory.dmp

Filesize
384KB

Download
memory/696-14-0x0000000002770000-0x0000000002771000-memory.dmp

Filesize
4KB

Download
memory/696-15-0x0000000002760000-0x0000000002761000-memory.dmp

Filesize
4KB

Download
memory/696-16-0x00000000027D0000-0x00000000027D1000-memory.dmp

Filesize
4KB

Download
memory/696-17-0x0000000002750000-0x0000000002751000-memory.dmp

Filesize
4KB

Download
memory/696-18-0x00000000027F0000-0x00000000027F1000-memory.dmp

Filesize
4KB

Download
memory/696-19-0x00000000027A0000-0x00000000027A1000-memory.dmp

Filesize
4KB

Download
memory/696-20-0x00000000027E0000-0x00000000027E1000-memory.dmp

Filesize
4KB

Download
memory/696-21-0x0000000003760000-0x0000000003761000-memory.dmp

Filesize
4KB

Download
memory/696-22-0x00000000027C0000-0x00000000027C1000-memory.dmp

Filesize
4KB

Download
memory/696-26-0x0000000002880000-0x0000000002881000-memory.dmp

Filesize
4KB

Download
memory/696-27-0x0000000002850000-0x0000000002851000-memory.dmp

Filesize
4KB

Download
memory/696-25-0x0000000002820000-0x0000000002821000-memory.dmp

Filesize
4KB

Download
memory/696-28-0x0000000002810000-0x0000000002811000-memory.dmp

Filesize
4KB

Download
memory/696-24-0x0000000002830000-0x0000000002831000-memory.dmp

Filesize
4KB

Download
memory/696-23-0x0000000003750000-0x0000000003751000-memory.dmp

Filesize
4KB

Download
memory/696-29-0x0000000002890000-0x0000000002891000-memory.dmp

Filesize
4KB

Download
memory/696-30-0x00000000028F0000-0x00000000028F1000-memory.dmp

Filesize
4KB

Download
memory/696-31-0x00000000028E0000-0x00000000028E1000-memory.dmp

Filesize
4KB

Download
memory/696-33-0x0000000002910000-0x0000000002911000-memory.dmp

Filesize
4KB

Download
memory/696-32-0x00000000028D0000-0x00000000028D1000-memory.dmp

Filesize
4KB

Download
memory/696-34-0x0000000002930000-0x0000000002931000-memory.dmp

Filesize
4KB

Download
memory/696-35-0x0000000002840000-0x0000000002841000-memory.dmp

Filesize
4KB

Download
memory/696-36-0x00000000037A0000-0x0000000003830000-memory.dmp

Filesize
576KB

Download
memory/696-37-0x00000000037A0000-0x0000000003830000-memory.dmp

Filesize
576KB

Download
memory/696-38-0x00000000037A0000-0x0000000003830000-memory.dmp

Filesize
576KB

Download
memory/696-39-0x00000000037A0000-0x0000000003830000-memory.dmp

Filesize
576KB

Download
memory/696-40-0x00000000037A0000-0x0000000003830000-memory.dmp

Filesize
576KB

Download
memory/696-41-0x00000000037A0000-0x0000000003830000-memory.dmp

Filesize
576KB

Download
memory/696-42-0x00000000037A0000-0x0000000003830000-memory.dmp

Filesize
576KB

Download
memory/696-43-0x00000000037A0000-0x0000000003830000-memory.dmp

Filesize
576KB

Download
memory/696-44-0x00000000037A0000-0x0000000003830000-memory.dmp

Filesize
576KB

Download
memory/696-45-0x00000000037A0000-0x0000000003830000-memory.dmp

Filesize
576KB

Download
memory/696-46-0x00000000037A0000-0x0000000003830000-memory.dmp

Filesize
576KB

Download
memory/696-47-0x00000000037A0000-0x0000000003830000-memory.dmp

Filesize
576KB

Download
memory/696-48-0x00000000037A0000-0x0000000003830000-memory.dmp

Filesize
576KB

Download
memory/696-49-0x00000000037A0000-0x0000000003830000-memory.dmp

Filesize
576KB

Download
memory/696-50-0x00000000037A0000-0x0000000003830000-memory.dmp

Filesize
576KB

Download
memory/696-51-0x00000000037A0000-0x0000000003830000-memory.dmp

Filesize
576KB

Download
memory/696-53-0x00000000037A0000-0x0000000003830000-memory.dmp

Filesize
576KB

Download
memory/696-52-0x00000000037A0000-0x0000000003830000-memory.dmp

Filesize
576KB

Download
memory/696-54-0x00000000037A0000-0x0000000003830000-memory.dmp

Filesize
576KB

Download
memory/696-55-0x00000000037A0000-0x0000000003830000-memory.dmp

Filesize
576KB

Download
memory/696-56-0x00000000037A0000-0x0000000003830000-memory.dmp

Filesize
576KB

Download
memory/696-57-0x00000000037A0000-0x0000000003830000-memory.dmp

Filesize
576KB

Download
memory/696-58-0x00000000037A0000-0x0000000003830000-memory.dmp

Filesize
576KB

Download
memory/696-59-0x00000000037A0000-0x0000000003830000-memory.dmp

Filesize
576KB

Download
memory/696-61-0x00000000037A0000-0x0000000003830000-memory.dmp

Filesize
576KB

Download
memory/696-60-0x00000000037A0000-0x0000000003830000-memory.dmp

Filesize
576KB

Download
memory/696-62-0x00000000037A0000-0x0000000003830000-memory.dmp

Filesize
576KB

Download
memory/696-63-0x0000000002800000-0x0000000002801000-memory.dmp

Filesize
4KB

Download
memory/696-64-0x0000000002800000-0x0000000002801000-memory.dmp

Filesize
4KB

Download
memory/696-65-0x00000000025D0000-0x00000000025D1000-memory.dmp

Filesize
4KB

Download
memory/696-67-0x0000000003790000-0x0000000003791000-memory.dmp

Filesize
4KB

Download
memory/696-66-0x00000000025E0000-0x00000000025E1000-memory.dmp

Filesize
4KB

Download
memory/696-68-0x0000000003780000-0x0000000003781000-memory.dmp

Filesize
4KB

Download
memory/696-69-0x0000000003770000-0x0000000003771000-memory.dmp

Filesize
4KB

Download
memory/696-70-0x0000000000400000-0x0000000000832000-memory.dmp

Filesize
4.2MB

Download
memory/696-71-0x00000000025F0000-0x0000000002650000-memory.dmp

Filesize
384KB

Download
memory/696-73-0x00000000037A0000-0x0000000003830000-memory.dmp

Filesize
576KB

Download
memory/696-74-0x00000000037A0000-0x0000000003830000-memory.dmp

Filesize
576KB

Download
memory/696-76-0x00000000037A0000-0x0000000003830000-memory.dmp

Filesize
576KB

Download
memory/696-77-0x00000000037A0000-0x0000000003830000-memory.dmp

Filesize
576KB

Download
memory/696-75-0x00000000037A0000-0x0000000003830000-memory.dmp

Filesize
576KB

Download
memory/2468-130-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/2468-139-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/3040-353-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/3360-279-0x0000000000700000-0x000000000078D000-memory.dmp

Filesize
564KB

Download
memory/3360-288-0x0000000000700000-0x000000000078D000-memory.dmp

Filesize
564KB

Download
memory/4868-290-0x0000000000400000-0x0000000000832000-memory.dmp

Filesize
4.2MB

Download