MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 31ed064712da1c70c11c2e157e8469812befb3f051dcd7ffa4de44be49860381. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Intelligence File information Yara 2 Comments

SHA256 hash: 31ed064712da1c70c11c2e157e8469812befb3f051dcd7ffa4de44be49860381
SHA3-384 hash: 25c46e6d8dc27ae3e70156ae93ee32d4fc569b18f8fc5e50a067b8c1f6d9e3c2188a00602433b74ac3c45b7cc1c677e7
SHA1 hash: 77170d35b865b04ccb7e22f7814c594ccc205827
MD5 hash: 203ec0eda28e1fa47e784adeb312f1b7
humanhash: echo-white-carpet-sodium
File name:pandabanker_2.5.1.vir
Download: download sample
Signature PandaZeuS
File size:100'352 bytes
First seen:2020-07-19 19:29:24 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 4967a4ac07d6673b75901758967bbba7
ssdeep 1536:dLVmuwIiyY+7KChnELlsr18mSRRTG+DgdZGW68HHScQnhNO6v0kS1h9eyCw:dZmnV+eChEp6wTDgdoW68HHcKxvb
TLSH 3CA39E63F9CB40FBE9357A30599E79429AFAFF14095A5E83C3A55C8B5820A10BD1F343
Reporter @tildedennis
Tags:pandabanker PandaZeuS


Twitter
@tildedennis
pandabanker version 2.5.1

Intelligence


File Origin
# of uploads :
1
# of downloads :
28
Origin country :
FR FR
Mail intelligence
No data
Vendor Threat Intelligence
Detection:
ZeusPanda
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Sending an HTTP GET request
Creating a file in the %temp% subdirectories
Reading critical registry keys
Creating a file
Deleting a recently created file
Reading Telegram data
Running batch commands
Creating a process with a hidden window
Launching a process
Sending a TCP request to an infection source
Stealing user critical data
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
100 / 100
Behaviour
Behavior Graph:
behaviorgraph top1 signatures2 2 Behavior Graph ID: 247316 Sample: pandabanker_2.5.1.vir Startdate: 20/07/2020 Architecture: WINDOWS Score: 100 34 Malicious sample detected (through community Yara rule) 2->34 36 Antivirus detection for dropped file 2->36 38 Antivirus / Scanner detection for submitted sample 2->38 40 6 other signatures 2->40 7 pandabanker_2.5.1.exe 5 2->7         started        11 Windows PowerShell ISE.exe 2->11         started        13 Windows PowerShell ISE.exe 2->13         started        process3 file4 28 C:\Users\user\...\Windows PowerShell ISE.exe, PE32 7->28 dropped 30 C:\Users\user\AppData\...\upd19ee830b.bat, DOS 7->30 dropped 48 Drops batch files with force delete cmd (self deletion) 7->48 50 Drops executable to a common third party application directory 7->50 52 Tries to detect sandboxes / dynamic malware analysis system (registry check) 7->52 54 2 other signatures 7->54 15 Windows PowerShell ISE.exe 7->15         started        18 cmd.exe 1 7->18         started        signatures5 process6 signatures7 56 Writes to foreign memory regions 15->56 58 Allocates memory in foreign processes 15->58 60 Creates a thread in another existing process (thread injection) 15->60 62 Injects a PE file into a foreign processes 15->62 20 svchost.exe 2 12 15->20         started        24 svchost.exe 15->24         started        26 conhost.exe 18->26         started        process8 dnsIp9 32 rengima.xyz 20->32 42 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 20->42 44 Creates autostart registry keys with suspicious values (likely registry only malware) 20->44 46 Monitors registry run keys for changes 20->46 signatures10
Threat name:
Win32.Trojan.Zbot
Status:
Malicious
First seen:
2017-09-02 08:19:00 UTC
AV detection:
22 of 28 (78.57%)
Threat level
  5/5
Result
Malware family:
n/a
Score:
  8/10
Tags:
spyware persistence evasion
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Adds Run key to start application
Adds Run key to start application
Loads dropped DLL
Deletes itself
Reads user/profile data of web browsers
Identifies Wine through registry keys
Reads user/profile data of web browsers
Identifies Wine through registry keys
Executes dropped EXE
Executes dropped EXE
Threat name:
Unknown
Score:
1.00

Yara Signatures


Rule name:win_pandabanker_auto
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator
Rule name:Zeus_Panda
Author:Florian Roth
Description:Detects ZEUS Panda Malware
Reference:https://cyberwtf.files.wordpress.com/2017/07/panda-whitepaper.pdf

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments