MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 31f8346b01d9e3c307280bf900de4e91a57d579d5327f75fd697431bcdd20dd4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



SHA256 hash: 31f8346b01d9e3c307280bf900de4e91a57d579d5327f75fd697431bcdd20dd4
SHA3-384 hash: 6527f40cae9b181ebc37085a33b3ecf4ad559f06e6b29caf881dd042dfc80c25810cf5bcf51ed50e9ab24135127b30ff
SHA1 hash: 2cbfb20e03698928f0463deeb34f772096c7a9a6
MD5 hash: cb9d4b52e15194439c0bd7ab82053327
humanhash: jupiter-tennis-solar-three
File name: pandabanker_2.2.1.vir
Signature: PandaZeuS
File size: 259'072 bytes
First seen: 2020-07-19 19:47:53 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: e88842c18464f8c4a94240921847a325
ssdeep: 1536:+y0hYaHflcXOLTQk6fxua/Ug4l1jfnuGwPbtokw747eV1:+rhY2LFsx7/UlT7kw7GeV
TLSH: 3F44F16B5CA195A3CEC41D3150AB4978EE372E21B2F44A44D309532AAF37765FD0AF28
Reporter: @tildedennis
Tags: pandabanker


Twitter (@tildedennis): pandabanker version 2.2.1

Intelligence


File Origin
# of uploads: 1
# of downloads: 39
Origin country: FR
Mail intelligence: No data
Vendor Threat Intelligence
Detection: ZeusPanda
Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a window
Unauthorized injection to a recently created process
Connection attempt to an infection source
Result
Threat name: Unknown
Detection: malicious
Classification: phis.spyw.evad
Score: 100 / 100
Behaviour
Behavior Graph (ID 247642)
Sample: pandabanker_2.2.1.vir
Startdate: 20/07/2020
Architecture: WINDOWS
Score: 100
Sample-level signatures:
  Malicious sample detected (through community Yara rule)
  Antivirus / Scanner detection for submitted sample
  Multi AV Scanner detection for submitted file
  3 other signatures
Process pandabanker_2.2.1.exe (started from the sample):
  Dropped: C:\Users\user\AppData\Roaming\...\.exe (PE32)
  Dropped: C:\Users\user\AppData\...\upd8b15b795.bat (DOS)
  Detected unpacking (changes PE section rights)
  Detected unpacking (overwrites its own PE header)
  Drops batch files with force delete cmd (self deletion)
  7 other signatures
  Started: .exe, cmd.exe
Process .exe (dropped executable):
  Antivirus detection for dropped file
  Multi AV Scanner detection for dropped file
  Detected unpacking (changes PE section rights)
  8 other signatures
  Started: svchost.exe, svchost.exe
Process cmd.exe:
  Started: conhost.exe
Process svchost.exe:
  Dropped: 72506089-182b-482b-9b50-803a37f2b582.nuh (data)
  Overwrites code with unconditional jumps - possibly settings hooks in foreign process
  Overwrites code with function prologues
  Overwrites Mozilla Firefox settings
  Tries to harvest and steal browser information (history, passwords, etc)
Threat name: Win32.Trojan.Zbot
Status: Malicious
First seen: 2016-04-20 18:57:00 UTC
AV detection: 25 of 29 (86.21%)
Threat level: 5/5
Result
Malware family: n/a
Score: 9/10
Tags: evasion spyware
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Deletes itself
Checks BIOS information in registry
Identifies Wine through registry keys
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
Looks for VMWare Tools registry key
Looks for VirtualBox Guest Additions in registry
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Threat name: Unknown
Score: 1.00

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments