MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 41ac9dd172ebc186c77cab9f12401ab18805e77c34eacdf9dfdbd570d8bd9c62. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SHA256 hash: 41ac9dd172ebc186c77cab9f12401ab18805e77c34eacdf9dfdbd570d8bd9c62
SHA3-384 hash: 8e534d763286069ae3f3609e6cf7090130a138457307aca876541f15ac9bb6539a8edcb6fd6690c4cb6edaa9fbbd2321
SHA1 hash: cd67a0ebd40d88d6d2f9b8df9b9c729479dad4f6
MD5 hash: 2526818feedf1748fa0de8ee290ad9ee
humanhash: magazine-lamp-yankee-edward
File name: pandabanker_2.6.7.vir
Signature: PandaZeuS
File size: 300'544 bytes
First seen: 2020-07-19 19:52:16 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 57daa528bdab76dd551bfe6f44e9f7ad
ssdeep: 3072:HRLyLBzOxWTcMD1RWnpGN9ODgd+6+90AVRJ/Uhk7uNovLnRTr/vgJ3U9/HcoAhVp:SBj3N9jdaMhkaovLnR/nS9
TLSH: 4254BE2171819039ECB3017549FA6A685A7CFE201F39AACB63C81A4ECF742D1BB35757
Reporter: @tildedennis
Tags: pandabanker PandaZeuS


Twitter (@tildedennis): pandabanker version 2.6.7

Intelligence


File Origin
# of uploads: 1
# of downloads: 44
Origin country: US
Mail intelligence: No data
Vendor Threat Intelligence
Detection: ZeusPanda
Result
Verdict: Malware

Behaviour
Creating a window
Unauthorized injection to a recently created process
Sending an HTTP GET request
Creating a file in the %temp% subdirectories
Reading critical registry keys
Creating a file
Deleting a recently created file
Reading Telegram data
Running batch commands
Creating a process with a hidden window
Launching a process
Sending a TCP request to an infection source
Stealing user critical data
Result
Threat name: Panda
Detection: malicious
Classification: phis.bank.spyw.evad
Score: 100 / 100
Behaviour
Behavior Graph:
Behavior Graph ID: 247702
Sample: pandabanker_2.6.7.vir
Startdate: 20/07/2020
Architecture: WINDOWS
Score: 100
Sample-level signatures:
  Malicious sample detected (through community Yara rule)
  Antivirus / Scanner detection for submitted sample
  Multi AV Scanner detection for submitted file
  3 other signatures
Process tree:
  pandabanker_2.6.7.exe (started from sample)
    dropped: C:\Users\user\AppData\...\previous.exe, PE32
    dropped: C:\Users\user\AppData\...\upd452d24b2.bat, DOS
    signatures: Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header); Detected Panda e-Banking trojan; 5 other signatures
    previous.exe (started by pandabanker_2.6.7.exe)
      signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Detected unpacking (changes PE section rights); 7 other signatures
      svchost.exe (started by previous.exe)
        DNS/IP: wrentweak.top
        dropped: C:\Users\user\AppData\Roaming\...\prefs.js, ASCII
        signatures: Detected Panda e-Banking trojan; Overwrites Mozilla Firefox settings; Monitors registry run keys for changes; Tries to harvest and steal browser information (history, passwords, etc)
      svchost.exe (started by previous.exe)
    cmd.exe (started by pandabanker_2.6.7.exe)
      conhost.exe (started by cmd.exe)
  previous.exe (started from sample)
  previous.exe (started from sample)
Threat name: Win32.Trojan.Gandcrab
Status: Malicious
First seen: 2018-04-21 14:33:00 UTC
AV detection: 30 of 31 (96.77%)
Threat level: 5/5
Result
Malware family: n/a
Score: 8/10
Tags: evasion spyware persistence
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Adds Run key to start application
Identifies Wine through registry keys
Reads user/profile data of web browsers
Loads dropped DLL
Deletes itself
Executes dropped EXE
Threat name: Unknown
Score: 1.00

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments