MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 57ad651687d7bad1d5be010376dcd1c62a467ddfae3e96bc6429e7d53cb23e0d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Intelligence File information Yara Comments

SHA256 hash: 57ad651687d7bad1d5be010376dcd1c62a467ddfae3e96bc6429e7d53cb23e0d
SHA3-384 hash: 84664445ef2675e1f0ca7954688772fdfe211efa4e85a92a962f6138eea869c925b60f964f8b96331eb087c77ec7c8e4
SHA1 hash: 8ea9f1eb72e5c9140edbf789ec3c1823c3667983
MD5 hash: e9d7b64791e55e421c0ac838e63f6c2a
humanhash: potato-steak-lactose-seven
File name:pandabanker_2.6.10.vir
Download: download sample
Signature PandaZeuS
File size:204'800 bytes
First seen:2020-07-19 19:42:51 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 1ab4189884ff0ac94bc467f0f44f2e92
ssdeep 3072:qJkQC2mCt3Q3BDieO4F5BfabJxzM9iGETYIF81NvuFHCMuKZ0CEgJix:7RDH79ZHPGFiMuQ+
TLSH 5A148E127B805432CCBF7E37D9614171192FE8273E968E672BE11AF849E85C14E2BC76
Reporter @tildedennis
Tags:pandabanker PandaZeuS


Twitter
@tildedennis
pandabanker version 2.6.10

Intelligence


File Origin
# of uploads :
1
# of downloads :
28
Origin country :
FR FR
Mail intelligence
No data
Vendor Threat Intelligence
Detection:
ZeusPanda
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Sending an HTTP GET request
Creating a file in the %temp% subdirectories
Reading critical registry keys
Creating a file
Deleting a recently created file
Reading Telegram data
Running batch commands
Creating a process with a hidden window
Launching a process
Sending a TCP request to an infection source
Stealing user critical data
Result
Threat name:
Panda
Detection:
malicious
Classification:
phis.bank.spyw.evad
Score:
100 / 100
Behaviour
Behavior Graph:
behaviorgraph top1 signatures2 2 Behavior Graph ID: 247468 Sample: pandabanker_2.6.10.vir Startdate: 20/07/2020 Architecture: WINDOWS Score: 100 37 Multi AV Scanner detection for domain / URL 2->37 39 Malicious sample detected (through community Yara rule) 2->39 41 Antivirus / Scanner detection for submitted sample 2->41 43 4 other signatures 2->43 7 pandabanker_2.6.10.exe 5 2->7         started        11 3312185054sbndi_pspte.exe 2->11         started        13 3312185054sbndi_pspte.exe 2->13         started        process3 file4 31 C:\Users\user\...\3312185054sbndi_pspte.exe, PE32 7->31 dropped 33 C:\Users\user\AppData\...\upd68dafd8b.bat, DOS 7->33 dropped 53 Detected unpacking (changes PE section rights) 7->53 55 Detected unpacking (overwrites its own PE header) 7->55 57 Detected Panda e-Banking trojan 7->57 59 5 other signatures 7->59 15 3312185054sbndi_pspte.exe 7->15         started        18 cmd.exe 1 7->18         started        signatures5 process6 signatures7 61 Antivirus detection for dropped file 15->61 63 Multi AV Scanner detection for dropped file 15->63 65 Detected unpacking (changes PE section rights) 15->65 67 7 other signatures 15->67 20 svchost.exe 2 14 15->20         started        25 svchost.exe 15->25         started        27 conhost.exe 18->27         started        process8 dnsIp9 35 ioxicjkdkc.abkhazia.su 178.210.89.119, 443, 49730, 49731 RU-CENTERRU Russian Federation 20->35 29 C:\Users\user\AppData\Roaming\...\prefs.js, ASCII 20->29 dropped 45 System process connects to network (likely due to code injection or exploit) 20->45 47 Detected Panda e-Banking trojan 20->47 49 Overwrites Mozilla Firefox settings 20->49 51 2 other signatures 20->51 file10 signatures11
Threat name:
Win32.Trojan.Gandcrab
Status:
Malicious
First seen:
2018-06-02 19:58:22 UTC
AV detection:
27 of 29 (93.10%)
Threat level
  5/5
Result
Malware family:
n/a
Score:
  8/10
Tags:
evasion spyware persistence
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Adds Run key to start application
Adds Run key to start application
Identifies Wine through registry keys
Deletes itself
Reads user/profile data of web browsers
Loads dropped DLL
Identifies Wine through registry keys
Reads user/profile data of web browsers
Executes dropped EXE
Executes dropped EXE
Threat name:
Unknown
Score:
1.00

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments