MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7eb56d98f341b98164b70f34d5f4008a07f3fe9d02943ddc7edeacb05f6dd5ef. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



SHA256 hash: 7eb56d98f341b98164b70f34d5f4008a07f3fe9d02943ddc7edeacb05f6dd5ef
SHA3-384 hash: 6f194474f5e003600b658ae4d0f4ce530f2ac2ca011236788dae2e1084bf53b0c3cff8416a5995309deb146e7ae7f621
SHA1 hash: 18accea914ac794731532d236cd4f6e75a9f4d49
MD5 hash: 7e986d3db3f08640ce7515c67514b491
humanhash: purple-fifteen-timing-purple
File name: pandabanker_2.3.1.vir
Signature: PandaZeuS
File size: 208'335 bytes
First seen: 2020-07-19 19:35:18 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: e11c494d2623c095733ca82e77cc29e2
ssdeep: 6144:RTHsKKSGLGES3M7zPdwI4SvNc8t8iXZWYK:tHXH87LWI4Gvt8iYYK
TLSH: CE141277BE4FAA5BD6830070EE9049324C69B6225FEC65F197151ECE14821E337B6F88
Reporter: @tildedennis
Tags: pandabanker PandaZeuS


Twitter
@tildedennis
pandabanker version 2.3.1

Intelligence


File Origin
Uploads: 1
Downloads: 28
Origin country: FR
Mail intelligence
No data
Vendor Threat Intelligence
Detection: ZeusPanda
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Sending an HTTP GET request
Creating a file in the %temp% subdirectories
Reading critical registry keys
Creating a file
Deleting a recently created file
Reading Telegram data
Running batch commands
Creating a process with a hidden window
Launching a process
Sending a TCP request to an infection source
Stealing user critical data
Result
Threat name: Unknown
Detection: malicious
Classification: evad
Score: 100 / 100
Behaviour
Behavior Graph (ID 247395; sample: pandabanker_2.3.1.vir; start date: 20/07/2020; architecture: WINDOWS; score: 100)

Sample-level signatures:
Malicious sample detected (through community Yara rule)
Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
4 other signatures

Process tree (graph node numbers in parentheses; ".exe" is the dropped executable that has no file name):
pandabanker_2.3.1.exe (9)
  signatures: Detected unpacking (changes PE section rights); Drops batch files with force delete cmd (self deletion); Contains functionality to inject code into remote processes
  pandabanker_2.3.1.exe (16)
    dropped: C:\Users\user\AppData\Roaming\Adobe\...\.exe (PE32); C:\Users\user\AppData\...\upd3814b04b.bat (DOS)
    signatures: Creates executable files without a name; Drops executable to a common third party application directory; Tries to detect sandboxes / dynamic malware analysis system (registry check); 2 other signatures
    .exe (30)
      signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Detected unpacking (changes PE section rights); 2 other signatures
      .exe (35)
        signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Creates a thread in another existing process (thread injection); Injects a PE file into a foreign process
        svchost.exe (40)
          network: urasnev.top
          signatures: Overwrites code with unconditional jumps - possibly setting hooks in foreign process; Overwrites code with function prologues; Monitors registry run keys for changes
        svchost.exe (44)
    cmd.exe (33)
      conhost.exe (38)
  pandabanker_2.3.1.exe (20)
.exe (12)
  signatures: Injects a PE file into a foreign process
  .exe (22)
  .exe (24)
.exe (14)
  .exe (26)
  .exe (28)
Threat name: Win32.Trojan.Cerber (this vendor's label; it does not match the PandaZeuS signature and ZeusPanda detection given above)
Status: Malicious
First seen: 2017-03-13 21:32:41 UTC
AV detection: 26 of 30 (86.67%)
Threat level: 2/5
Result
Malware family: n/a
Score: 9/10
Tags: evasion spyware persistence
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetThreadContext
Adds Run key to start application
Deletes itself
Reads user/profile data of web browsers
Checks BIOS information in registry
Identifies Wine through registry keys
Loads dropped DLL
Looks for VMWare Tools registry key
Executes dropped EXE
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Looks for VirtualBox Guest Additions in registry
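The behaviour graph and the behaviour lists above describe one chain: a dropped executable with no file name, a hidden batch file run from a user-writable directory to delete the original, anti-VM registry checks, a Run key for persistence, and injection into svchost.exe. The script below is an added example, not code from MalwareBazaar or from any sandbox vendor; it turns those indicators into triage rules and runs them over constructed telemetry records. The event format (one dict per record with Sysmon-like field names), the pids and paths, the full registry key paths for the anti-VM checks, and the rule weights and threshold are all assumptions made for the example.

```python
"""Triage rules derived from the behaviours listed in this entry.

Added example for this page, not code from MalwareBazaar or from any sandbox
vendor. The event format (one dict per record, Sysmon-like field names), the
pids, the paths, the anti-VM key list and the rule weights are assumptions.
"""
import re
from collections import defaultdict

# Constructed telemetry, loosely modelled on the behaviour graph above, with
# invented pids and paths. Process 1000 plays the submitted sample, 1002 the
# nameless dropped ".exe", 1003 the svchost.exe it targets, 1500 an unrelated process.
EVENTS = [
    {"type": "process_create", "pid": 1000, "ppid": 800,
     "image": r"C:\Users\user\Desktop\pandabanker_2.3.1.exe", "cmdline": "", "hidden_window": False},
    {"type": "file_create", "pid": 1000, "path": r"C:\Users\user\AppData\Roaming\Adobe\example\.exe"},
    {"type": "file_create", "pid": 1000, "path": r"C:\Users\user\AppData\Local\Temp\example.bat"},
    {"type": "process_create", "pid": 1001, "ppid": 1000, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c C:\Users\user\AppData\Local\Temp\example.bat", "hidden_window": True},
    {"type": "process_create", "pid": 1002, "ppid": 1000,
     "image": r"C:\Users\user\AppData\Roaming\Adobe\example\.exe", "cmdline": "", "hidden_window": False},
    {"type": "registry_query", "pid": 1002, "key": r"HKLM\HARDWARE\ACPI\DSDT\VBOX__"},
    {"type": "registry_query", "pid": 1002, "key": r"HKLM\SOFTWARE\VMware, Inc.\VMware Tools"},
    {"type": "registry_set", "pid": 1002,
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Adobe",
     "value": r"C:\Users\user\AppData\Roaming\Adobe\example\.exe"},
    {"type": "process_access", "pid": 1002, "target_pid": 1003,
     "target_image": r"C:\Windows\System32\svchost.exe", "granted_access": 0x1F0FFF},
    {"type": "process_create", "pid": 1500, "ppid": 600,
     "image": r"C:\Windows\System32\notepad.exe", "cmdline": "", "hidden_window": False},
]

# Registry keys behind the anti-VM / sandbox checks named in the behaviour lists (assumed full paths).
ANTI_VM_KEYS = (
    r"HARDWARE\ACPI\DSDT\VBOX__",                      # VirtualBox ACPI table name
    r"SOFTWARE\Oracle\VirtualBox Guest Additions",     # VirtualBox Guest Additions
    r"SOFTWARE\VMware, Inc.\VMware Tools",             # VMware Tools
    r"Software\Wine",                                  # Wine
    r"HARDWARE\DESCRIPTION\System\SystemBiosVersion",  # BIOS information
)
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run\\", re.IGNORECASE)
USER_WRITABLE = ("\\appdata\\", "\\temp\\")
PROCESS_VM_WRITE = 0x0020       # right needed to write a PE image into another process
PROCESS_CREATE_THREAD = 0x0002  # right needed to start it there (thread injection)

# Weights and threshold are assumptions; injection into a system process counts most.
WEIGHTS = {"nameless_executable": 2, "hidden_batch_from_userdir": 2, "anti_vm_registry": 1,
           "run_key_persistence": 2, "injection_into_svchost": 4}


def basename(path):
    return path.rsplit("\\", 1)[-1]


def triage(events):
    """Map each pid to the sorted list of rule names it triggered."""
    image = {e["pid"]: e["image"] for e in events if e["type"] == "process_create"}
    hits = defaultdict(set)
    for e in events:
        pid, kind = e["pid"], e["type"]
        if kind == "file_create" and basename(e["path"]).lower() in (".exe", ".dll"):
            hits[pid].add("nameless_executable")  # "Creates executable files without a name"
        elif kind == "process_create" and basename(e["image"]).lower() == "cmd.exe":
            cmd = e["cmdline"].lower()
            if e.get("hidden_window") and re.search(r"\.bat\b", cmd) and any(d in cmd for d in USER_WRITABLE):
                hits[e["ppid"]].add("hidden_batch_from_userdir")  # credit the parent that dropped the batch
        elif kind == "registry_query" and any(k.lower() in e["key"].lower() for k in ANTI_VM_KEYS):
            hits[pid].add("anti_vm_registry")
        elif kind == "registry_set" and RUN_KEY_RE.search(e["key"]):
            hits[pid].add("run_key_persistence")
        elif kind == "process_access":
            mask = e["granted_access"]
            src = image.get(pid, "").lower()  # unknown source image is treated as untrusted
            if (mask & PROCESS_VM_WRITE and mask & PROCESS_CREATE_THREAD
                    and basename(e["target_image"]).lower() == "svchost.exe"
                    and not src.startswith("c:\\windows\\")):
                hits[pid].add("injection_into_svchost")
    return {pid: sorted(tags) for pid, tags in hits.items()}


def root_of(pid, parent):
    """Walk ppid links up to the highest process we hold a creation record for."""
    seen = set()
    while parent.get(pid) in parent and pid not in seen:
        seen.add(pid)
        pid = parent[pid]
    return pid


def score_by_root(events):
    """Merge per-process hits onto the root of each process chain and score the chain."""
    parent = {e["pid"]: e["ppid"] for e in events if e["type"] == "process_create"}
    merged = defaultdict(set)
    for pid, tags in triage(events).items():
        merged[root_of(pid, parent)].update(tags)
    return {root: (sum(WEIGHTS[t] for t in tags), sorted(tags)) for root, tags in merged.items()}


def flagged_roots(events, threshold=6):
    """Root pids whose chain score reaches the (assumed) threshold."""
    return sorted(r for r, (s, _) in score_by_root(events).items() if s >= threshold)


if __name__ == "__main__":
    for root, (s, tags) in score_by_root(EVENTS).items():
        print(f"root pid {root}: score {s} {tags}")
```

The per-process hits are folded onto the root of the chain because, as in the graph above, the indicators are spread across the sample, the nameless dropped executable and the cmd.exe it spawns; scoring each process alone would leave every one of them below a sensible threshold.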
Threat name: Unknown
Score: 1.00

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments