MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ae96dbb67a548c38a292255130c47b99ec028e6afa228d62980a03ba9d7f03b0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Intelligence File information Yara Comments

SHA256 hash: ae96dbb67a548c38a292255130c47b99ec028e6afa228d62980a03ba9d7f03b0
SHA3-384 hash: 68fdeab6b746fb9c64e0adee0fce531ff852deecfb9fcb0aebe17a49a5d4549bd0b5941090b0b763647a485f1172de6b
SHA1 hash: f47b802940ffb8a23b5fa51da2868ecbeabf4dad
MD5 hash: 5f4ddfe85a833c8b94fab8ab4c9e8fcd
humanhash: south-gee-eleven-lion
File name:pandabanker_2.5.6.vir
Download: download sample
Signature PandaZeuS
File size:341'504 bytes
First seen:2020-07-19 19:39:48 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 23477c29ee09b056e0f2d81c768e833e
ssdeep 6144:MdoDCmicvDd1JrytGWleXmTkIhj0kZffmQ+3Ike+Z4q3SHCEah6Utbn:Mk7icvDd1JryLYmwcPWQ+3IkeZihh6An
TLSH 5D74DF257640C132E18B1171C926C77A8A79BCB09B2A62C7BBD07B2D9F747D2D632347
Reporter @tildedennis
Tags:pandabanker


Twitter
@tildedennis
pandabanker version 2.5.6

Intelligence


File Origin
# of uploads :
1
# of downloads :
27
Origin country :
FR FR
Mail intelligence
No data
Vendor Threat Intelligence
Detection:
ZeusPanda
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Connection attempt to an infection source
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
100 / 100
Behaviour
Behavior Graph:
behaviorgraph top1 signatures2 2 Behavior Graph ID: 247437 Sample: pandabanker_2.5.6.vir Startdate: 20/07/2020 Architecture: WINDOWS Score: 100 34 Malicious sample detected (through community Yara rule) 2->34 36 Antivirus detection for dropped file 2->36 38 Antivirus / Scanner detection for submitted sample 2->38 40 6 other signatures 2->40 7 pandabanker_2.5.6.exe 6 2->7         started        11 Windows PowerShell (x86).exe 1 2->11         started        13 Windows PowerShell (x86).exe 1 2->13         started        process3 file4 28 C:\Users\...\Windows PowerShell (x86).exe, PE32 7->28 dropped 30 C:\Users\user\AppData\...\upd13553ac0.bat, DOS 7->30 dropped 50 Detected unpacking (changes PE section rights) 7->50 52 Detected unpacking (overwrites its own PE header) 7->52 54 Drops batch files with force delete cmd (self deletion) 7->54 56 4 other signatures 7->56 15 Windows PowerShell (x86).exe 1 7->15         started        18 cmd.exe 1 7->18         started        signatures5 process6 signatures7 58 Writes to foreign memory regions 15->58 60 Allocates memory in foreign processes 15->60 62 Creates a thread in another existing process (thread injection) 15->62 64 Injects a PE file into a foreign processes 15->64 20 svchost.exe 2 13 15->20         started        24 svchost.exe 15->24         started        26 conhost.exe 18->26         started        process8 dnsIp9 32 5c9cf1996510.faith 20->32 42 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 20->42 44 Creates autostart registry keys with suspicious values (likely registry only malware) 20->44 46 Creates autostart registry keys with suspicious names 20->46 48 Monitors registry run keys for changes 20->48 signatures10
Threat name:
Win32.Trojan.Zbot
Status:
Malicious
First seen:
2017-10-17 09:37:08 UTC
AV detection:
23 of 28 (82.14%)
Threat level
  5/5
Result
Malware family:
n/a
Score:
  8/10
Tags:
evasion spyware persistence
Behaviour
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Adds Run key to start application
Adds Run key to start application
Loads dropped DLL
Deletes itself
Identifies Wine through registry keys
Reads user/profile data of web browsers
Identifies Wine through registry keys
Reads user/profile data of web browsers
Executes dropped EXE
Executes dropped EXE
Threat name:
Unknown
Score:
1.00

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments