MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b66eace0a610e947b3aa9964f0ff8e94978c19f290ca377b1e5e558feca44879. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Intelligence File information Yara Comments

SHA256 hash: b66eace0a610e947b3aa9964f0ff8e94978c19f290ca377b1e5e558feca44879
SHA3-384 hash: bb20fcac58035214768d9bf4412475703d981f827dcc36a70d227e512999eeb00a23e5e1292a025b1ac03de7ae16371d
SHA1 hash: c11ef05a0f716eb99a3d0eaf9ae9c1f1ca2fb6fd
MD5 hash: 7d898b1260c0ea760c1de7d586cf8527
humanhash: mirror-washington-undress-twenty
File name:pandabanker_2.6.1.vir
Download: download sample
Signature PandaZeuS
File size:259'584 bytes
First seen:2020-07-19 19:46:23 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash cb458fc98228d209c646ee21af6b4192
ssdeep 6144:Qj0H25I6lTFKB9z47yNpgmH8msh4SxHXRE/d5v:Qv5I6lTFKj+yNjHWGc3REX
TLSH 8A449C1232B4DF77C16255334472BAF54E6CED512678A9DBA7B4F23E0E732808A39253
Reporter @tildedennis
Tags:pandabanker PandaZeuS


Twitter
@tildedennis
pandabanker version 2.6.1

Intelligence


File Origin
# of uploads :
1
# of downloads :
40
Origin country :
FR FR
Mail intelligence
No data
Vendor Threat Intelligence
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Sending an HTTP GET request
Creating a file in the %temp% subdirectories
Reading critical registry keys
Creating a file
Deleting a recently created file
Reading Telegram data
Running batch commands
Creating a process with a hidden window
Launching a process
Sending a TCP request to an infection source
Stealing user critical data
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
100 / 100
Behaviour
Behavior Graph:
behaviorgraph top1 signatures2 2 Behavior Graph ID: 247533 Sample: pandabanker_2.6.1.vir Startdate: 20/07/2020 Architecture: WINDOWS Score: 100 34 Malicious sample detected (through community Yara rule) 2->34 36 Antivirus / Scanner detection for submitted sample 2->36 38 Multi AV Scanner detection for submitted file 2->38 40 3 other signatures 2->40 7 pandabanker_2.6.1.exe 5 2->7         started        11 .exe 2->11         started        13 .exe 2->13         started        process3 file4 28 C:\Users\user\AppData\Roaming\Adobe\...\.exe, PE32 7->28 dropped 30 C:\Users\user\AppData\...\updca2dce90.bat, DOS 7->30 dropped 46 Detected unpacking (changes PE section rights) 7->46 48 Detected unpacking (overwrites its own PE header) 7->48 50 Drops batch files with force delete cmd (self deletion) 7->50 52 5 other signatures 7->52 15 .exe 7->15         started        18 cmd.exe 1 7->18         started        signatures5 process6 signatures7 54 Antivirus detection for dropped file 15->54 56 Multi AV Scanner detection for dropped file 15->56 58 Detected unpacking (changes PE section rights) 15->58 60 6 other signatures 15->60 20 svchost.exe 2 12 15->20         started        24 svchost.exe 15->24         started        26 conhost.exe 18->26         started        process8 dnsIp9 32 3f4326f29598.cf 195.20.48.117, 443 VFMNL-ASAmsterdamLocationBGPSetupNL Netherlands 20->32 42 System process connects to network (likely due to code injection or exploit) 20->42 44 Monitors registry run keys for changes 20->44 signatures10
Threat name:
Win32.Trojan.Zbot
Status:
Malicious
First seen:
2017-12-12 10:22:11 UTC
AV detection:
26 of 31 (83.87%)
Threat level
  5/5
Result
Malware family:
n/a
Score:
  8/10
Tags:
evasion spyware persistence
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Adds Run key to start application
Adds Run key to start application
Loads dropped DLL
Deletes itself
Identifies Wine through registry keys
Reads user/profile data of web browsers
Reads user/profile data of web browsers
Identifies Wine through registry keys
Executes dropped EXE
Executes dropped EXE
Threat name:
Unknown
Score:
1.00

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments