MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 be4a4c076d2644bb29e90d6dc42ce9f400a940a9d684fd9073abdca0b65c9bca. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



SHA256 hash: be4a4c076d2644bb29e90d6dc42ce9f400a940a9d684fd9073abdca0b65c9bca
SHA3-384 hash: af7dd6ef409d705c932da5e11f93db7cac36c883f29f34d975c143edf31a0f3c7c863a2b79c947b2e3d64b9cfb4b20ae
SHA1 hash: df6734c99e5a682c1298b983b3b2727d2853770d
MD5 hash: 01549ffc7c4dd015b2c01590536d2f9a
humanhash: asparagus-golf-magazine-carbon
File name: pandabanker_2.1.3.vir
Signature: PandaZeuS
File size: 218'624 bytes
First seen: 2020-07-19 19:35:44 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 1b6adc34fa8a111d48902c0fea8048b8
ssdeep: 3072:aIc62dBOJ6j6S2J1GdT0k/MZ3GqfYs9pw7ButpRtgCFtZhAYcNEulf1mb6jt:A62dTj8JMh0k/Mg+P0BCPTAvvmGh
TLSH: 38243855BBB85EDFF59A0AB0AC6D7B046C27F663F523D98A4320CC6E04F16C012356B6
Reporter: @tildedennis
Tags: pandabanker
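A downloaded sample should be checked against the identifiers above before it is handed to a sandbox or a disassembler: a wrong or truncated download, or a file that only matches the weak MD5/SHA1 digests, must not be analysed as this entry. The script below is an added example and not MalwareBazaar's own tooling; ENTRY holds the digests and size printed on this page, the byte strings in the self-check are constructed and are not the sample, and imphash (pefile), ssdeep and TLSH are left out because they need third-party libraries.

```python
"""Re-derive the cryptographic digests listed for this entry and refuse to
treat a file as 'the sample' unless every one of them, plus the size, matches.

Added example, not MalwareBazaar's own tooling. ENTRY carries the digests and
size shown on this page. Any byte string used in a self-check is constructed
and is not the sample. imphash (pefile), ssdeep and TLSH need third-party
libraries and are deliberately left out of this stdlib-only path.
"""
import hashlib
import sys

DIGESTS = ("md5", "sha1", "sha256", "sha3_384")   # all available in hashlib

ENTRY = {
    "size": 218624,
    "md5": "01549ffc7c4dd015b2c01590536d2f9a",
    "sha1": "df6734c99e5a682c1298b983b3b2727d2853770d",
    "sha256": "be4a4c076d2644bb29e90d6dc42ce9f400a940a9d684fd9073abdca0b65c9bca",
    "sha3_384": "af7dd6ef409d705c932da5e11f93db7cac36c883f29f34d975c143edf31a0f3c"
                "7c863a2b79c947b2e3d64b9cfb4b20ae",
}


def fingerprint(data: bytes) -> dict:
    """Digests and size of an in-memory blob, keyed like ENTRY."""
    fp = {name: hashlib.new(name, data).hexdigest() for name in DIGESTS}
    fp["size"] = len(data)
    return fp


def fingerprint_file(path: str, chunk: int = 1 << 20) -> dict:
    """Same as fingerprint() but streams the file, so large samples are not read whole."""
    hashers = {name: hashlib.new(name) for name in DIGESTS}
    size = 0
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            size += len(block)
            for h in hashers.values():
                h.update(block)
    fp = {name: h.hexdigest() for name, h in hashers.items()}
    fp["size"] = size
    return fp


def compare(fp: dict, entry: dict = ENTRY) -> dict:
    """Per-field match map. Digest strings are compared case-insensitively."""
    out = {}
    for key, expected in entry.items():
        got = fp.get(key)
        if key == "size":
            out[key] = got == expected
        else:
            out[key] = str(got).lower() == expected.lower()
    return out


def is_verified(fp: dict, entry: dict = ENTRY) -> bool:
    """True only if every listed digest and the size match. A partial match
    (MD5 and SHA1 agree, SHA256 does not) is a failure: MD5 and SHA1 are
    collision-prone, and a size mismatch means a truncated or repackaged
    download, so the file must not be analysed as this entry."""
    return all(compare(fp, entry).values())


if __name__ == "__main__":
    # usage: python verify_sample.py <path to the unpacked sample>
    result = compare(fingerprint_file(sys.argv[1]))
    for key, ok in result.items():
        print(f"{key:>9}: {'match' if ok else 'MISMATCH'}")
    sys.exit(0 if all(result.values()) else 1)
```

Run it on the extracted file from the download archive; a non-zero exit means at least one field disagrees with the entry, and the per-field output tells you which.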


Twitter
@tildedennis
pandabanker version 2.1.3

Intelligence


File Origin
# of uploads: 1
# of downloads: 27
Origin country: FR
Mail intelligence
No data
Vendor Threat Intelligence
Detection: ZeusPanda
Result
Verdict: Malware
Behaviour
Creating a window
Unauthorized injection to a recently created process
Connection attempt to an infection source
Result
Threat name: Unknown
Detection: malicious
Classification: evad
Score: 100 / 100
Behaviour
Behavior Graph (graph image; the recoverable content follows): ID 247409, sample pandabanker_2.1.3.vir, start date 20/07/2020, architecture WINDOWS, score 100
Top-level signatures: Malicious sample detected (through community Yara rule); Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file; 2 other signatures
pandabanker_2.1.3.exe (started)
  dropped files: C:\Users\user\AppData\...\rasphone.exe (PE32); C:\Users\user\AppData\...\upd151cc7fc.bat (DOS)
  signatures: Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header); Drops batch files with force delete cmd (self deletion); Drops executable to a common third party application directory
  child processes: rasphone.exe; cmd.exe; WerFault.exe; 3 other processes
rasphone.exe
  signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Detected unpacking (changes PE section rights); 6 other signatures
  child processes: svchost.exe; svchost.exe; WerFault.exe; WerFault.exe
cmd.exe
  child process: conhost.exe
svchost.exe (spawned by rasphone.exe)
  signatures: Overwrites code with unconditional jumps - possibly setting hooks in foreign process; Overwrites code with function prologues
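The two signatures attached to svchost.exe (unconditional jumps and function prologues written into another process) describe inline API hooking, the mechanism ZeuS-family banking trojans use to intercept browser and network calls. The check below is an added example, not part of this entry or of the sandbox's own signature logic: it compares the first bytes of each API as observed in the process with the bytes of the same function in the on-disk image and, where they differ, decodes the control transfer the hook planted. API names, addresses and prologue bytes are constructed for illustration; acquiring a real snapshot (ReadProcessMemory plus parsing the mapped module) is not included.

```python
"""Spot inline API hooks by diffing function prologues: bytes observed in the
process against bytes of the same function in the on-disk image, then decode
the control transfer a hook planted.

Added example, not part of this MalwareBazaar entry or the sandbox's own
signature logic. The snapshot, addresses, API names and prologue bytes below
are constructed for illustration; acquiring a real snapshot (ReadProcessMemory
plus parsing the mapped module) is not included.
"""
import struct

MASK64 = (1 << 64) - 1

# Unconditional transfers a hooking engine typically writes at offset 0 of an
# API: (kind, leading opcode bytes, minimum stub length)
HOOK_STUBS = (
    ("jmp_rel32", b"\xe9", 5),        # jmp rel32
    ("jmp_indirect", b"\xff\x25", 6), # jmp [disp32] (RIP-relative on x64)
    ("jmp_short", b"\xeb", 2),        # jmp rel8
    ("push_ret", b"\x68", 6),         # push imm32 ; ret
    ("mov_rax_jmp", b"\x48\xb8", 12), # mov rax, imm64 ; jmp rax
)


def classify_prologue(observed: bytes, expected: bytes) -> str:
    """'clean' if memory matches the image, the stub kind if a known jump
    pattern was written over it, else 'modified' (changed, no known stub)."""
    n = min(len(observed), len(expected))
    if n and observed[:n] == expected[:n]:
        return "clean"
    for kind, opcode, length in HOOK_STUBS:
        if not observed.startswith(opcode) or len(observed) < length:
            continue
        if kind == "push_ret" and observed[5] != 0xC3:
            continue
        if kind == "mov_rax_jmp" and observed[10:12] != b"\xff\xe0":
            continue
        return kind
    return "modified"


def hook_target(addr: int, observed: bytes, kind: str):
    """Address the stub transfers control to; None when it is only reachable
    through a pointer slot that would need another memory read."""
    if kind == "jmp_rel32":
        return (addr + 5 + struct.unpack_from("<i", observed, 1)[0]) & MASK64
    if kind == "jmp_short":
        return (addr + 2 + struct.unpack_from("<b", observed, 1)[0]) & MASK64
    if kind == "push_ret":
        return struct.unpack_from("<I", observed, 1)[0]
    if kind == "mov_rax_jmp":
        return struct.unpack_from("<Q", observed, 2)[0]
    return None


def make_jmp_rel32(src: int, dst: int) -> bytes:
    """The 5-byte stub a hooking engine writes at src to divert to dst
    (used here only to build the constructed snapshot)."""
    return b"\xe9" + struct.pack("<i", dst - (src + 5))


def scan(snapshot):
    """snapshot: iterable of (api_name, address, observed_bytes, image_bytes).
    Returns [(api_name, kind, target)] for every function that is not clean."""
    findings = []
    for name, addr, observed, expected in snapshot:
        kind = classify_prologue(observed, expected)
        if kind != "clean":
            findings.append((name, kind, hook_target(addr, observed, kind)))
    return findings


# --- constructed snapshot (not real addresses or bytes from the sample) ---
X86_HOTPATCH = bytes.fromhex("8bff558bec")       # mov edi,edi; push ebp; mov ebp,esp
X64_SYSCALL = bytes.fromhex("4c8bd1b855000000")  # mov r10,rcx; mov eax,0x55
HOOK_ADDR = 0x75A0F1C0   # pretend user32!CreateWindowExW
PAYLOAD = 0x00E40000     # pretend injected code region inside svchost.exe

SAMPLE_SNAPSHOT = [
    ("ntdll!NtCreateFile", 0x7FFE0001A000, X64_SYSCALL, X64_SYSCALL),
    ("user32!CreateWindowExW", HOOK_ADDR, make_jmp_rel32(HOOK_ADDR, PAYLOAD), X86_HOTPATCH),
    ("wininet!HttpSendRequestW", 0x74C31B30, bytes.fromhex("ff2510e0e400"), X86_HOTPATCH),
]

if __name__ == "__main__":
    for name, kind, target in scan(SAMPLE_SNAPSHOT):
        where = f"-> {target:#x}" if target is not None else "(indirect, read the pointer slot)"
        print(f"{name}: {kind} {where}")
```

The diff against the on-disk image is what makes this reliable: legitimate code can start with a short jump or an absolute jump, so a byte-pattern match alone would produce false positives, whereas a prologue that differs from the mapped image and resolves to an address outside any loaded module is the hook. The "Overwrites code with function prologues" signature is the mirror image, the injector restoring or writing prologues in the target, and the same image-versus-memory diff exposes it.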
Threat name: Win32.Trojan.Zbot
Status: Malicious
First seen: 2016-03-23 00:34:00 UTC
AV detection: 26 of 31 (83.87%)
Threat level: 5/5
Result
Malware family: n/a
Score: 8/10
Tags: spyware
Behaviour
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Program crash
Loads dropped DLL
Deletes itself
Reads user/profile data of web browsers
Executes dropped EXE
Threat name: Unknown
Score: 1.00

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments