MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c3be55a58b2afa08ba8520d981c50ab773113da36b139985ad16e5fab39ac145. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Intelligence File information Yara Comments

SHA256 hash: c3be55a58b2afa08ba8520d981c50ab773113da36b139985ad16e5fab39ac145
SHA3-384 hash: c59847edefe4aa32861396ad951ea16c9b0d38f9dc5389f770e8419e31f24ef6bce8f8504e1ed689d90fa0cac5076cfb
SHA1 hash: 24733ff1f3bfa1f3a33b13feac300b77bcebe808
MD5 hash: 938fa3c6548d0aed1a89287965159d9d
humanhash: thirteen-enemy-neptune-arkansas
File name:pandabanker_2.5.5.vir
Download: download sample
Signature PandaZeuS
File size:254'464 bytes
First seen:2020-07-19 19:34:13 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 9aa836a33906ebb130c2c8a945910fec
ssdeep 6144:yiWc2HyvATIo7VxoJn99Ro2c8ruH8mV++:DKHyoIeVx2K8rm8+
TLSH CC447C3122A4E2B9C1D167F4C4A083FF06BAAC129639858767B47E257E72F805F5335B
Reporter @tildedennis
Tags:pandabanker PandaZeuS


Twitter
@tildedennis
pandabanker version 2.5.5

Intelligence


File Origin
# of uploads :
1
# of downloads :
28
Origin country :
FR FR
Mail intelligence
No data
Vendor Threat Intelligence
Detection:
ZeusPanda
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Sending an HTTP GET request
Creating a file in the %temp% subdirectories
Reading critical registry keys
Creating a file
Deleting a recently created file
Reading Telegram data
Running batch commands
Creating a process with a hidden window
Launching a process
Sending a TCP request to an infection source
Stealing user critical data
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
100 / 100
Behaviour
Behavior Graph:
behaviorgraph top1 signatures2 2 Behavior Graph ID: 247382 Sample: pandabanker_2.5.5.vir Startdate: 20/07/2020 Architecture: WINDOWS Score: 100 48 Malicious sample detected (through community Yara rule) 2->48 50 Antivirus detection for dropped file 2->50 52 Antivirus / Scanner detection for submitted sample 2->52 54 8 other signatures 2->54 7 pandabanker_2.5.5.exe 6 2->7         started        11 File Explorer.exe 1 2->11         started        13 File Explorer.exe 1 2->13         started        process3 file4 42 C:\Users\user\AppData\...\File Explorer.exe, PE32 7->42 dropped 44 C:\Users\user\AppData\...\upd05f044cf.bat, DOS 7->44 dropped 56 Detected unpacking (changes PE section rights) 7->56 58 Detected unpacking (overwrites its own PE header) 7->58 60 Drops batch files with force delete cmd (self deletion) 7->60 62 4 other signatures 7->62 15 File Explorer.exe 1 7->15         started        18 cmd.exe 1 7->18         started        20 WerFault.exe 7->20         started        22 WerFault.exe 11->22         started        24 WerFault.exe 11->24         started        26 WerFault.exe 13->26         started        signatures5 process6 signatures7 68 Writes to foreign memory regions 15->68 70 Allocates memory in foreign processes 15->70 72 Creates a thread in another existing process (thread injection) 15->72 74 Injects a PE file into a foreign processes 15->74 28 svchost.exe 2 13 15->28         started        32 svchost.exe 15->32         started        34 WerFault.exe 15->34         started        40 2 other processes 15->40 36 conhost.exe 18->36         started        38 conhost.exe 20->38         started        process8 dnsIp9 46 aliminuire.loan 28->46 64 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 28->64 66 Monitors registry run keys for changes 28->66 signatures10
Threat name:
Win32.Trojan.Upatre
Status:
Malicious
First seen:
2017-10-06 00:59:00 UTC
AV detection:
24 of 31 (77.42%)
Threat level
  5/5
Result
Malware family:
n/a
Score:
  8/10
Tags:
evasion spyware persistence
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Checks SCSI registry key(s)
Suspicious behavior: EnumeratesProcesses
Program crash
Adds Run key to start application
Adds Run key to start application
Loads dropped DLL
Reads user/profile data of web browsers
Deletes itself
Identifies Wine through registry keys
Identifies Wine through registry keys
Reads user/profile data of web browsers
Executes dropped EXE
Executes dropped EXE
Threat name:
Unknown
Score:
1.00

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments