Analysis
max time kernel: 65s
max time network: 110s
platform: windows10_x64
resource: win10
submitted: 19-07-2020 19:31

Static task: static1
Behavioral task: behavioral1
Sample: pandabanker_2.5.0.vir.exe
Resource: win7v200430 (windows7_x64)
0 signatures, 0 seconds
General
Target: pandabanker_2.5.0.vir.exe
Size: 394KB
MD5: f1f81e6751825b70ee2d8a90ae4119ce
SHA1: 854b027105285490e7e08f1a1280675ec14ce1e5
SHA256: 335c0e4430a08956f796611b3ebf273117e784ee1d728d7b8fcb9997c98735cc
SHA512: a9ef255fb42b0b51a893df9dadf5ab8435047451e477ecd5ec562925718dcb117242dcd6270a35a64926283123ea549205335a9420da3d9d4c49d0e581896bae
Malware Config
Signatures
Suspicious use of FindShellTrayWindow (2 IoCs)
Processes:
  pid   process
  3608  pandabanker_2.5.0.vir.exe
  3856  3647222921wleabcEoxlt-eengsairo.exe

Suspicious behavior: EnumeratesProcesses (20 IoCs)
Processes:
  pid   process
  3608  pandabanker_2.5.0.vir.exe  (20 occurrences)

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
  description                 pid   process
  Token: SeSecurityPrivilege  3608  pandabanker_2.5.0.vir.exe

Suspicious use of WriteProcessMemory (6 IoCs)
Processes:
  description                       pid   process                    target process
  PID 3608 wrote to memory of 3856  3608  pandabanker_2.5.0.vir.exe  3647222921wleabcEoxlt-eengsairo.exe  (3 occurrences)
  PID 3608 wrote to memory of 3820  3608  pandabanker_2.5.0.vir.exe  cmd.exe  (3 occurrences)

Executes dropped EXE (1 IoC)
Processes:
  pid   process
  3856  3647222921wleabcEoxlt-eengsairo.exe

Identifies Wine through registry keys (2 TTPs, 2 IoCs)
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
Processes:
  description  ioc                                                                          process
  Key opened   \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\WINE  pandabanker_2.5.0.vir.exe
  Key opened   \REGISTRY\MACHINE\Software\WOW6432Node\WINE                                  pandabanker_2.5.0.vir.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials, etc.
Processes
C:\Users\Admin\AppData\Local\Temp\pandabanker_2.5.0.vir.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\pandabanker_2.5.0.vir.exe"
  - Suspicious use of FindShellTrayWindow
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - Identifies Wine through registry keys

  C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\DC\Security\3647222921wleabcEoxlt-eengsairo.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\DC\Security\3647222921wleabcEoxlt-eengsairo.exe"
    - Suspicious use of FindShellTrayWindow
    - Executes dropped EXE

  C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\updd3429026.bat"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\updd3429026.bat
- C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\DC\Security\3647222921wleabcEoxlt-eengsairo.exe
- C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\DC\Security\3647222921wleabcEoxlt-eengsairo.exe
- memory/3820-3-0x0000000000000000-mapping.dmp
- memory/3856-0-0x0000000000000000-mapping.dmp