59e2125782c015d9cad7ae6035eaed1cfab4889ee90ed74888582c784d08fb3b

General

Target

pandabanker_2.3.2.vir.exe
Size

347KB
MD5

ff044656b81afc0b8096bacb070277bf
SHA1

5e8dd2c875da5af0958bc38593ace12e68090c81
SHA256

59e2125782c015d9cad7ae6035eaed1cfab4889ee90ed74888582c784d08fb3b
SHA512

68c5a083529ff046ff826d3dcc34360dabbf74aeab9d19a39b7026ceb19b1a2836fbfb9bb7fab8eab3040bf5fa7cf33cb7865d472a19dcc4200d6a4d2d16c059

Score

9^/10

evasion spyware

Malware Config

Signatures

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

pandabanker_2.3.2.vir.exe

description pid process

Token: SeSecurityPrivilege 1544 pandabanker_2.3.2.vir.exe
Loads dropped DLL 1 IoCs

Processes:

pandabanker_2.3.2.vir.exe

pid process

1544 pandabanker_2.3.2.vir.exe

description	pid	process
Token: SeSecurityPrivilege	1544	pandabanker_2.3.2.vir.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

pandabanker_2.3.2.vir.exeextension-preferences.exe

description	pid	process	target process
PID 1544 wrote to memory of 792	1544	pandabanker_2.3.2.vir.exe	extension-preferences.exe
PID 1544 wrote to memory of 792	1544	pandabanker_2.3.2.vir.exe	extension-preferences.exe
PID 1544 wrote to memory of 792	1544	pandabanker_2.3.2.vir.exe	extension-preferences.exe
PID 1544 wrote to memory of 792	1544	pandabanker_2.3.2.vir.exe	extension-preferences.exe
PID 792 wrote to memory of 1044	792	extension-preferences.exe	svchost.exe
PID 792 wrote to memory of 1044	792	extension-preferences.exe	svchost.exe
PID 792 wrote to memory of 1044	792	extension-preferences.exe	svchost.exe
PID 792 wrote to memory of 1044	792	extension-preferences.exe	svchost.exe
PID 792 wrote to memory of 1044	792	extension-preferences.exe	svchost.exe
PID 792 wrote to memory of 1044	792	extension-preferences.exe	svchost.exe
PID 792 wrote to memory of 1044	792	extension-preferences.exe	svchost.exe
PID 792 wrote to memory of 1044	792	extension-preferences.exe	svchost.exe
PID 792 wrote to memory of 1516	792	extension-preferences.exe	svchost.exe
PID 792 wrote to memory of 1516	792	extension-preferences.exe	svchost.exe
PID 792 wrote to memory of 1516	792	extension-preferences.exe	svchost.exe
PID 792 wrote to memory of 1516	792	extension-preferences.exe	svchost.exe
PID 792 wrote to memory of 1516	792	extension-preferences.exe	svchost.exe
PID 792 wrote to memory of 1516	792	extension-preferences.exe	svchost.exe
PID 792 wrote to memory of 1516	792	extension-preferences.exe	svchost.exe
PID 792 wrote to memory of 1516	792	extension-preferences.exe	svchost.exe
PID 1544 wrote to memory of 1684	1544	pandabanker_2.3.2.vir.exe	cmd.exe
PID 1544 wrote to memory of 1684	1544	pandabanker_2.3.2.vir.exe	cmd.exe
PID 1544 wrote to memory of 1684	1544	pandabanker_2.3.2.vir.exe	cmd.exe
PID 1544 wrote to memory of 1684	1544	pandabanker_2.3.2.vir.exe	cmd.exe

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1684 cmd.exe
Looks for VirtualBox Guest Additions in registry 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497
Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.

Query Registry
T1012

System Information Discovery
T1082

Processes:

pandabanker_2.3.2.vir.exe

description ioc process

Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion pandabanker_2.3.2.vir.exe

pid	process
1684	cmd.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	pandabanker_2.3.2.vir.exe

Identifies Wine through registry keys 2 TTPs 2 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

pandabanker_2.3.2.vir.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Software\Wow6432Node\WINE	pandabanker_2.3.2.vir.exe
Key opened	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\WINE	pandabanker_2.3.2.vir.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

pandabanker_2.3.2.vir.exe

pid	process
1544	pandabanker_2.3.2.vir.exe
1544	pandabanker_2.3.2.vir.exe
1544	pandabanker_2.3.2.vir.exe
1544	pandabanker_2.3.2.vir.exe
1544	pandabanker_2.3.2.vir.exe
1544	pandabanker_2.3.2.vir.exe
1544	pandabanker_2.3.2.vir.exe
1544	pandabanker_2.3.2.vir.exe
1544	pandabanker_2.3.2.vir.exe
1544	pandabanker_2.3.2.vir.exe

Executes dropped EXE 1 IoCs

Processes:

extension-preferences.exe

pid process

792 extension-preferences.exe

pid	process
792	extension-preferences.exe

Modifies system certificate store 2 TTPs 8 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

extension-preferences.exepandabanker_2.3.2.vir.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\SystemCertificates\敃瑲慎獭	extension-preferences.exe
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\SystemCertificates\敃瑲慎獭\Certificates	extension-preferences.exe
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\SystemCertificates\敃瑲慎獭\CRLs	extension-preferences.exe
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\SystemCertificates\敃瑲慎獭\CTLs	extension-preferences.exe
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\SystemCertificates\敃瑲慎獭	pandabanker_2.3.2.vir.exe
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\SystemCertificates\敃瑲慎獭\Certificates	pandabanker_2.3.2.vir.exe
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\SystemCertificates\敃瑲慎獭\CRLs	pandabanker_2.3.2.vir.exe
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\SystemCertificates\敃瑲慎獭\CTLs	pandabanker_2.3.2.vir.exe

Looks for VMWare Tools registry key 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

C:\Users\Admin\AppData\Local\Temp\pandabanker_2.3.2.vir.exe
"C:\Users\Admin\AppData\Local\Temp\pandabanker_2.3.2.vir.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious behavior: EnumeratesProcesses
- Modifies system certificate store
PID:1544

C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\extension-preferences.exe
"C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\extension-preferences.exe"
2⤵
- Suspicious use of WriteProcessMemory
- Executes dropped EXE
- Modifies system certificate store
PID:792

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
3⤵
PID:1044

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
3⤵
PID:1516

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\upd3ecda5e0.bat"
2⤵
- Deletes itself
PID:1684

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

4

T1497

Install Root Certificate

1

T1130

Modify Registry

1

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

5

T1012

Virtualization/Sandbox Evasion

4

T1497

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\upd3ecda5e0.bat

Download Submit
C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\extension-preferences.exe

Download Submit
C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\extension-preferences.exe

Download Submit
\Users\Admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\extension-preferences.exe

Download Submit
memory/792-1-0x0000000000000000-mapping.dmp

Download
memory/1044-4-0x0000000000000000-mapping.dmp

Download
memory/1516-5-0x0000000000000000-mapping.dmp

Download
memory/1684-6-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads