Analysis
- max time kernel: 129s
- max time network: 23s
- platform: windows7_x64
- resource: win7v200430
- submitted: 19-07-2020 19:32

Static task: static1

Behavioral task: behavioral1
- Sample: pandabanker_2.1.0.vir.exe
- Resource: win7v200430 (windows7_x64)
- 0 signatures, 0 seconds

Behavioral task: behavioral2
- Sample: pandabanker_2.1.0.vir.exe
- Resource: win10v200430 (windows10_x64)
- 0 signatures, 0 seconds
General
- Target: pandabanker_2.1.0.vir.exe
- Size: 243KB
- MD5: c6ffa4a58e659e537868350abd676ba0
- SHA1: cb92588544d6a12f61b66f0694b60a5cacfd4684
- SHA256: db790cbe0beb2a9c2749cb914fbdec8bdc7aa2ef3c9ca6c721e0c0fede715fb2
- SHA512: a57dc9c62c7898773ec5e259bc2c3c1fbb802635e2a38bce8d6b6d81142d940b3c1c341052cbe88511b7ddfdbeff0dd9c2e7eba5ada62d304f6a686c3c0e01d7
- Score: 8/10
Malware Config
Signatures
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
    description                 pid  process
    Token: SeSecurityPrivilege  272  pandabanker_2.1.0.vir.exe
    Token: SeSecurityPrivilege  272  pandabanker_2.1.0.vir.exe
- Loads dropped DLL (2 IoCs)
  Processes:
    pid  process
    272  pandabanker_2.1.0.vir.exe
    272  pandabanker_2.1.0.vir.exe
- Suspicious use of WriteProcessMemory (28 IoCs)
  Processes:
    description                       pid  process                    target process  entries
    PID 272 wrote to memory of 736    272  pandabanker_2.1.0.vir.exe  NewUndo.exe     4
    PID 736 wrote to memory of 1064   736  NewUndo.exe                svchost.exe     10
    PID 736 wrote to memory of 1492   736  NewUndo.exe                svchost.exe     10
    PID 272 wrote to memory of 1872   272  pandabanker_2.1.0.vir.exe  cmd.exe         4
- Executes dropped EXE (1 IoC)
  Processes:
    pid  process
    736  NewUndo.exe
- Deletes itself (1 IoC)
  Processes:
    pid   process
    1872  cmd.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
Processes
- C:\Users\Admin\AppData\Local\Temp\pandabanker_2.1.0.vir.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\pandabanker_2.1.0.vir.exe"
  - Suspicious use of AdjustPrivilegeToken
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\8r5uu9el.default-release\crashes\NewUndo.exe
    command line: "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\8r5uu9el.default-release\crashes\NewUndo.exe"
    - Suspicious use of WriteProcessMemory
    - Executes dropped EXE
    - C:\Windows\SysWOW64\svchost.exe
      command line: C:\Windows\SysWOW64\svchost.exe -k netsvcs
    - C:\Windows\SysWOW64\svchost.exe
      command line: C:\Windows\SysWOW64\svchost.exe -k netsvcs
  - C:\Windows\SysWOW64\cmd.exe
    command line: "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\upd72504b5d.bat"
    - Deletes itself
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\upd72504b5d.bat
- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\8r5uu9el.default-release\crashes\NewUndo.exe
- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\8r5uu9el.default-release\crashes\NewUndo.exe
- \Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\8r5uu9el.default-release\crashes\NewUndo.exe
- \Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\8r5uu9el.default-release\crashes\NewUndo.exe
- memory/736-2-0x0000000000000000-mapping.dmp
- memory/1064-5-0x0000000000000000-mapping.dmp
- memory/1492-6-0x0000000000000000-mapping.dmp
- memory/1872-7-0x0000000000000000-mapping.dmp