Analysis
- max time kernel: 118s
- max time network: 122s
- platform: windows7_x64
- resource: win7
- submitted: 19-07-2020 19:41
Static task: static1
Behavioral task: behavioral1
- Sample: pandabanker_2.1.2.vir.exe
- Resource: win7 (windows7_x64)
- 0 signatures, 0 seconds
Behavioral task: behavioral2
- Sample: pandabanker_2.1.2.vir.exe
- Resource: win10v200430 (windows10_x64)
- 0 signatures, 0 seconds
General
- Target: pandabanker_2.1.2.vir.exe
- Size: 336KB
- MD5: dfb9784c77e51bfb53d018b7b64381ff
- SHA1: ab94e10047ee84e26263fa4c1528295b3c9ef945
- SHA256: e4e8aac2107834b2d895fc35d71bb396075d971c650ff173714c3d17956c7da6
- SHA512: e5ac07c1cfda0111b5a30fbf04eda166588fba76547220b616f53eed1cbb4a31dd7c79c42c3af4925a8750e6bb87a391ec266b93137f176a302982b7997e3ec2
- Score: 8/10
Malware Config
Signatures
-
Deletes itself (1 IoC)
Processes (pid | process):
1980 | cmd.exe
-
JavaScript code in executable (3 IoCs)
Processes (resource | yara_rule):
\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\d5vrebxd.default-release\crashes\3870112724rsegmnoittet-es.exe | js
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\d5vrebxd.default-release\crashes\3870112724rsegmnoittet-es.exe | js
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\d5vrebxd.default-release\crashes\3870112724rsegmnoittet-es.exe | js
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials and other sensitive information.
-
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes (description | pid | process):
Token: SeSecurityPrivilege | 1496 | pandabanker_2.1.2.vir.exe
Token: SeSecurityPrivilege | 1496 | pandabanker_2.1.2.vir.exe
-
Loads dropped DLL (1 IoC)
Processes (pid | process):
1496 | pandabanker_2.1.2.vir.exe
-
Suspicious use of WriteProcessMemory (24 IoCs)
Processes (description | pid | process | target process):
PID 1496 wrote to memory of 1032 | 1496 | pandabanker_2.1.2.vir.exe | 3870112724rsegmnoittet-es.exe
PID 1496 wrote to memory of 1032 | 1496 | pandabanker_2.1.2.vir.exe | 3870112724rsegmnoittet-es.exe
PID 1496 wrote to memory of 1032 | 1496 | pandabanker_2.1.2.vir.exe | 3870112724rsegmnoittet-es.exe
PID 1496 wrote to memory of 1032 | 1496 | pandabanker_2.1.2.vir.exe | 3870112724rsegmnoittet-es.exe
PID 1032 wrote to memory of 1660 | 1032 | 3870112724rsegmnoittet-es.exe | svchost.exe
PID 1032 wrote to memory of 1660 | 1032 | 3870112724rsegmnoittet-es.exe | svchost.exe
PID 1032 wrote to memory of 1660 | 1032 | 3870112724rsegmnoittet-es.exe | svchost.exe
PID 1032 wrote to memory of 1660 | 1032 | 3870112724rsegmnoittet-es.exe | svchost.exe
PID 1032 wrote to memory of 1660 | 1032 | 3870112724rsegmnoittet-es.exe | svchost.exe
PID 1032 wrote to memory of 1660 | 1032 | 3870112724rsegmnoittet-es.exe | svchost.exe
PID 1032 wrote to memory of 1660 | 1032 | 3870112724rsegmnoittet-es.exe | svchost.exe
PID 1032 wrote to memory of 1660 | 1032 | 3870112724rsegmnoittet-es.exe | svchost.exe
PID 1032 wrote to memory of 1624 | 1032 | 3870112724rsegmnoittet-es.exe | svchost.exe
PID 1032 wrote to memory of 1624 | 1032 | 3870112724rsegmnoittet-es.exe | svchost.exe
PID 1032 wrote to memory of 1624 | 1032 | 3870112724rsegmnoittet-es.exe | svchost.exe
PID 1032 wrote to memory of 1624 | 1032 | 3870112724rsegmnoittet-es.exe | svchost.exe
PID 1032 wrote to memory of 1624 | 1032 | 3870112724rsegmnoittet-es.exe | svchost.exe
PID 1032 wrote to memory of 1624 | 1032 | 3870112724rsegmnoittet-es.exe | svchost.exe
PID 1032 wrote to memory of 1624 | 1032 | 3870112724rsegmnoittet-es.exe | svchost.exe
PID 1032 wrote to memory of 1624 | 1032 | 3870112724rsegmnoittet-es.exe | svchost.exe
PID 1496 wrote to memory of 1980 | 1496 | pandabanker_2.1.2.vir.exe | cmd.exe
PID 1496 wrote to memory of 1980 | 1496 | pandabanker_2.1.2.vir.exe | cmd.exe
PID 1496 wrote to memory of 1980 | 1496 | pandabanker_2.1.2.vir.exe | cmd.exe
PID 1496 wrote to memory of 1980 | 1496 | pandabanker_2.1.2.vir.exe | cmd.exe
-
Executes dropped EXE (1 IoC)
Processes (pid | process):
1032 | 3870112724rsegmnoittet-es.exe
Processes
- (level 1) C:\Users\Admin\AppData\Local\Temp\pandabanker_2.1.2.vir.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\pandabanker_2.1.2.vir.exe"
  - Suspicious use of AdjustPrivilegeToken
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - (level 2) C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\d5vrebxd.default-release\crashes\3870112724rsegmnoittet-es.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\d5vrebxd.default-release\crashes\3870112724rsegmnoittet-es.exe"
    - Suspicious use of WriteProcessMemory
    - Executes dropped EXE
    - (level 3) C:\Windows\SysWOW64\svchost.exe
      Command line: C:\Windows\SysWOW64\svchost.exe -k netsvcs
    - (level 3) C:\Windows\SysWOW64\svchost.exe
      Command line: C:\Windows\SysWOW64\svchost.exe -k netsvcs
  - (level 2) C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\upda40e40e7.bat"
    - Deletes itself
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\upda40e40e7.bat
- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\d5vrebxd.default-release\crashes\3870112724rsegmnoittet-es.exe
- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\d5vrebxd.default-release\crashes\3870112724rsegmnoittet-es.exe
- \Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\d5vrebxd.default-release\crashes\3870112724rsegmnoittet-es.exe
- memory/1032-1-0x0000000000000000-mapping.dmp
- memory/1032-6-0x00000000020E0000-0x00000000020E4000-memory.dmp (Filesize: 16KB)
- memory/1496-8-0x0000000002280000-0x0000000002284000-memory.dmp (Filesize: 16KB)
- memory/1624-5-0x0000000000000000-mapping.dmp
- memory/1660-4-0x0000000000000000-mapping.dmp
- memory/1980-7-0x0000000000000000-mapping.dmp