SYMBOLCOMMON_NAMEaka. SYNONYMS
win.pandabanker (Back to overview)

PandaBanker

aka: ZeusPanda
URLhaus            

According to Arbor, Forcepoint and Proofpoint, Panda is a variant of the well-known Zeus banking trojan(*). Fox IT discovered it in February 2016.

This banking trojan uses the infamous ATS (Automatic Transfer System/Scripts) to automate online bank portal actions.

The baseconfig (c2, crypto material, botnet name, version) is embedded in the malware itself. It then obtains a dynamic config from the c2, with further information about how to grab the webinjects and additional modules, such as vnc, backsocks and grabber.

Panda does have some DGA implemented, but according to Arbor, a bug prevents it from using it.

References
2021-09-03Trend MicroMohamad Mokbel
@techreport{mokbel:20210903:state:df86499, author = {Mohamad Mokbel}, title = {{The State of SSL/TLS Certificate Usage in Malware C&C Communications}}, date = {2021-09-03}, institution = {Trend Micro}, url = {https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf}, language = {English}, urldate = {2021-09-19} } The State of SSL/TLS Certificate Usage in Malware C&C Communications
AdWind ostap AsyncRAT BazarBackdoor BitRAT Buer Chthonic CloudEyE Cobalt Strike DCRat Dridex FindPOS GootKit Gozi IcedID ISFB Nanocore RAT Orcus RAT PandaBanker Qadars QakBot Quasar RAT Rockloader ServHelper Shifu SManager TorrentLocker TrickBot Vawtrak Zeus Zloader
2021-08-21Medium CrovaxCrovax
@online{crovax:20210821:panda:38d0b7a, author = {Crovax}, title = {{Panda Banker Analysis Part 1}}, date = {2021-08-21}, organization = {Medium Crovax}, url = {https://medium.com/@crovax/panda-banker-analysis-part-1-d08b3a855847}, language = {English}, urldate = {2022-01-25} } Panda Banker Analysis Part 1
PandaBanker
2020-08-09F5 LabsRemi Cohen, Debbie Walkowski
@online{cohen:20200809:banking:8718999, author = {Remi Cohen and Debbie Walkowski}, title = {{Banking Trojans: A Reference Guide to the Malware Family Tree}}, date = {2020-08-09}, organization = {F5 Labs}, url = {https://www.f5.com/labs/articles/education/banking-trojans-a-reference-guide-to-the-malware-family-tree}, language = {English}, urldate = {2021-06-29} } Banking Trojans: A Reference Guide to the Malware Family Tree
BackSwap Carberp Citadel DanaBot Dridex Dyre Emotet Gozi Kronos PandaBanker Ramnit Shylock SpyEye Tinba TrickBot Vawtrak Zeus
2020-05-20Youtube (nonepizza)nonepizza
@online{nonepizza:20200520:pandabanker:da5cd3c, author = {nonepizza}, title = {{(PandaBanker Analysis) Fixing Corrupted PE Headers and Unmapping an Executable}}, date = {2020-05-20}, organization = {Youtube (nonepizza)}, url = {https://www.youtube.com/watch?v=J7VOfAJvxEY}, language = {English}, urldate = {2020-05-29} } (PandaBanker Analysis) Fixing Corrupted PE Headers and Unmapping an Executable
PandaBanker
2019-12-12FireEyeChi-en Shen, Oleg Bondarenko
@online{shen:20191212:cyber:e01baca, author = {Chi-en Shen and Oleg Bondarenko}, title = {{Cyber Threat Landscape in Japan – Revealing Threat in the Shadow}}, date = {2019-12-12}, organization = {FireEye}, url = {https://www.slideshare.net/codeblue_jp/cb19-cyber-threat-landscape-in-japan-revealing-threat-in-the-shadow-by-chi-en-shen-ashley-oleg-bondarenko}, language = {English}, urldate = {2020-04-16} } Cyber Threat Landscape in Japan – Revealing Threat in the Shadow
Cerberus TSCookie Cobalt Strike Dtrack Emotet Formbook IcedID Icefog IRONHALO Loki Password Stealer (PWS) PandaBanker PLEAD poisonplug TrickBot BlackTech
2019-07-11ProofpointProofpoint Threat Insight Team
@online{team:20190711:threat:00e0a1a, author = {Proofpoint Threat Insight Team}, title = {{Threat Actor Profile: TA544 targets geographies from Italy to Japan with a range of malware}}, date = {2019-07-11}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/threat-actor-profile-ta544-targets-geographies-italy-japan-range-malware}, language = {English}, urldate = {2021-05-31} } Threat Actor Profile: TA544 targets geographies from Italy to Japan with a range of malware
ISFB PandaBanker UrlZone NARWHAL SPIDER
2018-10-09Github (JR0driguezB)JR0driguezB
@online{jr0driguezb:20181009:malware:89b0393, author = {JR0driguezB}, title = {{Malware Configs - Pandabanker}}, date = {2018-10-09}, organization = {Github (JR0driguezB)}, url = {https://github.com/JR0driguezB/malware_configs/tree/master/PandaBanker}, language = {English}, urldate = {2020-01-07} } Malware Configs - Pandabanker
PandaBanker
2018-08-20Vitali Kremez BlogVitali Kremez
@online{kremez:20180820:lets:d3f938c, author = {Vitali Kremez}, title = {{Let's Learn: Dissecting Panda Banker & Modules: Webinject, Grabber & Keylogger DLL Modules}}, date = {2018-08-20}, organization = {Vitali Kremez Blog}, url = {https://www.vkremez.com/2018/08/lets-learn-dissecting-panda-banker.html}, language = {English}, urldate = {2019-10-23} } Let's Learn: Dissecting Panda Banker & Modules: Webinject, Grabber & Keylogger DLL Modules
PandaBanker
2018-01-12ProofpointProofpoint Staff
@online{staff:20180112:holiday:b4225b8, author = {Proofpoint Staff}, title = {{Holiday lull? Not so much}}, date = {2018-01-12}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/holiday-lull-not-so-much}, language = {English}, urldate = {2021-05-31} } Holiday lull? Not so much
Dridex Emotet GlobeImposter ISFB Necurs PandaBanker UrlZone NARWHAL SPIDER
2017-12-14ProofpointProofpoint Staff
@online{staff:20171214:zeus:27fa0fe, author = {Proofpoint Staff}, title = {{Zeus Panda Banking Trojan Targets Online Holiday Shoppers}}, date = {2017-12-14}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/zeus-panda-banking-trojan-targets-online-holiday-shoppers}, language = {English}, urldate = {2019-12-20} } Zeus Panda Banking Trojan Targets Online Holiday Shoppers
PandaBanker
2017-11-02TalosEdmund Brumaghin, Earl Carter, Emmanuel Tacheau
@online{brumaghin:20171102:poisoning:c00599d, author = {Edmund Brumaghin and Earl Carter and Emmanuel Tacheau}, title = {{Poisoning the Well: Banking Trojan Targets Google Search Results}}, date = {2017-11-02}, organization = {Talos}, url = {http://blog.talosintelligence.com/2017/11/zeus-panda-campaign.html}, language = {English}, urldate = {2019-11-21} } Poisoning the Well: Banking Trojan Targets Google Search Results
PandaBanker
2017-06-22G DataLuca Ebach
@techreport{ebach:20170622:analysis:25ecd34, author = {Luca Ebach}, title = {{Analysis Results of Zeus.Variant.Panda}}, date = {2017-06-22}, institution = {G Data}, url = {https://cyberwtf.files.wordpress.com/2017/07/panda-whitepaper.pdf}, language = {English}, urldate = {2019-12-02} } Analysis Results of Zeus.Variant.Panda
PandaBanker
2017-03-13Manuel K.-B.
@online{kb:20170313:zeus:9a4fbcd, author = {Manuel K.-B.}, title = {{Zeus Panda Webinjects: Don’t trust your eyes}}, date = {2017-03-13}, url = {https://cyber.wtf/2017/03/13/zeus-panda-webinjects-dont-trust-your-eyes/}, language = {English}, urldate = {2020-01-13} } Zeus Panda Webinjects: Don’t trust your eyes
PandaBanker
2017-02-03Manuel K.-B.
@online{kb:20170203:zeus:02a798a, author = {Manuel K.-B.}, title = {{Zeus Panda Webinjects: a case study}}, date = {2017-02-03}, url = {https://cyber.wtf/2017/02/03/zeus-panda-webinjects-a-case-study/}, language = {English}, urldate = {2019-11-22} } Zeus Panda Webinjects: a case study
PandaBanker
Yara Rules
[TLP:WHITE] win_pandabanker_auto (20230407 | Detects win.pandabanker.)
rule win_pandabanker_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-03-28"
        version = "1"
        description = "Detects win.pandabanker."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.pandabanker"
        malpedia_rule_date = "20230328"
        malpedia_hash = "9d2d75cef573c1c2d861f5197df8f563b05a305d"
        malpedia_version = "20230407"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 0fbed0 83ea37 eb16 3c61 0f8ca5000000 }
            // n = 5, score = 8600
            //   0fbed0               | movsx               edx, al
            //   83ea37               | sub                 edx, 0x37
            //   eb16                 | jmp                 0x18
            //   3c61                 | cmp                 al, 0x61
            //   0f8ca5000000         | jl                  0xab

        $sequence_1 = { 3b0f 7ce2 8b2f 03f5 }
            // n = 4, score = 8600
            //   3b0f                 | cmp                 ecx, dword ptr [edi]
            //   7ce2                 | jl                  0xffffffe4
            //   8b2f                 | mov                 ebp, dword ptr [edi]
            //   03f5                 | add                 esi, ebp

        $sequence_2 = { e8???????? 8b7500 8d7c2414 8b442410 03f3 }
            // n = 5, score = 8600
            //   e8????????           |                     
            //   8b7500               | mov                 esi, dword ptr [ebp]
            //   8d7c2414             | lea                 edi, [esp + 0x14]
            //   8b442410             | mov                 eax, dword ptr [esp + 0x10]
            //   03f3                 | add                 esi, ebx

        $sequence_3 = { 85db 7404 c6000a 40 c60000 8b442434 }
            // n = 6, score = 8600
            //   85db                 | test                ebx, ebx
            //   7404                 | je                  6
            //   c6000a               | mov                 byte ptr [eax], 0xa
            //   40                   | inc                 eax
            //   c60000               | mov                 byte ptr [eax], 0
            //   8b442434             | mov                 eax, dword ptr [esp + 0x34]

        $sequence_4 = { f3a4 5f 5e 8bcd 5d }
            // n = 5, score = 8600
            //   f3a4                 | rep movsb           byte ptr es:[edi], byte ptr [esi]
            //   5f                   | pop                 edi
            //   5e                   | pop                 esi
            //   8bcd                 | mov                 ecx, ebp
            //   5d                   | pop                 ebp

        $sequence_5 = { 33c0 85c9 740b 394104 7406 394108 7401 }
            // n = 7, score = 8600
            //   33c0                 | xor                 eax, eax
            //   85c9                 | test                ecx, ecx
            //   740b                 | je                  0xd
            //   394104               | cmp                 dword ptr [ecx + 4], eax
            //   7406                 | je                  8
            //   394108               | cmp                 dword ptr [ecx + 8], eax
            //   7401                 | je                  3

        $sequence_6 = { e8???????? 84c0 746d 83caff 8bce e8???????? 8bf8 }
            // n = 7, score = 8600
            //   e8????????           |                     
            //   84c0                 | test                al, al
            //   746d                 | je                  0x6f
            //   83caff               | or                  edx, 0xffffffff
            //   8bce                 | mov                 ecx, esi
            //   e8????????           |                     
            //   8bf8                 | mov                 edi, eax

        $sequence_7 = { 8b74243c 8d7801 8b4c2440 f3a4 8b7c2440 8b742444 47 }
            // n = 7, score = 8600
            //   8b74243c             | mov                 esi, dword ptr [esp + 0x3c]
            //   8d7801               | lea                 edi, [eax + 1]
            //   8b4c2440             | mov                 ecx, dword ptr [esp + 0x40]
            //   f3a4                 | rep movsb           byte ptr es:[edi], byte ptr [esi]
            //   8b7c2440             | mov                 edi, dword ptr [esp + 0x40]
            //   8b742444             | mov                 esi, dword ptr [esp + 0x44]
            //   47                   | inc                 edi

        $sequence_8 = { 8bce 50 e8???????? 8b7c2424 84c0 744e ff742428 }
            // n = 7, score = 8600
            //   8bce                 | mov                 ecx, esi
            //   50                   | push                eax
            //   e8????????           |                     
            //   8b7c2424             | mov                 edi, dword ptr [esp + 0x24]
            //   84c0                 | test                al, al
            //   744e                 | je                  0x50
            //   ff742428             | push                dword ptr [esp + 0x28]

        $sequence_9 = { 8b4b54 83c018 03c3 f3a4 89442410 33c9 }
            // n = 6, score = 8600
            //   8b4b54               | mov                 ecx, dword ptr [ebx + 0x54]
            //   83c018               | add                 eax, 0x18
            //   03c3                 | add                 eax, ebx
            //   f3a4                 | rep movsb           byte ptr es:[edi], byte ptr [esi]
            //   89442410             | mov                 dword ptr [esp + 0x10], eax
            //   33c9                 | xor                 ecx, ecx

    condition:
        7 of them and filesize < 417792
}
Download all Yara Rules