win.pandabanker (Back to overview)

PandaBanker

aka: ZeusPanda
URLhaus            

According to Arbor, Forcepoint and Proofpoint, Panda is a variant of the well-known Zeus banking trojan(*). Fox IT discovered it in February 2016.

This banking trojan uses the infamous ATS (Automatic Transfer System/Scripts) to automate online bank portal actions.

The baseconfig (c2, crypto material, botnet name, version) is embedded in the malware itself. It then obtains a dynamic config from the c2, with further information about how to grab the webinjects and additional modules, such as vnc, backsocks and grabber.

Panda does have some DGA implemented, but according to Arbor, a bug prevents it from using it.

References
2018-10-09 ⋅ Github (JR0driguezB)JR0driguezB
@online{jr0driguezb:20181009:malware:89b0393, author = {JR0driguezB}, title = {{Malware Configs - Pandabanker}}, date = {2018-10-09}, organization = {Github (JR0driguezB)}, url = {https://github.com/JR0driguezB/malware_configs/tree/master/PandaBanker}, language = {English}, urldate = {2020-01-07} } Malware Configs - Pandabanker
PandaBanker
2018-08-20 ⋅ Vitali Kremez BlogVitali Kremez
@online{kremez:20180820:lets:d3f938c, author = {Vitali Kremez}, title = {{Let's Learn: Dissecting Panda Banker & Modules: Webinject, Grabber & Keylogger DLL Modules}}, date = {2018-08-20}, organization = {Vitali Kremez Blog}, url = {https://www.vkremez.com/2018/08/lets-learn-dissecting-panda-banker.html}, language = {English}, urldate = {2019-10-23} } Let's Learn: Dissecting Panda Banker & Modules: Webinject, Grabber & Keylogger DLL Modules
PandaBanker
2017-12-14 ⋅ ProofpointProofpoint Staff
@online{staff:20171214:zeus:27fa0fe, author = {Proofpoint Staff}, title = {{Zeus Panda Banking Trojan Targets Online Holiday Shoppers}}, date = {2017-12-14}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/zeus-panda-banking-trojan-targets-online-holiday-shoppers}, language = {English}, urldate = {2019-12-20} } Zeus Panda Banking Trojan Targets Online Holiday Shoppers
PandaBanker
2017-11-02 ⋅ TalosEdmund Brumaghin, Earl Carter, Emmanuel Tacheau
@online{brumaghin:20171102:poisoning:c00599d, author = {Edmund Brumaghin and Earl Carter and Emmanuel Tacheau}, title = {{Poisoning the Well: Banking Trojan Targets Google Search Results}}, date = {2017-11-02}, organization = {Talos}, url = {http://blog.talosintelligence.com/2017/11/zeus-panda-campaign.html}, language = {English}, urldate = {2019-11-21} } Poisoning the Well: Banking Trojan Targets Google Search Results
PandaBanker
2017-06-22 ⋅ G DataLuca Ebach
@techreport{ebach:20170622:analysis:25ecd34, author = {Luca Ebach}, title = {{Analysis Results of Zeus.Variant.Panda}}, date = {2017-06-22}, institution = {G Data}, url = {https://cyberwtf.files.wordpress.com/2017/07/panda-whitepaper.pdf}, language = {English}, urldate = {2019-12-02} } Analysis Results of Zeus.Variant.Panda
PandaBanker
2017-03-13 ⋅ Manuel K.-B.
@online{kb:20170313:zeus:9a4fbcd, author = {Manuel K.-B.}, title = {{Zeus Panda Webinjects: Don’t trust your eyes}}, date = {2017-03-13}, url = {https://cyber.wtf/2017/03/13/zeus-panda-webinjects-dont-trust-your-eyes/}, language = {English}, urldate = {2020-01-13} } Zeus Panda Webinjects: Don’t trust your eyes
PandaBanker
2017-02-03 ⋅ Manuel K.-B.
@online{kb:20170203:zeus:02a798a, author = {Manuel K.-B.}, title = {{Zeus Panda Webinjects: a case study}}, date = {2017-02-03}, url = {https://cyber.wtf/2017/02/03/zeus-panda-webinjects-a-case-study/}, language = {English}, urldate = {2019-11-22} } Zeus Panda Webinjects: a case study
PandaBanker
Yara Rules
[TLP:WHITE] win_pandabanker_auto (20190204 | autogenerated rule brought to you by yara-signator)
rule win_pandabanker_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2019-11-26"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator 0.1a"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.pandabanker"
        malpedia_version = "20190204"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using yara-signator.
     * The code and documentation / approach will be published in the near future here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    strings:
        $sequence_0 = { e8???????? 85c0 7407 8b36 43 85f6 }
            // n = 6, score = 4900
            //   e8????????           |                     
            //   85c0                 | test                eax, eax
            //   7407                 | je                  9
            //   8b36                 | mov                 esi, dword ptr [esi]
            //   43                   | inc                 ebx
            //   85f6                 | test                esi, esi

        $sequence_1 = { 47 03fd 8bd7 e8???????? }
            // n = 4, score = 4900
            //   47                   | inc                 edi
            //   03fd                 | add                 edi, ebp
            //   8bd7                 | mov                 edx, edi
            //   e8????????           |                     

        $sequence_2 = { 85c0 7509 40 89470c }
            // n = 4, score = 4900
            //   85c0                 | test                eax, eax
            //   7509                 | jne                 0xb
            //   40                   | inc                 eax
            //   89470c               | mov                 dword ptr [edi + 0xc], eax

        $sequence_3 = { 51 33c9 b201 41 e8???????? c20400 ff742404 }
            // n = 7, score = 4900
            //   51                   | push                ecx
            //   33c9                 | xor                 ecx, ecx
            //   b201                 | mov                 dl, 1
            //   41                   | inc                 ecx
            //   e8????????           |                     
            //   c20400               | ret                 4
            //   ff742404             | push                dword ptr [esp + 4]

        $sequence_4 = { e8???????? 8b5c2410 8bcb 8b542428 895c2410 e8???????? 8bce }
            // n = 7, score = 4900
            //   e8????????           |                     
            //   8b5c2410             | mov                 ebx, dword ptr [esp + 0x10]
            //   8bcb                 | mov                 ecx, ebx
            //   8b542428             | mov                 edx, dword ptr [esp + 0x28]
            //   895c2410             | mov                 dword ptr [esp + 0x10], ebx
            //   e8????????           |                     
            //   8bce                 | mov                 ecx, esi

        $sequence_5 = { 83c020 eb03 0fb6c0 8a0a 80f941 720d 80f95a }
            // n = 7, score = 4900
            //   83c020               | add                 eax, 0x20
            //   eb03                 | jmp                 5
            //   0fb6c0               | movzx               eax, al
            //   8a0a                 | mov                 cl, byte ptr [edx]
            //   80f941               | cmp                 cl, 0x41
            //   720d                 | jb                  0xf
            //   80f95a               | cmp                 cl, 0x5a

        $sequence_6 = { 40 0bc8 47 8a07 }
            // n = 4, score = 4900
            //   40                   | inc                 eax
            //   0bc8                 | or                  ecx, eax
            //   47                   | inc                 edi
            //   8a07                 | mov                 al, byte ptr [edi]

        $sequence_7 = { 8b742414 8be9 896c240c 8bda 57 83feff 7509 }
            // n = 7, score = 4900
            //   8b742414             | mov                 esi, dword ptr [esp + 0x14]
            //   8be9                 | mov                 ebp, ecx
            //   896c240c             | mov                 dword ptr [esp + 0xc], ebp
            //   8bda                 | mov                 ebx, edx
            //   57                   | push                edi
            //   83feff               | cmp                 esi, -1
            //   7509                 | jne                 0xb

        $sequence_8 = { 40 89470c 894714 ebc2 8a06 3c22 750b }
            // n = 7, score = 4900
            //   40                   | inc                 eax
            //   89470c               | mov                 dword ptr [edi + 0xc], eax
            //   894714               | mov                 dword ptr [edi + 0x14], eax
            //   ebc2                 | jmp                 0xffffffc4
            //   8a06                 | mov                 al, byte ptr [esi]
            //   3c22                 | cmp                 al, 0x22
            //   750b                 | jne                 0xd

        $sequence_9 = { c6020a 8d4dff 42 b009 8bfa f3aa }
            // n = 6, score = 4900
            //   c6020a               | mov                 byte ptr [edx], 0xa
            //   8d4dff               | lea                 ecx, [ebp - 1]
            //   42                   | inc                 edx
            //   b009                 | mov                 al, 9
            //   8bfa                 | mov                 edi, edx
            //   f3aa                 | rep stosb           byte ptr es:[edi], al

    condition:
        7 of them
}
Download all Yara Rules