SYMBOLCOMMON_NAMEaka. SYNONYMS
win.pandabanker (Back to overview)

PandaBanker

aka: ZeusPanda
URLhaus            

According to Arbor, Forcepoint and Proofpoint, Panda is a variant of the well-known Zeus banking trojan(*). Fox IT discovered it in February 2016.

This banking trojan uses the infamous ATS (Automatic Transfer System/Scripts) to automate online bank portal actions.

The baseconfig (c2, crypto material, botnet name, version) is embedded in the malware itself. It then obtains a dynamic config from the c2, with further information about how to grab the webinjects and additional modules, such as vnc, backsocks and grabber.

Panda does have some DGA implemented, but according to Arbor, a bug prevents it from using it.

References
2020-05-20Youtube (nonepizza)nonepizza
@online{nonepizza:20200520:pandabanker:da5cd3c, author = {nonepizza}, title = {{(PandaBanker Analysis) Fixing Corrupted PE Headers and Unmapping an Executable}}, date = {2020-05-20}, organization = {Youtube (nonepizza)}, url = {https://www.youtube.com/watch?v=J7VOfAJvxEY}, language = {English}, urldate = {2020-05-29} } (PandaBanker Analysis) Fixing Corrupted PE Headers and Unmapping an Executable
PandaBanker
2019-12-12FireEyeChi-en Shen, Oleg Bondarenko
@online{shen:20191212:cyber:e01baca, author = {Chi-en Shen and Oleg Bondarenko}, title = {{Cyber Threat Landscape in Japan – Revealing Threat in the Shadow}}, date = {2019-12-12}, organization = {FireEye}, url = {https://www.slideshare.net/codeblue_jp/cb19-cyber-threat-landscape-in-japan-revealing-threat-in-the-shadow-by-chi-en-shen-ashley-oleg-bondarenko}, language = {English}, urldate = {2020-04-16} } Cyber Threat Landscape in Japan – Revealing Threat in the Shadow
Cerberus TSCookie Cobalt Strike Dtrack Emotet Formbook IcedID Icefog IRONHALO Loki Password Stealer (PWS) PandaBanker PLEAD poisonplug TrickBot BlackTech
2018-10-09Github (JR0driguezB)JR0driguezB
@online{jr0driguezb:20181009:malware:89b0393, author = {JR0driguezB}, title = {{Malware Configs - Pandabanker}}, date = {2018-10-09}, organization = {Github (JR0driguezB)}, url = {https://github.com/JR0driguezB/malware_configs/tree/master/PandaBanker}, language = {English}, urldate = {2020-01-07} } Malware Configs - Pandabanker
PandaBanker
2018-08-20Vitali Kremez BlogVitali Kremez
@online{kremez:20180820:lets:d3f938c, author = {Vitali Kremez}, title = {{Let's Learn: Dissecting Panda Banker & Modules: Webinject, Grabber & Keylogger DLL Modules}}, date = {2018-08-20}, organization = {Vitali Kremez Blog}, url = {https://www.vkremez.com/2018/08/lets-learn-dissecting-panda-banker.html}, language = {English}, urldate = {2019-10-23} } Let's Learn: Dissecting Panda Banker & Modules: Webinject, Grabber & Keylogger DLL Modules
PandaBanker
2017-12-14ProofpointProofpoint Staff
@online{staff:20171214:zeus:27fa0fe, author = {Proofpoint Staff}, title = {{Zeus Panda Banking Trojan Targets Online Holiday Shoppers}}, date = {2017-12-14}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/zeus-panda-banking-trojan-targets-online-holiday-shoppers}, language = {English}, urldate = {2019-12-20} } Zeus Panda Banking Trojan Targets Online Holiday Shoppers
PandaBanker
2017-11-02TalosEdmund Brumaghin, Earl Carter, Emmanuel Tacheau
@online{brumaghin:20171102:poisoning:c00599d, author = {Edmund Brumaghin and Earl Carter and Emmanuel Tacheau}, title = {{Poisoning the Well: Banking Trojan Targets Google Search Results}}, date = {2017-11-02}, organization = {Talos}, url = {http://blog.talosintelligence.com/2017/11/zeus-panda-campaign.html}, language = {English}, urldate = {2019-11-21} } Poisoning the Well: Banking Trojan Targets Google Search Results
PandaBanker
2017-06-22G DataLuca Ebach
@techreport{ebach:20170622:analysis:25ecd34, author = {Luca Ebach}, title = {{Analysis Results of Zeus.Variant.Panda}}, date = {2017-06-22}, institution = {G Data}, url = {https://cyberwtf.files.wordpress.com/2017/07/panda-whitepaper.pdf}, language = {English}, urldate = {2019-12-02} } Analysis Results of Zeus.Variant.Panda
PandaBanker
2017-03-13Manuel K.-B.
@online{kb:20170313:zeus:9a4fbcd, author = {Manuel K.-B.}, title = {{Zeus Panda Webinjects: Don’t trust your eyes}}, date = {2017-03-13}, url = {https://cyber.wtf/2017/03/13/zeus-panda-webinjects-dont-trust-your-eyes/}, language = {English}, urldate = {2020-01-13} } Zeus Panda Webinjects: Don’t trust your eyes
PandaBanker
2017-02-03Manuel K.-B.
@online{kb:20170203:zeus:02a798a, author = {Manuel K.-B.}, title = {{Zeus Panda Webinjects: a case study}}, date = {2017-02-03}, url = {https://cyber.wtf/2017/02/03/zeus-panda-webinjects-a-case-study/}, language = {English}, urldate = {2019-11-22} } Zeus Panda Webinjects: a case study
PandaBanker
Yara Rules
[TLP:WHITE] win_pandabanker_auto (20200817 | autogenerated rule brought to you by yara-signator)
rule win_pandabanker_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-08-17"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.4.0"
        tool_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.pandabanker"
        malpedia_rule_date = "20200817"
        malpedia_hash = "8c895fd01eccb47a6225bcb1a3ba53cbb98644c5"
        malpedia_version = "20200817"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using yara-signator.
     * The code and documentation / approach is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { e8???????? 8bf0 85f6 746d 8b470c 25fffeffff }
            // n = 6, score = 8500
            //   e8????????           |                     
            //   8bf0                 | mov                 esi, eax
            //   85f6                 | test                esi, esi
            //   746d                 | je                  0x6f
            //   8b470c               | mov                 eax, dword ptr [edi + 0xc]
            //   25fffeffff           | and                 eax, 0xfffffeff

        $sequence_1 = { c3 53 8bda 56 8bf1 803b00 }
            // n = 6, score = 8500
            //   c3                   | ret                 
            //   53                   | push                ebx
            //   8bda                 | mov                 ebx, edx
            //   56                   | push                esi
            //   8bf1                 | mov                 esi, ecx
            //   803b00               | cmp                 byte ptr [ebx], 0

        $sequence_2 = { 895804 eb03 894608 8b3f 8bd8 85ff 75dc }
            // n = 7, score = 8500
            //   895804               | mov                 dword ptr [eax + 4], ebx
            //   eb03                 | jmp                 5
            //   894608               | mov                 dword ptr [esi + 8], eax
            //   8b3f                 | mov                 edi, dword ptr [edi]
            //   8bd8                 | mov                 ebx, eax
            //   85ff                 | test                edi, edi
            //   75dc                 | jne                 0xffffffde

        $sequence_3 = { e8???????? 8be8 85ed 7443 8b44240c 8bd5 57 }
            // n = 7, score = 8500
            //   e8????????           |                     
            //   8be8                 | mov                 ebp, eax
            //   85ed                 | test                ebp, ebp
            //   7443                 | je                  0x45
            //   8b44240c             | mov                 eax, dword ptr [esp + 0xc]
            //   8bd5                 | mov                 edx, ebp
            //   57                   | push                edi

        $sequence_4 = { 33db e8???????? 8be8 896c2410 85ed }
            // n = 5, score = 8500
            //   33db                 | xor                 ebx, ebx
            //   e8????????           |                     
            //   8be8                 | mov                 ebp, eax
            //   896c2410             | mov                 dword ptr [esp + 0x10], ebp
            //   85ed                 | test                ebp, ebp

        $sequence_5 = { e8???????? 8344241004 43 894500 8d6d04 3b5f04 }
            // n = 6, score = 8500
            //   e8????????           |                     
            //   8344241004           | add                 dword ptr [esp + 0x10], 4
            //   43                   | inc                 ebx
            //   894500               | mov                 dword ptr [ebp], eax
            //   8d6d04               | lea                 ebp, [ebp + 4]
            //   3b5f04               | cmp                 ebx, dword ptr [edi + 4]

        $sequence_6 = { 8bc2 33ed 89442410 894c240c 8a9f00010000 8abf01010000 }
            // n = 6, score = 8500
            //   8bc2                 | mov                 eax, edx
            //   33ed                 | xor                 ebp, ebp
            //   89442410             | mov                 dword ptr [esp + 0x10], eax
            //   894c240c             | mov                 dword ptr [esp + 0xc], ecx
            //   8a9f00010000         | mov                 bl, byte ptr [edi + 0x100]
            //   8abf01010000         | mov                 bh, byte ptr [edi + 0x101]

        $sequence_7 = { c1e204 3c30 7c09 3c39 7f05 83c2d0 eb18 }
            // n = 7, score = 8500
            //   c1e204               | shl                 edx, 4
            //   3c30                 | cmp                 al, 0x30
            //   7c09                 | jl                  0xb
            //   3c39                 | cmp                 al, 0x39
            //   7f05                 | jg                  7
            //   83c2d0               | add                 edx, -0x30
            //   eb18                 | jmp                 0x1a

        $sequence_8 = { e8???????? 8b5c2414 8bcf e8???????? 8b4c2418 e8???????? 8b4c241c }
            // n = 7, score = 8500
            //   e8????????           |                     
            //   8b5c2414             | mov                 ebx, dword ptr [esp + 0x14]
            //   8bcf                 | mov                 ecx, edi
            //   e8????????           |                     
            //   8b4c2418             | mov                 ecx, dword ptr [esp + 0x18]
            //   e8????????           |                     
            //   8b4c241c             | mov                 ecx, dword ptr [esp + 0x1c]

        $sequence_9 = { 21470c 8d4605 ebc1 6a04 }
            // n = 4, score = 8500
            //   21470c               | and                 dword ptr [edi + 0xc], eax
            //   8d4605               | lea                 eax, [esi + 5]
            //   ebc1                 | jmp                 0xffffffc3
            //   6a04                 | push                4

    condition:
        7 of them and filesize < 417792
}
Download all Yara Rules