SYMBOLCOMMON_NAMEaka. SYNONYMS
win.pandabanker (Back to overview)

PandaBanker

aka: ZeusPanda
URLhaus            

According to Arbor, Forcepoint and Proofpoint, Panda is a variant of the well-known Zeus banking trojan(*). Fox IT discovered it in February 2016.

This banking trojan uses the infamous ATS (Automatic Transfer System/Scripts) to automate online bank portal actions.

The baseconfig (c2, crypto material, botnet name, version) is embedded in the malware itself. It then obtains a dynamic config from the c2, with further information about how to grab the webinjects and additional modules, such as vnc, backsocks and grabber.

Panda does have some DGA implemented, but according to Arbor, a bug prevents it from using it.

References
2020-05-20Youtube (nonepizza)nonepizza
@online{nonepizza:20200520:pandabanker:da5cd3c, author = {nonepizza}, title = {{(PandaBanker Analysis) Fixing Corrupted PE Headers and Unmapping an Executable}}, date = {2020-05-20}, organization = {Youtube (nonepizza)}, url = {https://www.youtube.com/watch?v=J7VOfAJvxEY}, language = {English}, urldate = {2020-05-29} } (PandaBanker Analysis) Fixing Corrupted PE Headers and Unmapping an Executable
PandaBanker
2019-12-12FireEyeChi-en Shen, Oleg Bondarenko
@online{shen:20191212:cyber:e01baca, author = {Chi-en Shen and Oleg Bondarenko}, title = {{Cyber Threat Landscape in Japan – Revealing Threat in the Shadow}}, date = {2019-12-12}, organization = {FireEye}, url = {https://www.slideshare.net/codeblue_jp/cb19-cyber-threat-landscape-in-japan-revealing-threat-in-the-shadow-by-chi-en-shen-ashley-oleg-bondarenko}, language = {English}, urldate = {2020-04-16} } Cyber Threat Landscape in Japan – Revealing Threat in the Shadow
Cerberus TSCookie Cobalt Strike Dtrack Emotet Formbook IcedID Icefog IRONHALO Loki Password Stealer (PWS) PandaBanker PLEAD poisonplug TrickBot BlackTech
2018-10-09Github (JR0driguezB)JR0driguezB
@online{jr0driguezb:20181009:malware:89b0393, author = {JR0driguezB}, title = {{Malware Configs - Pandabanker}}, date = {2018-10-09}, organization = {Github (JR0driguezB)}, url = {https://github.com/JR0driguezB/malware_configs/tree/master/PandaBanker}, language = {English}, urldate = {2020-01-07} } Malware Configs - Pandabanker
PandaBanker
2018-08-20Vitali Kremez BlogVitali Kremez
@online{kremez:20180820:lets:d3f938c, author = {Vitali Kremez}, title = {{Let's Learn: Dissecting Panda Banker & Modules: Webinject, Grabber & Keylogger DLL Modules}}, date = {2018-08-20}, organization = {Vitali Kremez Blog}, url = {https://www.vkremez.com/2018/08/lets-learn-dissecting-panda-banker.html}, language = {English}, urldate = {2019-10-23} } Let's Learn: Dissecting Panda Banker & Modules: Webinject, Grabber & Keylogger DLL Modules
PandaBanker
2017-12-14ProofpointProofpoint Staff
@online{staff:20171214:zeus:27fa0fe, author = {Proofpoint Staff}, title = {{Zeus Panda Banking Trojan Targets Online Holiday Shoppers}}, date = {2017-12-14}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/zeus-panda-banking-trojan-targets-online-holiday-shoppers}, language = {English}, urldate = {2019-12-20} } Zeus Panda Banking Trojan Targets Online Holiday Shoppers
PandaBanker
2017-11-02TalosEdmund Brumaghin, Earl Carter, Emmanuel Tacheau
@online{brumaghin:20171102:poisoning:c00599d, author = {Edmund Brumaghin and Earl Carter and Emmanuel Tacheau}, title = {{Poisoning the Well: Banking Trojan Targets Google Search Results}}, date = {2017-11-02}, organization = {Talos}, url = {http://blog.talosintelligence.com/2017/11/zeus-panda-campaign.html}, language = {English}, urldate = {2019-11-21} } Poisoning the Well: Banking Trojan Targets Google Search Results
PandaBanker
2017-06-22G DataLuca Ebach
@techreport{ebach:20170622:analysis:25ecd34, author = {Luca Ebach}, title = {{Analysis Results of Zeus.Variant.Panda}}, date = {2017-06-22}, institution = {G Data}, url = {https://cyberwtf.files.wordpress.com/2017/07/panda-whitepaper.pdf}, language = {English}, urldate = {2019-12-02} } Analysis Results of Zeus.Variant.Panda
PandaBanker
2017-03-13Manuel K.-B.
@online{kb:20170313:zeus:9a4fbcd, author = {Manuel K.-B.}, title = {{Zeus Panda Webinjects: Don’t trust your eyes}}, date = {2017-03-13}, url = {https://cyber.wtf/2017/03/13/zeus-panda-webinjects-dont-trust-your-eyes/}, language = {English}, urldate = {2020-01-13} } Zeus Panda Webinjects: Don’t trust your eyes
PandaBanker
2017-02-03Manuel K.-B.
@online{kb:20170203:zeus:02a798a, author = {Manuel K.-B.}, title = {{Zeus Panda Webinjects: a case study}}, date = {2017-02-03}, url = {https://cyber.wtf/2017/02/03/zeus-panda-webinjects-a-case-study/}, language = {English}, urldate = {2019-11-22} } Zeus Panda Webinjects: a case study
PandaBanker
Yara Rules
[TLP:WHITE] win_pandabanker_auto (20201014 | autogenerated rule brought to you by yara-signator)
rule win_pandabanker_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-10-14"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.5.0"
        tool_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.pandabanker"
        malpedia_rule_date = "20201014"
        malpedia_hash = "a7e3bd57eaf12bf3ea29a863c041091ba3af9ac9"
        malpedia_version = "20201014"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 8b442404 53 8bd9 56 8bf2 57 }
            // n = 6, score = 8500
            //   8b442404             | mov                 eax, dword ptr [esp + 4]
            //   53                   | push                ebx
            //   8bd9                 | mov                 ebx, ecx
            //   56                   | push                esi
            //   8bf2                 | mov                 esi, edx
            //   57                   | push                edi

        $sequence_1 = { 85c0 7411 45 83c304 3b6f18 72de }
            // n = 6, score = 8500
            //   85c0                 | test                eax, eax
            //   7411                 | je                  0x13
            //   45                   | inc                 ebp
            //   83c304               | add                 ebx, 4
            //   3b6f18               | cmp                 ebp, dword ptr [edi + 0x18]
            //   72de                 | jb                  0xffffffe0

        $sequence_2 = { 8bf9 8d8df4fdffff 8bd7 8d5e2c 53 }
            // n = 5, score = 8500
            //   8bf9                 | mov                 edi, ecx
            //   8d8df4fdffff         | lea                 ecx, [ebp - 0x20c]
            //   8bd7                 | mov                 edx, edi
            //   8d5e2c               | lea                 ebx, [esi + 0x2c]
            //   53                   | push                ebx

        $sequence_3 = { 6a00 ff742434 893c08 8b4c2424 e8???????? }
            // n = 5, score = 8500
            //   6a00                 | push                0
            //   ff742434             | push                dword ptr [esp + 0x34]
            //   893c08               | mov                 dword ptr [eax + ecx], edi
            //   8b4c2424             | mov                 ecx, dword ptr [esp + 0x24]
            //   e8????????           |                     

        $sequence_4 = { 8be9 56 57 33ff 896c2414 8b7508 8bdf }
            // n = 7, score = 8500
            //   8be9                 | mov                 ebp, ecx
            //   56                   | push                esi
            //   57                   | push                edi
            //   33ff                 | xor                 edi, edi
            //   896c2414             | mov                 dword ptr [esp + 0x14], ebp
            //   8b7508               | mov                 esi, dword ptr [ebp + 8]
            //   8bdf                 | mov                 ebx, edi

        $sequence_5 = { 8d7808 6a08 03fd 8bca }
            // n = 4, score = 8500
            //   8d7808               | lea                 edi, [eax + 8]
            //   6a08                 | push                8
            //   03fd                 | add                 edi, ebp
            //   8bca                 | mov                 ecx, edx

        $sequence_6 = { 8bce 50 e8???????? 8b7c2424 84c0 744e ff742428 }
            // n = 7, score = 8500
            //   8bce                 | mov                 ecx, esi
            //   50                   | push                eax
            //   e8????????           |                     
            //   8b7c2424             | mov                 edi, dword ptr [esp + 0x24]
            //   84c0                 | test                al, al
            //   744e                 | je                  0x50
            //   ff742428             | push                dword ptr [esp + 0x28]

        $sequence_7 = { 85c0 8a442416 7410 8a4c2417 fec1 884c2417 }
            // n = 6, score = 8500
            //   85c0                 | test                eax, eax
            //   8a442416             | mov                 al, byte ptr [esp + 0x16]
            //   7410                 | je                  0x12
            //   8a4c2417             | mov                 cl, byte ptr [esp + 0x17]
            //   fec1                 | inc                 cl
            //   884c2417             | mov                 byte ptr [esp + 0x17], cl

        $sequence_8 = { e8???????? 8d4dec 8933 8bf8 }
            // n = 4, score = 8500
            //   e8????????           |                     
            //   8d4dec               | lea                 ecx, [ebp - 0x14]
            //   8933                 | mov                 dword ptr [ebx], esi
            //   8bf8                 | mov                 edi, eax

        $sequence_9 = { 3c5c 7404 33c0 eb03 }
            // n = 4, score = 8500
            //   3c5c                 | cmp                 al, 0x5c
            //   7404                 | je                  6
            //   33c0                 | xor                 eax, eax
            //   eb03                 | jmp                 5

    condition:
        7 of them and filesize < 417792
}
Download all Yara Rules