win.pandabanker

PandaBanker

aka: ZeusPanda

According to Arbor, Forcepoint and Proofpoint, Panda is a variant of the well-known Zeus banking trojan. Fox-IT discovered it in February 2016.

This banking trojan uses the infamous ATS (Automatic Transfer System) scripts, delivered through its webinjects, to automate actions in the victim's online banking portal from inside the authenticated session.

The base config (C2 addresses, crypto material, botnet name, version) is embedded in the malware itself. The bot then fetches a dynamic config from the C2, which tells it where to obtain the webinjects and which additional modules to load, such as VNC, backsocks and grabber.

Panda does have a DGA implemented, but according to Arbor a bug prevents it from ever being used.

References
2020-05-20 | Youtube (nonepizza) | nonepizza
(PandaBanker Analysis) Fixing Corrupted PE Headers and Unmapping an Executable
@online{nonepizza:20200520:pandabanker:da5cd3c, author = {nonepizza}, title = {{(PandaBanker Analysis) Fixing Corrupted PE Headers and Unmapping an Executable}}, date = {2020-05-20}, organization = {Youtube (nonepizza)}, url = {https://www.youtube.com/watch?v=J7VOfAJvxEY}, language = {English}, urldate = {2020-05-29} }
Families: PandaBanker

2019-12-12 | FireEye | Chi-en Shen, Oleg Bondarenko
Cyber Threat Landscape in Japan – Revealing Threat in the Shadow
@online{shen:20191212:cyber:e01baca, author = {Chi-en Shen and Oleg Bondarenko}, title = {{Cyber Threat Landscape in Japan – Revealing Threat in the Shadow}}, date = {2019-12-12}, organization = {FireEye}, url = {https://www.slideshare.net/codeblue_jp/cb19-cyber-threat-landscape-in-japan-revealing-threat-in-the-shadow-by-chi-en-shen-ashley-oleg-bondarenko}, language = {English}, urldate = {2020-04-16} }
Families: Cerberus, TSCookie, Cobalt Strike, Dtrack, Emotet, Formbook, IcedID, Icefog, IRONHALO, Loki Password Stealer (PWS), PandaBanker, PLEAD, poisonplug, TrickBot, BlackTech

2018-10-09 | Github (JR0driguezB) | JR0driguezB
Malware Configs - Pandabanker
@online{jr0driguezb:20181009:malware:89b0393, author = {JR0driguezB}, title = {{Malware Configs - Pandabanker}}, date = {2018-10-09}, organization = {Github (JR0driguezB)}, url = {https://github.com/JR0driguezB/malware_configs/tree/master/PandaBanker}, language = {English}, urldate = {2020-01-07} }
Families: PandaBanker

2018-08-20 | Vitali Kremez Blog | Vitali Kremez
Let's Learn: Dissecting Panda Banker & Modules: Webinject, Grabber & Keylogger DLL Modules
@online{kremez:20180820:lets:d3f938c, author = {Vitali Kremez}, title = {{Let's Learn: Dissecting Panda Banker & Modules: Webinject, Grabber & Keylogger DLL Modules}}, date = {2018-08-20}, organization = {Vitali Kremez Blog}, url = {https://www.vkremez.com/2018/08/lets-learn-dissecting-panda-banker.html}, language = {English}, urldate = {2019-10-23} }
Families: PandaBanker

2017-12-14 | Proofpoint | Proofpoint Staff
Zeus Panda Banking Trojan Targets Online Holiday Shoppers
@online{staff:20171214:zeus:27fa0fe, author = {Proofpoint Staff}, title = {{Zeus Panda Banking Trojan Targets Online Holiday Shoppers}}, date = {2017-12-14}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/zeus-panda-banking-trojan-targets-online-holiday-shoppers}, language = {English}, urldate = {2019-12-20} }
Families: PandaBanker

2017-11-02 | Talos | Edmund Brumaghin, Earl Carter, Emmanuel Tacheau
Poisoning the Well: Banking Trojan Targets Google Search Results
@online{brumaghin:20171102:poisoning:c00599d, author = {Edmund Brumaghin and Earl Carter and Emmanuel Tacheau}, title = {{Poisoning the Well: Banking Trojan Targets Google Search Results}}, date = {2017-11-02}, organization = {Talos}, url = {http://blog.talosintelligence.com/2017/11/zeus-panda-campaign.html}, language = {English}, urldate = {2019-11-21} }
Families: PandaBanker

2017-06-22 | G Data | Luca Ebach
Analysis Results of Zeus.Variant.Panda
@techreport{ebach:20170622:analysis:25ecd34, author = {Luca Ebach}, title = {{Analysis Results of Zeus.Variant.Panda}}, date = {2017-06-22}, institution = {G Data}, url = {https://cyberwtf.files.wordpress.com/2017/07/panda-whitepaper.pdf}, language = {English}, urldate = {2019-12-02} }
Families: PandaBanker

2017-03-13 | Manuel K.-B.
Zeus Panda Webinjects: Don’t trust your eyes
@online{kb:20170313:zeus:9a4fbcd, author = {Manuel K.-B.}, title = {{Zeus Panda Webinjects: Don’t trust your eyes}}, date = {2017-03-13}, url = {https://cyber.wtf/2017/03/13/zeus-panda-webinjects-dont-trust-your-eyes/}, language = {English}, urldate = {2020-01-13} }
Families: PandaBanker

2017-02-03 | Manuel K.-B.
Zeus Panda Webinjects: a case study
@online{kb:20170203:zeus:02a798a, author = {Manuel K.-B.}, title = {{Zeus Panda Webinjects: a case study}}, date = {2017-02-03}, url = {https://cyber.wtf/2017/02/03/zeus-panda-webinjects-a-case-study/}, language = {English}, urldate = {2019-11-22} }
Families: PandaBanker
Yara Rules
[TLP:WHITE] win_pandabanker_auto (20200529 | autogenerated rule brought to you by yara-signator)
rule win_pandabanker_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-05-30"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.4.0"
        tool_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.pandabanker"
        malpedia_rule_date = "20200529"
        malpedia_hash = "92c362319514e5a6da26204961446caa3a8b32a8"
        malpedia_version = "20200529"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using yara-signator.
     * The code and documentation / approach is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { d0c2 32ca d0c2 32ca d0c2 8ac2 }
            // n = 6, score = 8700
            //   d0c2                 | rol                 dl, 1
            //   32ca                 | xor                 cl, dl
            //   d0c2                 | rol                 dl, 1
            //   32ca                 | xor                 cl, dl
            //   d0c2                 | rol                 dl, 1
            //   8ac2                 | mov                 al, dl

        $sequence_1 = { 2bc1 3be8 0f8c3fffffff 8bd3 }
            // n = 4, score = 8700
            //   2bc1                 | sub                 eax, ecx
            //   3be8                 | cmp                 ebp, eax
            //   0f8c3fffffff         | jl                  0xffffff45
            //   8bd3                 | mov                 edx, ebx

        $sequence_2 = { 8b06 8bcb 2b4f04 8d7604 03ca }
            // n = 5, score = 8700
            //   8b06                 | mov                 eax, dword ptr [esi]
            //   8bcb                 | mov                 ecx, ebx
            //   2b4f04               | sub                 ecx, dword ptr [edi + 4]
            //   8d7604               | lea                 esi, [esi + 4]
            //   03ca                 | add                 ecx, edx

        $sequence_3 = { 41 84c0 75f9 2bce 5e 8d040a }
            // n = 6, score = 8700
            //   41                   | inc                 ecx
            //   84c0                 | test                al, al
            //   75f9                 | jne                 0xfffffffb
            //   2bce                 | sub                 ecx, esi
            //   5e                   | pop                 esi
            //   8d040a               | lea                 eax, [edx + ecx]

        $sequence_4 = { 57 8ac1 80e10f c0e804 }
            // n = 4, score = 8700
            //   57                   | push                edi
            //   8ac1                 | mov                 al, cl
            //   80e10f               | and                 cl, 0xf
            //   c0e804               | shr                 al, 4

        $sequence_5 = { 42 89848f1c020000 3b5704 7ce7 8b4f04 8be9 }
            // n = 6, score = 8700
            //   42                   | inc                 edx
            //   89848f1c020000       | mov                 dword ptr [edi + ecx*4 + 0x21c], eax
            //   3b5704               | cmp                 edx, dword ptr [edi + 4]
            //   7ce7                 | jl                  0xffffffe9
            //   8b4f04               | mov                 ecx, dword ptr [edi + 4]
            //   8be9                 | mov                 ebp, ecx

        $sequence_6 = { 03c6 8b44873c 3342fc 41 8902 83c204 }
            // n = 6, score = 8700
            //   03c6                 | add                 eax, esi
            //   8b44873c             | mov                 eax, dword ptr [edi + eax*4 + 0x3c]
            //   3342fc               | xor                 eax, dword ptr [edx - 4]
            //   41                   | inc                 ecx
            //   8902                 | mov                 dword ptr [edx], eax
            //   83c204               | add                 edx, 4

        $sequence_7 = { e8???????? 83c410 83c605 eb22 c6065c eb1c }
            // n = 6, score = 8700
            //   e8????????           |                     
            //   83c410               | add                 esp, 0x10
            //   83c605               | add                 esi, 5
            //   eb22                 | jmp                 0x24
            //   c6065c               | mov                 byte ptr [esi], 0x5c
            //   eb1c                 | jmp                 0x1e

        $sequence_8 = { 83c8ff c3 53 8b5c2408 32c0 56 57 }
            // n = 7, score = 7800
            //   83c8ff               | or                  eax, 0xffffffff
            //   c3                   | ret                 
            //   53                   | push                ebx
            //   8b5c2408             | mov                 ebx, dword ptr [esp + 8]
            //   32c0                 | xor                 al, al
            //   56                   | push                esi
            //   57                   | push                edi

        $sequence_9 = { eb05 83caff 8bc2 8be5 5d }
            // n = 5, score = 6300
            //   eb05                 | jmp                 7
            //   83caff               | or                  edx, 0xffffffff
            //   8bc2                 | mov                 eax, edx
            //   8be5                 | mov                 esp, ebp
            //   5d                   | pop                 ebp

        $sequence_10 = { 6a03 57 6a01 58 6a07 }
            // n = 5, score = 4000
            //   6a03                 | push                3
            //   57                   | push                edi
            //   6a01                 | push                1
            //   58                   | pop                 eax
            //   6a07                 | push                7

        $sequence_11 = { 56 0f95c3 ff15???????? 56 }
            // n = 4, score = 2400
            //   56                   | push                esi
            //   0f95c3               | setne               bl
            //   ff15????????         |                     
            //   56                   | push                esi

        $sequence_12 = { 56 53 ff15???????? c64433ff00 }
            // n = 4, score = 2400
            //   56                   | push                esi
            //   53                   | push                ebx
            //   ff15????????         |                     
            //   c64433ff00           | mov                 byte ptr [ebx + esi - 1], 0

        $sequence_13 = { 8ac3 5b 59 c20400 55 8bec 51 }
            // n = 7, score = 2400
            //   8ac3                 | mov                 al, bl
            //   5b                   | pop                 ebx
            //   59                   | pop                 ecx
            //   c20400               | ret                 4
            //   55                   | push                ebp
            //   8bec                 | mov                 ebp, esp
            //   51                   | push                ecx

        $sequence_14 = { 5e c3 53 8b5c240c 32c0 }
            // n = 5, score = 2400
            //   5e                   | pop                 esi
            //   c3                   | ret                 
            //   53                   | push                ebx
            //   8b5c240c             | mov                 ebx, dword ptr [esp + 0xc]
            //   32c0                 | xor                 al, al

        $sequence_15 = { 53 56 8b7508 0f57c0 57 6a00 0f1145f0 }
            // n = 7, score = 1300
            //   53                   | push                ebx
            //   56                   | push                esi
            //   8b7508               | mov                 esi, dword ptr [ebp + 8]
            //   0f57c0               | xorps               xmm0, xmm0
            //   57                   | push                edi
            //   6a00                 | push                0
            //   0f1145f0             | movups              xmmword ptr [ebp - 0x10], xmm0

        $sequence_16 = { 57 8945ec 7518 f605????????01 740f }
            // n = 5, score = 1300
            //   57                   | push                edi
            //   8945ec               | mov                 dword ptr [ebp - 0x14], eax
            //   7518                 | jne                 0x1a
            //   f605????????01       |                     
            //   740f                 | je                  0x11

        $sequence_17 = { 99 898508fcffff 8b4704 89950cfcffff 99 }
            // n = 5, score = 1300
            //   99                   | cdq                 
            //   898508fcffff         | mov                 dword ptr [ebp - 0x3f8], eax
            //   8b4704               | mov                 eax, dword ptr [edi + 4]
            //   89950cfcffff         | mov                 dword ptr [ebp - 0x3f4], edx
            //   99                   | cdq                 

        $sequence_18 = { 81c304010000 e8???????? 53 e8???????? }
            // n = 4, score = 1300
            //   81c304010000         | add                 ebx, 0x104
            //   e8????????           |                     
            //   53                   | push                ebx
            //   e8????????           |                     

        $sequence_19 = { 83ec14 53 8b5d0c 56 57 8b733c 03f3 }
            // n = 7, score = 1300
            //   83ec14               | sub                 esp, 0x14
            //   53                   | push                ebx
            //   8b5d0c               | mov                 ebx, dword ptr [ebp + 0xc]
            //   56                   | push                esi
            //   57                   | push                edi
            //   8b733c               | mov                 esi, dword ptr [ebx + 0x3c]
            //   03f3                 | add                 esi, ebx

        $sequence_20 = { 7517 f605????????01 740e 8b4508 ff30 53 }
            // n = 6, score = 1300
            //   7517                 | jne                 0x19
            //   f605????????01       |                     
            //   740e                 | je                  0x10
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   ff30                 | push                dword ptr [eax]
            //   53                   | push                ebx

        $sequence_21 = { c3 55 8bec 83ec0c 6a40 33c9 }
            // n = 6, score = 1300
            //   c3                   | ret                 
            //   55                   | push                ebp
            //   8bec                 | mov                 ebp, esp
            //   83ec0c               | sub                 esp, 0xc
            //   6a40                 | push                0x40
            //   33c9                 | xor                 ecx, ecx

        $sequence_22 = { 55 8bec 81ecd0020000 56 57 68c8020000 33f6 }
            // n = 7, score = 1300
            //   55                   | push                ebp
            //   8bec                 | mov                 ebp, esp
            //   81ecd0020000         | sub                 esp, 0x2d0
            //   56                   | push                esi
            //   57                   | push                edi
            //   68c8020000           | push                0x2c8
            //   33f6                 | xor                 esi, esi

        $sequence_23 = { 8b450c 5f 5e 5b 5d c20c00 837c240801 }
            // n = 7, score = 400
            //   8b450c               | mov                 eax, dword ptr [ebp + 0xc]
            //   5f                   | pop                 edi
            //   5e                   | pop                 esi
            //   5b                   | pop                 ebx
            //   5d                   | pop                 ebp
            //   c20c00               | ret                 0xc
            //   837c240801           | cmp                 dword ptr [esp + 8], 1

        $sequence_24 = { c20c00 837c240801 7513 833d????????00 }
            // n = 4, score = 400
            //   c20c00               | ret                 0xc
            //   837c240801           | cmp                 dword ptr [esp + 8], 1
            //   7513                 | jne                 0x15
            //   833d????????00       |                     

        $sequence_25 = { 8325????????00 59 56 ff15???????? }
            // n = 4, score = 300
            //   8325????????00       |                     
            //   59                   | pop                 ecx
            //   56                   | push                esi
            //   ff15????????         |                     

        $sequence_26 = { c3 56 be???????? 56 ff15???????? ff35???????? }
            // n = 6, score = 300
            //   c3                   | ret                 
            //   56                   | push                esi
            //   be????????           |                     
            //   56                   | push                esi
            //   ff15????????         |                     
            //   ff35????????         |                     

        $sequence_27 = { c3 55 8bec 53 56 bb???????? 53 }
            // n = 7, score = 300
            //   c3                   | ret                 
            //   55                   | push                ebp
            //   8bec                 | mov                 ebp, esp
            //   53                   | push                ebx
            //   56                   | push                esi
            //   bb????????           |                     
            //   53                   | push                ebx

        $sequence_28 = { ffd6 894590 397df8 0f84c9030000 397db0 }
            // n = 5, score = 200
            //   ffd6                 | call                esi
            //   894590               | mov                 dword ptr [ebp - 0x70], eax
            //   397df8               | cmp                 dword ptr [ebp - 8], edi
            //   0f84c9030000         | je                  0x3cf
            //   397db0               | cmp                 dword ptr [ebp - 0x50], edi

        $sequence_29 = { ff35???????? ff15???????? 830d????????ff 56 ff15???????? 5e c3 }
            // n = 7, score = 200
            //   ff35????????         |                     
            //   ff15????????         |                     
            //   830d????????ff       |                     
            //   56                   | push                esi
            //   ff15????????         |                     
            //   5e                   | pop                 esi
            //   c3                   | ret                 

    condition:
        7 of them and filesize < 417792
}
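The rule above is a list of hex byte sequences plus the condition `7 of them and filesize < 417792`. The following Python is an added example, not part of the Malpedia page and not yara-signator's code: it re-implements that condition for the ten highest-scoring sequences (the other twenty are omitted for length, so "7 of them" is counted over ten strings here instead of thirty), translating each YARA hex string with `??` wildcards into a bytes regex and evaluating the match count and the size bound over constructed buffers. The buffers are assembled from the sequence bytes themselves with zero padding and are not PandaBanker samples. For real scanning use YARA itself; the point here is to make explicit what the condition checks, in particular that a scanned file at or above the `filesize` bound can never match even when every sequence is present.

```python
import re

# Ten of the thirty hex strings from win_pandabanker_auto above (the highest-
# scoring ones). '??' is YARA's single-byte wildcard. The remaining twenty are
# left out for length, so REQUIRED is checked against ten strings here, not
# thirty as in the real rule.
SEQUENCES = {
    "sequence_0": "d0c2 32ca d0c2 32ca d0c2 8ac2",
    "sequence_1": "2bc1 3be8 0f8c3fffffff 8bd3",
    "sequence_2": "8b06 8bcb 2b4f04 8d7604 03ca",
    "sequence_3": "41 84c0 75f9 2bce 5e 8d040a",
    "sequence_4": "57 8ac1 80e10f c0e804",
    "sequence_5": "42 89848f1c020000 3b5704 7ce7 8b4f04 8be9",
    "sequence_6": "03c6 8b44873c 3342fc 41 8902 83c204",
    "sequence_7": "e8???????? 83c410 83c605 eb22 c6065c eb1c",
    "sequence_8": "83c8ff c3 53 8b5c2408 32c0 56 57",
    "sequence_9": "eb05 83caff 8bc2 8be5 5d",
}
REQUIRED = 7               # "7 of them"
FILESIZE_LIMIT = 417792    # "filesize < 417792"


def _pairs(pattern: str):
    """Split 'd0c2 32ca ??' into two-character tokens, validating the length."""
    tokens = pattern.replace(" ", "")
    if len(tokens) % 2:
        raise ValueError(f"odd-length hex pattern: {pattern!r}")
    return [tokens[i:i + 2] for i in range(0, len(tokens), 2)]


def hex_pattern_to_regex(pattern: str) -> "re.Pattern":
    """Translate a YARA hex string (with '??' wildcards) into a bytes regex."""
    parts = []
    for pair in _pairs(pattern):
        if pair == "??":
            parts.append(b".")                      # any single byte
        else:
            parts.append(re.escape(bytes([int(pair, 16)])))
    # DOTALL so '.' also matches 0x0a: we are matching raw bytes, not text lines.
    return re.compile(b"".join(parts), re.DOTALL)


COMPILED = {name: hex_pattern_to_regex(p) for name, p in SEQUENCES.items()}


def evaluate(data: bytes):
    """Mimic the rule condition over an in-memory buffer.

    Returns (names of matching sequences, condition result). YARA's `filesize`
    is the size of the scanned file, so the buffer length stands in for it.
    """
    hits = [name for name, rx in COMPILED.items() if rx.search(data)]
    return hits, len(hits) >= REQUIRED and len(data) < FILESIZE_LIMIT


def bytes_for(pattern: str, wildcard: int = 0x90) -> bytes:
    """Instantiate a hex pattern as concrete bytes, filling '??' with `wildcard`."""
    return bytes(wildcard if pair == "??" else int(pair, 16) for pair in _pairs(pattern))


# Constructed buffers (not PandaBanker samples): zero padding around concrete
# instances of the first N sequences, in dictionary order.
PAD = b"\x00" * 64
NAMES = list(SEQUENCES)
HIT_BUFFER = PAD + PAD.join(bytes_for(SEQUENCES[n]) for n in NAMES[:8]) + PAD   # 8 strings present
MISS_BUFFER = PAD + PAD.join(bytes_for(SEQUENCES[n]) for n in NAMES[:5]) + PAD  # only 5 present
# Same content as HIT_BUFFER, padded past the filesize bound: every sequence is
# still found, but the condition fails, as it would for an oversized dump.
BIG_BUFFER = HIT_BUFFER + b"\x00" * FILESIZE_LIMIT

if __name__ == "__main__":
    for label, buf in (("hit", HIT_BUFFER), ("miss", MISS_BUFFER), ("big", BIG_BUFFER)):
        hits, ok = evaluate(buf)
        print(f"{label}: {len(hits)} sequences, {len(buf)} bytes -> match={ok}")
```

Two practical consequences follow from the rule's own disclaimer and condition: the sequences were selected from unpacked memory dumps, so run the rule against dumped or unpacked module images rather than the packed dropper, and carve the module out of a full process dump first, since a multi-megabyte dump fails the `filesize` test regardless of its contents.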