win.pandabanker

PandaBanker

aka: ZeusPanda

According to Arbor, Forcepoint and Proofpoint, Panda is a variant of the well-known Zeus banking trojan. Fox-IT discovered it in February 2016.

The trojan uses ATS (Automatic Transfer System) scripts, delivered through its webinjects, to automate actions in the victim's online banking session.

The base config (C2 addresses, crypto material, botnet name, version) is embedded in the malware itself. The bot then fetches a dynamic config from the C2, which tells it where to obtain the webinjects and which additional modules to load, such as VNC, backsocks (a back-connect SOCKS proxy) and grabber.

Panda has a DGA implemented, but according to Arbor a bug prevents it from ever being used.

References
https://github.com/JR0driguezB/malware_configs/tree/master/PandaBanker
https://cyber.wtf/2017/02/03/zeus-panda-webinjects-a-case-study/
https://www.proofpoint.com/us/threat-insight/post/zeus-panda-banking-trojan-targets-online-holiday-shoppers
https://www.proofpoint.com/tw/threat-insight/post/panda-banker-new-banking-trojan-hits-the-market
https://f5.com/labs/articles/threat-intelligence/malware/panda-malware-broadens-targets-to-cryptocurrency-exchanges-and-social-media
https://www.arbornetworks.com/blog/asert/panda-bankers-future-dga/
https://www.spamhaus.org/news/article/771/
https://www.vkremez.com/2018/08/lets-learn-dissecting-panda-banker.html
http://blog.talosintelligence.com/2017/11/zeus-panda-campaign.html
https://blogs.forcepoint.com/security-labs/zeus-panda-delivered-sundown-targets-uk-banks
https://www.arbornetworks.com/blog/asert/panda-banker-zeros-in-on-japanese-targets/
https://cyberwtf.files.wordpress.com/2017/07/panda-whitepaper.pdf
https://www.arbornetworks.com/blog/asert/let-pandas-zeus-zeus-zeus-zeus/
http://www.vkremez.com/2018/01/lets-learn-dissect-panda-banking.html
https://cyber.wtf/2017/03/13/zeus-panda-webinjects-dont-trust-your-eyes/
Yara Rules
[TLP:WHITE] win_pandabanker_auto (20190620 | autogenerated rule brought to you by yara-signator)
rule win_pandabanker_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2019-07-05"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator 0.2a"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.pandabanker"
        malpedia_version = "20190620"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using yara-signator.
     * The code and documentation / approach is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    strings:
        $sequence_0 = { 40 85ed 74?? c60020 40 }
            // n = 5, score = 8600
            //   40                   | inc                 eax
            //   85ed                 | test                ebp, ebp
            //   74??                 |                     
            //   c60020               | mov                 byte ptr [eax], 0x20
            //   40                   | inc                 eax

        $sequence_1 = { 0f8????????? 33d2 395704 7e?? 8d773c 8b06 8bcb }
            // n = 7, score = 8600
            //   0f8?????????         |                     
            //   33d2                 | xor                 edx, edx
            //   395704               | cmp                 dword ptr [edi + 4], edx
            //   7e??                 |                     
            //   8d773c               | lea                 esi, [edi + 0x3c]
            //   8b06                 | mov                 eax, dword ptr [esi]
            //   8bcb                 | mov                 ecx, ebx

        $sequence_2 = { c60722 8d7701 eb?? 8a03 }
            // n = 4, score = 8600
            //   c60722               | mov                 byte ptr [edi], 0x22
            //   8d7701               | lea                 esi, [edi + 1]
            //   eb??                 |                     
            //   8a03                 | mov                 al, byte ptr [ebx]

        $sequence_3 = { 8b06 2bcb 03ca 8d7604 }
            // n = 4, score = 8600
            //   8b06                 | mov                 eax, dword ptr [esi]
            //   2bcb                 | sub                 ecx, ebx
            //   03ca                 | add                 ecx, edx
            //   8d7604               | lea                 esi, [esi + 4]

        $sequence_4 = { 83c720 eb?? 0fbefb 3bf7 }
            // n = 4, score = 8600
            //   83c720               | add                 edi, 0x20
            //   eb??                 |                     
            //   0fbefb               | movsx               edi, bl
            //   3bf7                 | cmp                 esi, edi

        $sequence_5 = { eb?? 8d5740 8d14b2 8d0431 3bc3 }
            // n = 5, score = 8600
            //   eb??                 |                     
            //   8d5740               | lea                 edx, [edi + 0x40]
            //   8d14b2               | lea                 edx, [edx + esi*4]
            //   8d0431               | lea                 eax, [ecx + esi]
            //   3bc3                 | cmp                 eax, ebx

        $sequence_6 = { 2b4f04 8d7604 03ca 42 89848f1c020000 3b5704 7c?? }
            // n = 7, score = 8600
            //   2b4f04               | sub                 ecx, dword ptr [edi + 4]
            //   8d7604               | lea                 esi, [esi + 4]
            //   03ca                 | add                 ecx, edx
            //   42                   | inc                 edx
            //   89848f1c020000       | mov                 dword ptr [edi + ecx*4 + 0x21c], eax
            //   3b5704               | cmp                 edx, dword ptr [edi + 4]
            //   7c??                 |                     

        $sequence_7 = { c6065c 46 8a03 43 0fb6c8 8bc1 }
            // n = 6, score = 8600
            //   c6065c               | mov                 byte ptr [esi], 0x5c
            //   46                   | inc                 esi
            //   8a03                 | mov                 al, byte ptr [ebx]
            //   43                   | inc                 ebx
            //   0fb6c8               | movzx               ecx, al
            //   8bc1                 | mov                 eax, ecx

        $sequence_8 = { c3 53 8b5c2408 32c0 56 57 }
            // n = 6, score = 7700
            //   c3                   | ret                 
            //   53                   | push                ebx
            //   8b5c2408             | mov                 ebx, dword ptr [esp + 8]
            //   32c0                 | xor                 al, al
            //   56                   | push                esi
            //   57                   | push                edi

        $sequence_9 = { 53 8b5c2408 32c0 56 57 }
            // n = 5, score = 7700
            //   53                   | push                ebx
            //   8b5c2408             | mov                 ebx, dword ptr [esp + 8]
            //   32c0                 | xor                 al, al
            //   56                   | push                esi
            //   57                   | push                edi

        $sequence_10 = { 8b5c2408 32c0 56 57 }
            // n = 4, score = 7700
            //   8b5c2408             | mov                 ebx, dword ptr [esp + 8]
            //   32c0                 | xor                 al, al
            //   56                   | push                esi
            //   57                   | push                edi

        $sequence_11 = { c3 53 8b5c2408 32c0 }
            // n = 4, score = 7700
            //   c3                   | ret                 
            //   53                   | push                ebx
            //   8b5c2408             | mov                 ebx, dword ptr [esp + 8]
            //   32c0                 | xor                 al, al

        $sequence_12 = { 83c8ff c3 53 8b5c2408 32c0 56 57 }
            // n = 7, score = 7700
            //   83c8ff               | or                  eax, 0xffffffff
            //   c3                   | ret                 
            //   53                   | push                ebx
            //   8b5c2408             | mov                 ebx, dword ptr [esp + 8]
            //   32c0                 | xor                 al, al
            //   56                   | push                esi
            //   57                   | push                edi

        $sequence_13 = { c3 53 8b5c2408 32c0 56 }
            // n = 5, score = 7700
            //   c3                   | ret                 
            //   53                   | push                ebx
            //   8b5c2408             | mov                 ebx, dword ptr [esp + 8]
            //   32c0                 | xor                 al, al
            //   56                   | push                esi

        $sequence_14 = { 53 8b5c2408 32c0 56 }
            // n = 4, score = 7700
            //   53                   | push                ebx
            //   8b5c2408             | mov                 ebx, dword ptr [esp + 8]
            //   32c0                 | xor                 al, al
            //   56                   | push                esi

        $sequence_15 = { 8d45f8 8975fc 50 8d45fc 8975f8 }
            // n = 5, score = 5000
            //   8d45f8               | lea                 eax, [ebp - 8]
            //   8975fc               | mov                 dword ptr [ebp - 4], esi
            //   50                   | push                eax
            //   8d45fc               | lea                 eax, [ebp - 4]
            //   8975f8               | mov                 dword ptr [ebp - 8], esi

        $sequence_16 = { 8975fc 50 8d45fc 8975f8 50 }
            // n = 5, score = 5000
            //   8975fc               | mov                 dword ptr [ebp - 4], esi
            //   50                   | push                eax
            //   8d45fc               | lea                 eax, [ebp - 4]
            //   8975f8               | mov                 dword ptr [ebp - 8], esi
            //   50                   | push                eax

        $sequence_17 = { 8975fc 50 8d45fc 8975f8 }
            // n = 4, score = 5000
            //   8975fc               | mov                 dword ptr [ebp - 4], esi
            //   50                   | push                eax
            //   8d45fc               | lea                 eax, [ebp - 4]
            //   8975f8               | mov                 dword ptr [ebp - 8], esi

        $sequence_18 = { 8d45f8 8975fc 50 8d45fc 8975f8 50 }
            // n = 6, score = 5000
            //   8d45f8               | lea                 eax, [ebp - 8]
            //   8975fc               | mov                 dword ptr [ebp - 4], esi
            //   50                   | push                eax
            //   8d45fc               | lea                 eax, [ebp - 4]
            //   8975f8               | mov                 dword ptr [ebp - 8], esi
            //   50                   | push                eax

        $sequence_19 = { 56 0f95c3 ff15???????? 56 }
            // n = 4, score = 2400
            //   56                   | push                esi
            //   0f95c3               | setne               bl
            //   ff15????????         |                     
            //   56                   | push                esi

        $sequence_20 = { 56 0f95c3 ff15???????? 56 ff15???????? }
            // n = 5, score = 2400
            //   56                   | push                esi
            //   0f95c3               | setne               bl
            //   ff15????????         |                     
            //   56                   | push                esi
            //   ff15????????         |                     

        $sequence_21 = { 0f95c3 ff15???????? 56 ff15???????? }
            // n = 4, score = 2400
            //   0f95c3               | setne               bl
            //   ff15????????         |                     
            //   56                   | push                esi
            //   ff15????????         |                     

        $sequence_22 = { 8b4638 6a04 8945d0 5f 894dfc }
            // n = 5, score = 2300
            //   8b4638               | mov                 eax, dword ptr [esi + 0x38]
            //   6a04                 | push                4
            //   8945d0               | mov                 dword ptr [ebp - 0x30], eax
            //   5f                   | pop                 edi
            //   894dfc               | mov                 dword ptr [ebp - 4], ecx

        $sequence_23 = { f7d0 23d0 8b450c 03570c }
            // n = 4, score = 2300
            //   f7d0                 | not                 eax
            //   23d0                 | and                 edx, eax
            //   8b450c               | mov                 eax, dword ptr [ebp + 0xc]
            //   03570c               | add                 edx, dword ptr [edi + 0xc]

        $sequence_24 = { ff700c ff7008 e8???????? 83c420 85c0 0f8????????? ff7704 }
            // n = 7, score = 2300
            //   ff700c               | push                dword ptr [eax + 0xc]
            //   ff7008               | push                dword ptr [eax + 8]
            //   e8????????           |                     
            //   83c420               | add                 esp, 0x20
            //   85c0                 | test                eax, eax
            //   0f8?????????         |                     
            //   ff7704               | push                dword ptr [edi + 4]

        $sequence_25 = { 83fbff 74?? 56 56 ff75fc }
            // n = 5, score = 2300
            //   83fbff               | cmp                 ebx, -1
            //   74??                 |                     
            //   56                   | push                esi
            //   56                   | push                esi
            //   ff75fc               | push                dword ptr [ebp - 4]

        $sequence_26 = { e8???????? 8b45f8 ff750c 03c7 }
            // n = 4, score = 2300
            //   e8????????           |                     
            //   8b45f8               | mov                 eax, dword ptr [ebp - 8]
            //   ff750c               | push                dword ptr [ebp + 0xc]
            //   03c7                 | add                 eax, edi

        $sequence_27 = { 50 51 51 51 68ff031f00 }
            // n = 5, score = 2300
            //   50                   | push                eax
            //   51                   | push                ecx
            //   51                   | push                ecx
            //   51                   | push                ecx
            //   68ff031f00           | push                0x1f03ff

        $sequence_28 = { 51 6a30 8d4da0 51 53 ff7508 }
            // n = 6, score = 2300
            //   51                   | push                ecx
            //   6a30                 | push                0x30
            //   8d4da0               | lea                 ecx, [ebp - 0x60]
            //   51                   | push                ecx
            //   53                   | push                ebx
            //   ff7508               | push                dword ptr [ebp + 8]

        $sequence_29 = { 6a08 5a 33c0 8d7d88 }
            // n = 4, score = 2300
            //   6a08                 | push                8
            //   5a                   | pop                 edx
            //   33c0                 | xor                 eax, eax
            //   8d7d88               | lea                 edi, [ebp - 0x78]

        $sequence_30 = { 5d c20c00 837c240801 75?? 833d?????????? }
            // n = 5, score = 400
            //   5d                   | pop                 ebp
            //   c20c00               | ret                 0xc
            //   837c240801           | cmp                 dword ptr [esp + 8], 1
            //   75??                 |                     
            //   833d??????????       |                     

    condition:
        7 of them
}
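As an added example (not part of the Malpedia page and not code from yara-signator or the YARA project), the following Python reimplements the two YARA features the rule above relies on: hex strings with `?` nibble wildcards and an `N of them` condition. It parses a constructed eight-string subset of `win_pandabanker_auto`, turns each hex string into a bytes regex, and evaluates the threshold over two constructed buffers, one carrying seven fragments (so the `7 of them` condition fires) and one carrying only the two most generic fragments (a function prologue and a short arithmetic run), which a threshold like this is meant to leave alone. The rule text, the buffers, the wildcard fill-in values and the function names `parse_rule`, `hex_to_regex` and `scan` are this example's own assumptions; for real scanning use YARA itself (for instance yara-python's `yara.compile(source=...)` and `.match(data=...)`).

```python
import re
from typing import Dict, List, Tuple

# Constructed subset of the win_pandabanker_auto rule above: eight of its hex
# strings and the same kind of condition. Example input only, not the full rule.
RULE_TEXT = r"""
rule win_pandabanker_subset {
    strings:
        $sequence_0  = { 40 85ed 74?? c60020 40 }
        $sequence_2  = { c60722 8d7701 eb?? 8a03 }
        $sequence_3  = { 8b06 2bcb 03ca 8d7604 }
        $sequence_7  = { c6065c 46 8a03 43 0fb6c8 8bc1 }
        $sequence_8  = { c3 53 8b5c2408 32c0 56 57 }
        $sequence_19 = { 56 0f95c3 ff15???????? 56 }
        $sequence_27 = { 50 51 51 51 68ff031f00 }
        $sequence_29 = { 6a08 5a 33c0 8d7d88 }
    condition:
        7 of them
}
"""


def parse_rule(rule_text: str) -> Tuple[Dict[str, str], int]:
    """Return {name: hex string} and the N of an 'N of them' condition."""
    strings = {m.group(1): m.group(2)
               for m in re.finditer(r"\$(\w+)\s*=\s*\{([^}]*)\}", rule_text)}
    cond = re.search(r"condition:\s*(\d+)\s+of\s+them", rule_text)
    if cond is None:
        raise ValueError("only 'N of them' conditions are supported here")
    return strings, int(cond.group(1))


def hex_to_regex(hex_string: str) -> "re.Pattern[bytes]":
    """Translate a YARA hex string into a bytes regex.

    '??' becomes any byte; a single '?' nibble (e.g. '8?') expands to the
    character class of every byte whose other nibble matches the fixed one.
    """
    nibbles = "".join(hex_string.split())
    if len(nibbles) % 2:
        raise ValueError("odd nibble count in %r" % hex_string)
    parts: List[bytes] = []
    for i in range(0, len(nibbles), 2):
        hi, lo = nibbles[i], nibbles[i + 1]
        if hi == "?" and lo == "?":
            parts.append(b".")
        elif "?" not in (hi, lo):
            parts.append(b"\\x%02x" % int(hi + lo, 16))
        else:
            values = [v for v in range(256)
                      if (hi == "?" or (v >> 4) == int(hi, 16))
                      and (lo == "?" or (v & 0xF) == int(lo, 16))]
            parts.append(b"[" + b"".join(b"\\x%02x" % v for v in values) + b"]")
    return re.compile(b"".join(parts), re.DOTALL)


def scan(buf: bytes, rule_text: str = RULE_TEXT) -> dict:
    """Find which hex strings occur in buf and evaluate the 'N of them' threshold."""
    strings, threshold = parse_rule(rule_text)
    offsets = {name: [m.start() for m in hex_to_regex(h).finditer(buf)]
               for name, h in strings.items()}
    matched = sorted(n for n, offs in offsets.items() if offs)
    return {"matched": matched, "count": len(matched), "threshold": threshold,
            "fires": len(matched) >= threshold,
            "offsets": {n: offsets[n] for n in matched}}


FILLER = b"\x90" * 4  # constructed padding between fragments

# Constructed buffer: seven of the eight fragments with the wildcards filled in
# with arbitrary values, so the '7 of them' threshold is exactly reached.
SAMPLE_BUFFER = FILLER.join([
    b"\x40\x85\xed\x74\x05\xc6\x00\x20\x40",              # sequence_0, ?? = 05
    b"\xc6\x07\x22\x8d\x77\x01\xeb\x10\x8a\x03",          # sequence_2, ?? = 10
    b"\x8b\x06\x2b\xcb\x03\xca\x8d\x76\x04",              # sequence_3
    b"\xc6\x06\x5c\x46\x8a\x03\x43\x0f\xb6\xc8\x8b\xc1",  # sequence_7
    b"\xc3\x53\x8b\x5c\x24\x08\x32\xc0\x56\x57",          # sequence_8
    b"\x56\x0f\x95\xc3\xff\x15\x00\x10\x40\x00\x56",      # sequence_19, made-up call slot
    b"\x50\x51\x51\x51\x68\xff\x03\x1f\x00",              # sequence_27
])

# Constructed buffer holding only the two most generic fragments: below the
# threshold, so the rule must not fire on it.
BENIGN_BUFFER = FILLER.join([
    b"\xc3\x53\x8b\x5c\x24\x08\x32\xc0\x56\x57",          # sequence_8 (prologue)
    b"\x8b\x06\x2b\xcb\x03\xca\x8d\x76\x04",              # sequence_3
])

if __name__ == "__main__":
    for label, buf in (("sample", SAMPLE_BUFFER), ("benign", BENIGN_BUFFER)):
        r = scan(buf)
        verdict = "MATCH" if r["fires"] else "no match"
        print(label, r["count"], "of", r["threshold"], "->", verdict, r["matched"])
```

The single-nibble wildcard branch matters for this particular rule: strings such as `$sequence_1` (`0f8?????????`) and `$sequence_30` (`833d??????????`) fix only the high nibble of the opcode byte, and a matcher that treats every `?`-containing byte as a plain `.` would match more loosely than YARA does. The threshold is the other point worth seeing: `$sequence_8` through `$sequence_14` are all overlapping cuts of one ordinary function prologue, so on their own they would hit a great deal of unrelated 32-bit code, and only the requirement for seven distinct sequences keeps the rule usable.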