Friday, April 6, 2018

pandabanker sample

found by James @James_inthe_box
incoming #hancitor run:  "Notice from UPS", details coming:
Still dropping #pandabanker
https://twitter.com/James_inthe_box/status/981911568089661440
https://pastebin.com/ebKNgcqj
https://www.hybrid-analysis.com/sample/6cefef0e50aea5c4d5c0f56911704090570b9b1dcdb4f234d5336c40311462b9

-----------
interesting strings
-----------
<?xml ... name="Nullsoft.NSIS.exehead" type="win32"/><description> ...


---------
interesting api calls
---------
CreateFile C:\Users\xxx\AppData\Local\Temp\upda8ecf17f.bat
| push eax                                | eax:L"\"C:\\Windows\\system32\\cmd.exe\" /c \"C:\\Users\\xxx\\AppData\\Local\\Temp\\updeb8421b2.bat\""
| call dword ptr ds:[<&CreateProcessW>]   |
-------
interesting child process
-------
Command line: "C:\Windows\system32\cmd.exe" /c "C:\Users\xxx\AppData\Local\Temp\upda8ecf17f.bat"


-------
batch file contents
-------
@echo off
:d
del /F /Q "C:\Users\xxx\Desktop\panda.exe"
if exist "C:\Users\xxx\Desktop\panda.exe" goto d
del /F "C:\Users\xxx\AppData\Local\Temp\upd40883b35.bat"
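Added example (my code, not part of the original post): a small Python heuristic that reads batch contents like the one above and flags the two traits a defender would key on, the delete-until-gone loop (a label, a `del`, and an `if exist ... goto` back to the label on the same path) and the final `del` of a `.bat` under a Temp directory. The regex forms and the `\Temp\*.bat` test are my assumptions; the sample input is the batch file shown above.

```python
import re

# Batch file contents from the post, embedded here as the sample input.
PANDA_BAT = r'''@echo off
:d
del /F /Q "C:\Users\xxx\Desktop\panda.exe"
if exist "C:\Users\xxx\Desktop\panda.exe" goto d
del /F "C:\Users\xxx\AppData\Local\Temp\upd40883b35.bat"
'''

# Assumed patterns: they cover the simple one-path forms used in this dropper,
# not the full cmd.exe syntax (no wildcards, variables or multiple targets).
LABEL = re.compile(r'^:(\w+)\s*$')
DEL = re.compile(r'^del\s+(?:/[FQAS]\s+)*"?([^"]+?)"?\s*$', re.I)
IF_EXIST_GOTO = re.compile(r'^if\s+exist\s+"?([^"]+?)"?\s+goto\s+(\w+)\s*$', re.I)
TEMP_BAT = re.compile(r'\\temp\\[^\\]+\.bat$', re.I)

def analyze_batch(text):
    """Return findings for the delete-loop and Temp .bat self-delete traits."""
    findings = {"loop_delete_targets": [], "deletes_temp_bat": False}
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    labels = {}  # label name -> index of the label line
    for i, line in enumerate(lines):
        m = LABEL.match(line)
        if m:
            labels[m.group(1).lower()] = i
    for i, line in enumerate(lines):
        m = IF_EXIST_GOTO.match(line)
        if m:
            path, label = m.group(1), m.group(2).lower()
            start = labels.get(label)
            # Backward jump whose body deletes the very file 'if exist' tests:
            # the script spins until the dropped binary is gone.
            if start is not None and start < i:
                for body in lines[start:i]:
                    d = DEL.match(body)
                    if d and d.group(1).lower() == path.lower():
                        findings["loop_delete_targets"].append(path)
            continue
        d = DEL.match(line)
        if d and TEMP_BAT.search(d.group(1)):
            findings["deletes_temp_bat"] = True
    findings["suspicious"] = (bool(findings["loop_delete_targets"])
                              and findings["deletes_temp_bat"])
    return findings

if __name__ == "__main__":
    print(analyze_batch(PANDA_BAT))
```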
