pandabanker sample
Friday, April 6, 2018

found by James @James_inthe_box incoming #hancitor run: "Notice from UPS", details coming: Still dropping #pandabanker
https://twitter.com/James_inthe_box/status/981911568089661440
https://pastebin.com/ebKNgcqj
https://www.hybrid-analysis.com/sample/6cefef0e50aea5c4d5c0f56911704090570b9b1dcdb4f234d5336c40311462b9

-----------
interesting strings
-----------
<?xml ... name="Nullsoft.NSIS.exehead" type="win32"/><description> ...

---------
interesting api calls
---------
CreateFile C:\Users\xxx\AppData\Local\Temp\upda8ecf17f.bat
push eax | eax:L"\"C:\\Windows\\system32\\cmd.exe\" /c \"C:\\Users\\xxx\\AppData\\Local\\Temp\\updeb8421b2.bat\"" | call dword ptr ds:[<&CreateProcessW>]

-------
interesting child process
-------
Command line: "C:\Windows\system32\cmd.exe" /c "C:\Users\xxx\AppData\Local\Temp\upda8ecf17f.bat"

-------
batch file contents
-------
@echo off
:d
del /F /Q "C:\Users\xxx\Desktop\panda.exe"
if exist "C:\Users\xxx\Desktop\panda.exe" goto d
del /F "C:\Users\xxx\AppData\Local\Temp\upd40883b35.bat"
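The behaviour recorded above (cmd.exe /c launching a .bat dropped in the user's Temp directory, and a batch file that loops on del / if exist until the original executable is gone, then removes a .bat) is a recognisable cleanup pattern that a sandbox or EDR triage script can flag. The following is an added example, not code from the post or from the sample's author: a small Python triage helper that classifies a child-process command line and statically analyzes batch file contents for the delete-until-gone loop and batch self-removal. The command line and batch text are constructed inline to match what the post documents; the regular expressions and finding names are this example's own assumptions.

```python
import re

# Constructed sample inputs, mirroring the child process and batch file shown in the post.
SAMPLE_CHILD_CMDLINE = r'"C:\Windows\system32\cmd.exe" /c "C:\Users\xxx\AppData\Local\Temp\upda8ecf17f.bat"'
SAMPLE_BATCH = r"""@echo off
:d
del /F /Q "C:\Users\xxx\Desktop\panda.exe"
if exist "C:\Users\xxx\Desktop\panda.exe" goto d
del /F "C:\Users\xxx\AppData\Local\Temp\upd40883b35.bat"
"""

# cmd.exe /c <path>.bat, with or without quoting (assumed pattern, not from the post).
CMD_C_RE = re.compile(
    r'^"?(?P<exe>[^"]*?cmd\.exe)"?\s+/c\s+"?(?P<target>[^"]+?\.bat)"?\s*$', re.IGNORECASE)
USER_TEMP_RE = re.compile(r'\\AppData\\Local\\Temp\\', re.IGNORECASE)

# Batch-language fragments we care about: labels, del commands, and "if exist ... goto".
LABEL_RE = re.compile(r'^:(\w+)\s*$')
DEL_RE = re.compile(r'^del\s+(?:/\w\s+)*"?(?P<path>[^"]+?)"?\s*$', re.IGNORECASE)
IF_EXIST_GOTO_RE = re.compile(
    r'^if\s+exist\s+"?(?P<path>[^"]+?)"?\s+goto\s+(?P<label>\w+)\s*$', re.IGNORECASE)


def classify_cmdline(cmdline):
    """Return the .bat target of a 'cmd.exe /c x.bat' command line, or None.

    'in_user_temp' is True when the batch file lives under %LOCALAPPDATA%\\Temp,
    which is where the post's sample dropped its cleanup script.
    """
    m = CMD_C_RE.match(cmdline.strip())
    if not m:
        return None
    target = m.group('target')
    return {'target': target, 'in_user_temp': bool(USER_TEMP_RE.search(target))}


def analyze_batch(text):
    """Statically scan batch file contents for self-cleanup behaviour.

    Findings:
      ('delete_until_gone_loop', path)  a label, a del of `path`, then
                                        'if exist path goto label' pointing back
      ('deletes_batch_file', path)      a del whose target is itself a .bat
    """
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    labels = {}      # label name -> line index
    deletes = []     # (line index, path)
    findings = []
    for i, line in enumerate(lines):
        m = LABEL_RE.match(line)
        if m:
            labels[m.group(1).lower()] = i
            continue
        m = DEL_RE.match(line)
        if m:
            deletes.append((i, m.group('path')))
            continue
        m = IF_EXIST_GOTO_RE.match(line)
        if m:
            label = m.group('label').lower()
            path = m.group('path')
            # A backward goto whose label precedes a del of the same path is a retry loop.
            if label in labels and labels[label] < i and any(
                    p.lower() == path.lower() and labels[label] < j < i for j, p in deletes):
                findings.append(('delete_until_gone_loop', path))
    for _, p in deletes:
        if p.lower().endswith('.bat'):
            findings.append(('deletes_batch_file', p))
    return findings


def triage(cmdline, batch_text):
    """Combine both checks into one list of findings for a process + dropped script."""
    findings = []
    info = classify_cmdline(cmdline)
    if info and info['in_user_temp']:
        findings.append(('cmd_c_runs_temp_bat', info['target']))
    findings.extend(analyze_batch(batch_text))
    return findings


if __name__ == '__main__':
    for name, value in triage(SAMPLE_CHILD_CMDLINE, SAMPLE_BATCH):
        print(f'{name}: {value}')
```

Each finding on its own is weak (installers legitimately delete temporary batch files), but the combination of a Temp-resident .bat launched via cmd.exe /c, a busy-wait delete loop on a user-visible executable, and removal of a .bat afterwards is the full cleanup sequence the post documents and is worth a hunting rule on process-creation and file-deletion telemetry.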