Suspected Zeus Panda Banking Trojan | VMRay Analyzer Report
Analysis Information
Creation Time 2017-11-30 15:34 (UTC+1)
VM Analysis Duration Time 00:15:29
Execution Successful True
Sample Filename zeuspanda.vir.exe
Command Line Parameters False
Prescript False
Number of Processes 13
Termination Reason Timeout
Reputation Enabled True
VTI Information
VTI Score 95 / 100
VTI Database Version 2.6
VTI Rule Match Count 93
VTI Rule Type Default (PE, ...)
Tags
#trojan #malware #evasion
Remarks
Critical The dump total size limit was reached during the analysis. Some memory dumps may be missing in the reports. You can increase the limit in the configuration.
Critical The operating system was rebooted during the analysis.
Critical The maximum number of dumps was reached during the analysis. Some memory dumps may be missing in the reports. You can increase the limit in the configuration.
Critical The overall sleep time of all monitored processes was truncated from 1 minute to 10 seconds to reveal dormant functionality.
Monitored Processes
| ID | PID | Monitor Reason | Integrity Level | Image Name | Command Line | Origin ID |
|---|---|---|---|---|---|---|
| #1 | 0xfc0 | Analysis Target | High (Elevated) | zeuspanda.vir.exe | "C:\Users\CIiHmnxMn6Ps\Desktop\zeuspanda.vir.exe" | - |
| #2 | 0xd34 | Child Process | High (Elevated) | containers.exe | "C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\containers.exe" | #1 |
| #3 | 0xd2c | Child Process | High (Elevated) | cmd.exe | "C:\Windows\system32\cmd.exe" /c "C:\Users\CIIHMN~1\AppData\Local\Temp\upd7d80021e.bat" | #1 |
| #5 | 0xa88 | Child Process | High (Elevated) | svchost.exe | C:\Windows\SysWOW64\svchost.exe -k netsvcs | #2 |
| #6 | 0xea0 | Child Process | High (Elevated) | svchost.exe | C:\Windows\SysWOW64\svchost.exe -k netsvcs | #2 |
| #7 | 0x920 | Autostart | Medium | containers.exe | "C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\containers.exe" | - |
| #8 | 0xad8 | Child Process | Medium | svchost.exe | C:\Windows\SysWOW64\svchost.exe -k netsvcs | #7 |
| #9 | 0x4e4 | Child Process | Medium | svchost.exe | C:\Windows\SysWOW64\svchost.exe -k netsvcs | #7 |
| #12 | 0xa44 | Child Process | Medium | updee12df24.exe | "C:\Users\CIIHMN~1\AppData\Local\Temp\updee12df24.exe" -update | #8 |
| #13 | 0x1a4 | Child Process | Medium | containers.exe | "C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\containers.exe" | #12 |
| #14 | 0xf7c | Child Process | Medium | cmd.exe | "C:\Windows\system32\cmd.exe" /c "C:\Users\CIIHMN~1\AppData\Local\Temp\upd3171fe7c.bat" | #12 |
| #16 | 0xd84 | Child Process | Medium | svchost.exe | C:\Windows\SysWOW64\svchost.exe -k netsvcs | #13 |
| #17 | 0x3d0 | Child Process | Medium | svchost.exe | C:\Windows\SysWOW64\svchost.exe -k netsvcs | #13 |
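The process tree above carries the patterns a defender would key on: containers.exe executing from the user's AppData\Roaming Flash Player support directory and coming back as an Autostart item, svchost.exe -k netsvcs instances whose parent is that binary rather than services.exe, and cmd.exe /c running upd*.bat scripts out of %TEMP%. The Python below is an added example, not part of the VMRay report and not its VTI rules: it re-encodes a subset of the table rows as constructed input and applies those heuristics. The rule wording, the `Proc` record layout and the assumption that service hosts on x64 Windows are started from System32 (not SysWOW64) are mine.

```python
"""Heuristic review of a sandbox process list (added example, not VMRay code)."""
import re
from collections import namedtuple

Proc = namedtuple("Proc", "id pid reason image cmdline origin")

FLASH = (r'"C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player'
         r'\macromedia.com\support\flashplayer\sys\containers.exe"')
SVCHOST = r"C:\Windows\SysWOW64\svchost.exe -k netsvcs"

# Constructed input: rows transcribed from the report's Monitored Processes table.
PROCESSES = [
    Proc(1, 0xfc0, "Analysis Target", "zeuspanda.vir.exe",
         r'"C:\Users\CIiHmnxMn6Ps\Desktop\zeuspanda.vir.exe"', None),
    Proc(2, 0xd34, "Child Process", "containers.exe", FLASH, 1),
    Proc(3, 0xd2c, "Child Process", "cmd.exe",
         r'"C:\Windows\system32\cmd.exe" /c "C:\Users\CIIHMN~1\AppData\Local\Temp\upd7d80021e.bat"', 1),
    Proc(5, 0xa88, "Child Process", "svchost.exe", SVCHOST, 2),
    Proc(7, 0x920, "Autostart", "containers.exe", FLASH, None),
    Proc(8, 0xad8, "Child Process", "svchost.exe", SVCHOST, 7),
    Proc(12, 0xa44, "Child Process", "updee12df24.exe",
         r'"C:\Users\CIIHMN~1\AppData\Local\Temp\updee12df24.exe" -update', 8),
]

# User-writable staging directories typically used for dropped payloads.
USER_STAGING = re.compile(r"\\AppData\\(Roaming|Local)\\", re.I)
# cmd.exe /c "<anything>\Temp\<name>.bat"
TEMP_BAT = re.compile(r'/c\s+"?[^"]*\\Temp\\[^"\s]+\.bat', re.I)


def exe_path(cmdline):
    """Return the executable path: the quoted first token, or the first word."""
    if cmdline.startswith('"'):
        return cmdline[1:cmdline.index('"', 1)]
    return cmdline.split(" ", 1)[0]


def analyze(procs):
    """Map process ID -> list of findings (an empty list means nothing flagged)."""
    by_id = {p.id: p for p in procs}
    findings = {}
    for p in procs:
        hits = []
        path = exe_path(p.cmdline)
        image = p.image.lower()
        if USER_STAGING.search(path):
            hits.append("executable runs from a user-writable AppData path")
            if p.reason == "Autostart":
                hits.append("persistence: autostart entry points into the user profile")
        if image == "svchost.exe":
            parent = by_id.get(p.origin)
            # Legitimate svchost.exe instances are created by services.exe.
            if parent is None or parent.image.lower() != "services.exe":
                who = parent.image if parent else "an unmonitored parent"
                hits.append("svchost.exe spawned by %s instead of services.exe" % who)
            # Assumption: on x64 Windows service hosts run from System32, so a
            # SysWOW64 (32-bit) svchost.exe is out of place.
            if "\\syswow64\\" in path.lower():
                hits.append("32-bit svchost.exe launched from SysWOW64")
        if image == "cmd.exe" and TEMP_BAT.search(p.cmdline):
            hits.append("cmd.exe /c runs a batch file from the Temp directory")
        findings[p.id] = hits
    return findings


def suspicious_ids(procs):
    """Sorted IDs of processes with at least one finding."""
    return sorted(pid for pid, hits in analyze(procs).items() if hits)


if __name__ == "__main__":
    for pid, hits in analyze(PROCESSES).items():
        for h in hits:
            print("#%d %s" % (pid, h))
```

Run against the transcribed rows, every process except the analysis target itself is flagged; on a real endpoint the same three checks (parent of svchost.exe, SysWOW64 service host, batch file from Temp) translate directly into process-creation log queries.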
Sample Information
ID #20389
MD5 Hash Value c9522f83c60a595694b2e4c6657982d0
SHA1 Hash Value 8011fd0a959b7d17696306c4ab36c4974540cada
SHA256 Hash Value b34abadaa54fa828fc3d1b1540004f5dd94873918d5b3f2a3eab49272b67415b
Filename zeuspanda.vir.exe
File Size 395.00 KB (404480 bytes)
File Type Windows Exe (x86-32)
Analyzer and Virtual Machine Information
Analyzer Version 2.2.0
Analyzer Build Date 2017-10-17 16:08
Internet Explorer Version 11.0.10240.16384
Chrome Version 58.0.3029.110
Firefox Version 53.0.3
Flash Version 25.0.0.148
Java Version 8.0.1310.11
VM Name win10_64
VM Architecture x86 64-bit
VM OS Windows 10 Threshold 1
VM Kernel Version 10.0.10240.16384 (c68ee22f-dcf6-4778-95c5-4a862be16567)