2017-02-21 - ZEUS PANDA BANKER INFECTION

NOTICE:

• The zip archives on this page have been updated, and they now use the new password scheme.  For the new password, see the "about" page of this website.

ASSOCIATED FILES:

• 2017-02-21-Zeus-Panda-Banker-infection-traffic.pcap.zip   732.5 kB (732,472 bytes)

• 2017-02-21-Zeus-Panda-Banker-infection-traffic.pcap   (914,342 bytes)

• 2017-02-21-Zeus-Panda-Banker-emails-and-malware.zip   354.5 kB (354,515 bytes)

• 2017-02-21-Zeus-Panda-Banker-malspam-1241-UTC.eml   (27,574 bytes)
• 2017-02-21-Zeus-Panda-Banker-malspam-1254-UTC.eml   (27,593 bytes)
• 2017-02-21-Zeus-Panda-Banker-malspam-1259-UTC.eml   (27,228 bytes)
• daticert.xml informazioni .zip   (16,416 bytes)
• daticert.certificata.xml.js   (40,436 bytes)
• posta certificata.eml.js   (37,593 bytes)
• liber.exe   (396,288 bytes)

 

EMAIL

DESCRIPTION:

• Malicious spam (malspam) with an attached ZIP archive containing .JS files designed to infect a Windows host with Zeus Panda Banker malware.
• Saw similar malware yesterday from a differently-themed email with a link to the ZIP archive instead of an attachment.

Shown above:  Screenshot of the email.

 

EMAIL HEADERS:

• Subject:  POSTA CERTIFICATA: ENELENERGIA - EMISSIONE BOLLETTA PEC
• Date:  Tuesday 2017-02-21 12:41:58 UTC
• From:  "Per conto di: no-reply.enelenergia@pec.enel[.]it" <posta-certificata@legalmail[.]it>
• Message-ID:  <F600A479.1FFC5F50.D6827286.90596CFB.posta-certificata@legalmail[.]it>

 

TRAFFIC

Shown above:  Traffic from the infection filtered in Wireshark.

 

ASSOCIATED DOMAINS:

• 172.86.120[.]157 port 80 - slversstrom[.]site - GET /liber.exe
• 54.172.165[.]34 port 443 - gloverkentok[.]us - HTTPS/SSL/TLS traffic

 

FILE HASHES

EMAIL ATTACHMENT (ZIP ARCHIVE):

• SHA256 hash:  2da0365c5a93ec9d273a906e44e194be5bd245c7948b2103994eec3d17744592
• File name:  daticert.xml informazioni .zip

.JS FILE EXTRACTED FROM ZIP ARCHIVE (1 OF 2):

• SHA256 hash:  e9a6008c47a73007d4df74b5dcebdce382f512cd2bddc8c18ce220e21d66ba97
• File name:  posta certificata.eml.js

.JS FILE EXTRACTED FROM ZIP ARCHIVE (2 OF 2):

• SHA256 hash:  af351a4986ad67452073f1a621cab3f8c9e330f191965147b68bda07cb206d4d
• File name:  daticert.certificata.xml.js

EXECUTABLE DOWNLOADED BY .JS FILE (ZEUS PANDA BANKER):

• SHA256 hash:  220a2b2d7353a697496abcabf1b4c1990b8c9b7143e6dada17782ddd9ee2c232
• File name:  liber.exe

 

Click here to return to the main page.