2017-11-21 - ZEUS PANDA BANKER INFECTION FROM ITALIAN MALSPAM
NOTICE:
- The zip archives on this page have been updated, and they now use the new password scheme. For the new password, see the "about" page of this website.
ASSOCIATED FILES:
- 2017-11-21-Zeus-Panda-Banker-infection-traffic.saz.zip 938.5 kB (938,453 bytes)
- 2017-11-21-Zeus-Panda-Banker-infection-traffic.saz (941,668 bytes)
- 2017-11-21-Zeus-Panda-Banker-infection-traffic.pcap.zip 1.2 MB (1,173,366 bytes)
- 2017-11-21-Zeus-Panda-Banker-infection-traffic.pcap (1,257,005 bytes)
- 2017-11-21-Zeus-Panda-Banker-email-and-malware-examples.zip 445.6 kB (445,582 bytes)
- 2017-11-21-Zeus-Panda-Banker-malspam-0900-UTC.eml (95,849 bytes)
- 2017-11-21-Zeus-Panda-Banker-malspam-0902-UTC.eml (94,621 bytes)
- 2017-11-21-Zeus-Panda-Banker-malspam-0927-UTC.eml (95,940 bytes)
- 2017-11-21-Zeus-Panda-Banker-malspam-1229-UTC.eml (100,150 bytes)
- 65829_[removed].xls (68,608 bytes)
- SecurityPreloadState.exe (333,312 bytes)
- [removed]-3499.xls (72,192 bytes)
NOTES:
- This is mostly HTTPS traffic, so I've included a Fiddler capture (.saz file) for the HTTPS URLs.
- Email --> attached Excel spreadsheet --> enable macros --> downloads Zeus Panda Banker
WEB TRAFFIC BLOCK LIST
Indicators are not a block list. If you feel the need to block web traffic, I suggest the following domains:
- scaricapag[.]win
- 89D9B687AC98[.]site
EMAILS
Shown above: Screenshot from one of the emails.
EMAIL HEADERS:
- Date/Time: Tuesday 2017-11-21 as early as 09:00 UTC through at least 12:29 UTC
- Subject: avviso di pagamento
- Subject: avviso di pagamento 21/11/2017
- Subject: pagamento 21.11.2017
- From: [various email addresses, all probably spoofed, all ending with TLD .it]
Shown above: Malicious Excel spreadsheet attachment from the malspam.
TRAFFIC
Shown above: Traffic from the infection filtered in Wireshark.
Shown above: Traffic from the infection as recorded in Fiddler.
NETWORK TRAFFIC FROM MY INFECTED LAB HOST:
- 202.239.38[.]163 port 443 (HTTPS) - scaricapag[.]win - GET /eco [returned Zeus Panda Banker binary]
- 92.53.78[.]210 port 443 (HTTPS) - 89D9B687AC98[.]site - POST /EC/5/PeA/xA9SDv/L6UnJrI/6WYjg/
- 92.53.78[.]210 port 443 (HTTPS) - 89D9B687AC98[.]site - POST /vO/1/_u/zyDxePf7JX/kFnEKmr/gg
- port 80 - google[.]com - GET /
- port 80 - www.google[.]com - GET /
- port 443 (HTTPS) - www.google[.]com - GET /?gws_rd=ssl
- 92.53.78[.]210 port 443 (HTTPS) - 89D9B687AC98[.]site - POST /5P/lO/Tw139B/fuGKQ/QJ4/U7bonQ
- 92.53.78[.]210 port 443 (HTTPS) - 89D9B687AC98[.]site - POST /RD/8_C/XwxhVGfXtVWVs/NKKPiQ/
- 92.53.78[.]210 port 443 (HTTPS) - 89D9B687AC98[.]site - POST /q2h7u/0IatsD9g/edmIZEYa/D/tGovA
- 92.53.78[.]210 port 443 (HTTPS) - 89D9B687AC98[.]site - POST /dV5MneyeX/xeLwyiR/0/MtT/ndWEdK4i4tA
- 92.53.78[.]210 port 443 (HTTPS) - 89D9B687AC98[.]site - POST /z3VUVwuHg/24eT/0hxmPv/nY/a/wR-M7C/quA
- 92.53.78[.]210 port 443 (HTTPS) - 89D9B687AC98[.]site - POST /Iv54/6MLw/swNnfoX2ZwIc/L5Do-/Q/
- 92.53.78[.]210 port 443 (HTTPS) - 89D9B687AC98[.]site - POST /mYLnz/zO2J6TB8Ev3R/a1pxKoi/no/A
- 92.53.78[.]210 port 443 (HTTPS) - 89D9B687AC98[.]site - POST /CW/4/uOG0A/l/GCOb8Rn/R_JbG/emg/
- 92.53.78[.]210 port 443 (HTTPS) - 89D9B687AC98[.]site - POST /HXYVtUi/6eyc0T5/EIv/nnSGFc/M4-Vl/Q
FILE HASHES
MALICIOUS EXCEL SPREADSHEETS:
- SHA256 hash: 7d63ce01c5c13977f80fff363b65f43c98392057940d499ca3d912bc29e75789
File size: 68,608 bytes
File name: [random digits]_[name from recipient's email address].xls
- SHA256 hash: 6f03603b7718410b32b09eb40c38ea6b063b6385abc78fbb4a077b1328277b88
File size: 72,192 bytes
File name: [name from recipient's email address]_[random digits].xls
ZEUS PANDA BANKER RETRIEVED FROM THE INFECTED HOST:
- SHA256 hash: ce956a5a6ebf5b8242493a8512f8155a29379a7a2a046755beac4fc7a4ded41e
File size: 333,312 bytes
File location: C:\Users\[username]\AppData\Roaming\[existing directory path]\[random file name].exe
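The indicators above are defanged (the "[.]" in domains and IP addresses) and spread across the traffic list and the hash list. The script below is an added example, not code from this page or from the malware-traffic-analysis.net site: it refangs the domains, IPs and SHA256 hashes listed here, runs them over a constructed flow/proxy log (tab-separated, not the actual pcap), checks a list of file hashes, and flags attachment names matching the two naming patterns described above. The log format, the sample log lines, the timestamps, the internal IP 10.11.21.101 and the placeholder host "not-an-ioc.example" are all assumptions made for the example; the attachment-name regex is a heuristic that tolerates both the underscore in the pattern description and the hyphen seen in the listed file name, so expect it to match some legitimate names too.

```python
import re
from dataclasses import dataclass

# Indicators copied from this page, defanged exactly as written there.
C2_DOMAINS_DEFANGED = ["scaricapag[.]win", "89D9B687AC98[.]site"]
C2_IPS_DEFANGED = ["202.239.38[.]163", "92.53.78[.]210"]
SHA256_IOCS = {
    "7d63ce01c5c13977f80fff363b65f43c98392057940d499ca3d912bc29e75789": "malicious xls (68,608 bytes)",
    "6f03603b7718410b32b09eb40c38ea6b063b6385abc78fbb4a077b1328277b88": "malicious xls (72,192 bytes)",
    "ce956a5a6ebf5b8242493a8512f8155a29379a7a2a046755beac4fc7a4ded41e": "Zeus Panda Banker binary (333,312 bytes)",
}


def refang(indicator: str) -> str:
    """Turn a defanged indicator ('example[.]com', '1.2.3[.]4') into a matchable lowercase string."""
    return indicator.replace("[.]", ".").replace("(.)", ".").strip().lower()


C2_DOMAINS = {refang(d) for d in C2_DOMAINS_DEFANGED}
C2_IPS = {refang(ip) for ip in C2_IPS_DEFANGED}

# Attachment names on the page: "[random digits]_[name].xls" and "[name]_[random digits].xls".
# Heuristic (assumption): accept "_" or "-" as the separator, since the listed sample uses "-3499.xls".
ATTACHMENT_NAME_RE = re.compile(r"^(\d+[_-][^\\/]+|[^\\/]+[_-]\d+)\.xls$", re.IGNORECASE)

# Constructed sample log (assumed format: ts, src, dst, dport, host/SNI, method, path). Not from the pcap.
SAMPLE_LOG = """\
# ts\tsrc\tdst\tdport\thost\tmethod\tpath
2017-11-21T13:02:11Z\t10.11.21.101\t202.239.38.163\t443\tscaricapag.win\tGET\t/eco
2017-11-21T13:02:40Z\t10.11.21.101\t92.53.78.210\t443\t89D9B687AC98.site\tPOST\t/EC/5/PeA/xA9SDv/L6UnJrI/6WYjg/
2017-11-21T13:02:41Z\t10.11.21.101\t192.0.2.10\t80\twww.google.com\tGET\t/
2017-11-21T13:05:02Z\t10.11.21.101\t92.53.78.210\t443\tnot-an-ioc.example\tPOST\t/x
"""


@dataclass
class Hit:
    line_no: int
    reason: str
    record: str


def host_matches(host: str, domains: set) -> str:
    """Return the matching IOC domain for an exact or subdomain match, else an empty string."""
    host = host.lower().rstrip(".")
    for d in domains:
        if host == d or host.endswith("." + d):
            return d
    return ""


def scan_flow_log(lines) -> list:
    """Flag log records whose host/SNI or destination IP is one of the page's C2 indicators."""
    hits = []
    for n, line in enumerate(lines, 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split("\t")
        if len(fields) < 7:
            continue  # malformed record; skip rather than crash on it
        _ts, _src, dst, _dport, host, _method, _path = fields[:7]
        d = host_matches(host, C2_DOMAINS)
        if d:
            hits.append(Hit(n, f"known C2 domain {d}", line))
        elif dst in C2_IPS:
            # Catches traffic to the C2 server even when the SNI/Host value differs from the listed domain.
            hits.append(Hit(n, f"known C2 IP {dst}", line))
    return hits


def check_hashes(hashes) -> dict:
    """Map each supplied SHA256 (any case) that is a known IOC to its description."""
    return {h.lower(): SHA256_IOCS[h.lower()] for h in hashes if h.lower() in SHA256_IOCS}


def is_suspicious_attachment_name(name: str) -> bool:
    """True if an attachment name fits the malspam naming patterns described on this page (heuristic)."""
    return ATTACHMENT_NAME_RE.match(name) is not None


if __name__ == "__main__":
    for h in scan_flow_log(SAMPLE_LOG.splitlines()):
        print(f"line {h.line_no}: {h.reason}: {h.record}")
    print(check_hashes(["CE956A5A6EBF5B8242493A8512F8155A29379A7A2A046755BEAC4FC7A4DED41E"]))
    for name in ["65829_mario.rossi.xls", "mario-3499.xls", "report.xlsx"]:
        print(name, is_suspicious_attachment_name(name))
```

The IP check is deliberately kept separate from the domain check: the same server at 92.53.78[.]210 answered every C2 POST here, so a record with a different SNI but that destination is still worth a look, while a domain-only match would miss it.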
IMAGES
Shown above: Zeus Panda Banker persistent on the infected Windows host.