Bank_Security

Panda Banker Trojan Targets the US, Canada and Japan

Oct 10th, 2018
IoCs

SHA256 values (Panda Banker payloads)

Persistence
o Key: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
o Name: the file name of an executable Panda Banker created (e.g., blocklist.exe)
o Data: the path to that executable Panda Banker created (e.g., the path to blocklist.exe)

C2 domain names

URLs in the configuration served by the C2 server