2017-01-09 - ZEUS PANDA BANKER INFECTION

NOTICE:

• The zip archives on this page have been updated, and they now use the new password scheme.  For the new password, see the "about" page of this website.

ASSOCIATED FILES:

• 2017-01-09-Zeus-Panda-Banker-infection-traffic.pcap.zip   138.4 kB (138,390 bytes)

• 2017-01-09-Zeus-Panda-Banker-infection-traffic.pcap   (163,756 bytes)

• 2017-01-09-Zeus-Panda-Banker-email-and-malware.zip   440.1 kB (440,080 bytes)

• 2017-01-09-DHL-malspam-1337-UTC.eml   (196,707 bytes)
• CVS Commercial form 20170109.cvs.exe   (240,170 bytes)
• CVS Commercial form 20170109.zip   (144,449 bytes)

 

THE EMAIL

Shown above:  Screenshot of the email.

 

EMAIL HEADERS:

• Received from:  public-gprs394884.centertel[.]pl (37.47.173[.]197)
• Date/Time:  2017-01-09 13:37 UTC
• Subject:  Dhl Commercial Invoices 9438768520 316232998309
• From:  <BGYHUBIMPORT@DHL[.]COM>
• Attachment name:  CVS Commercial form 20170109.zip

 

MESSAGE TEXT:

Attached notice amount customs charges

Dear Customer,
Attached your invoice in PDF format, dated 01/09/2017 and csv files for shipments and services provided by DHL Express.

You can also display the details of his account and the historical invoices online.

In case of substantial problems in the Annex, contact support at: support@dhl.com

We expect to receive payment within the prescribed period, as indicated on the invoice.

We send our thanks for having taken advantage of DHL Express services.


Best regards,

DHL Express

 

TRAFFIC

Shown above:  Traffic from the pcap filtered in Wireshark.

 

ASSOCIATED DOMAINS:

• google[.]com - GET /   check for connectivity (or possibly location)
• 104.27.177[.]160 port 443 - fastsearch[.]club - HTTPS/SSL/TLS Zeus Panda Banker C2 traffic

 

FILE HASHES

ATTACHED ZIP ARCHIVE:

• SHA256 hash:  63ecfe3dd8bf5040b1a8bd034d5e4ec861ba8870e98c3aa3de2057d8d21ba440   (144,449 bytes)
  File name:  CVS Commercial form 20170109.zip

EXTRACTED MALWARE:

• SHA256 hash:  ef6c9eb9475c3e392db7fe9872d6ab2d5d8642d5764ce2b3360e609ede8e9459   (240,170 bytes)
  File name:  CVS Commercial form 20170109.cvs[.]exe

 

IMAGES

Shown above:  Artifacts and registry update for this malware infection on a physical host.

 

FINAL NOTES

Click here to return to the main page.