{
	"id": "0692cdf3-1348-42c3-ab98-7d5c72f04d26",
	"created_at": "2026-04-06T00:08:42.962753Z",
	"updated_at": "2026-04-10T13:11:19.060071Z",
	"deleted_at": null,
	"sha1_hash": "427a8bf180fdc552c23638d0d83463558c7b5b00",
	"title": "Panda Banker Analysis Part 1",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 71509,
	"plain_text": "Panda Banker Analysis Part 1\r\nBy Crovax\r\nPublished: 2021-08-26 · Archived: 2026-04-05 17:47:33 UTC\r\nPanda Banker is a banking trojan that shares some of its code base with an older malware family called ‘Zeus.’ It’s known to inject code into the user’s web browser and attempt to steal banking and credit card credentials. Panda Banker uses a series of anti-analysis and code obfuscation techniques to thwart any attempt at analyzing it. Some of these techniques consist of checking for process monitoring tools and packet analysis tools; once the executable has detected one of these tools, it deletes itself from the host system.\r\nAfter execution, Panda Banker would spawn another binary in the AppData directory and then execute it. Once that was running, the original process would terminate and delete itself. After running for a while, the new process would spawn two additional processes (svchost.exe) and then terminate itself as well.\r\nBased on the initial analysis I conducted, you can see an unknown process (pid 1960) spawning another process named ‘data_1.exe’ (pid 3816) and then terminating itself. We can see this in the process tree listing in Volatility because the matching parent process is missing from the pslist output. I attached the graph output of the analysis I did (see below) to get a better visual representation of this activity. The rest of the memory analysis was focused on the data_1.exe activity captured during the time of execution.\r\nTo note: in part 2 of this analysis, I’ll cover the behavioral and reverse engineering sections of Panda Banker. This is where we’ll discover additional functionalities not covered in this write-up. :)\r\nLink to memory analysis:\r\nhttps://crovaxthecursed.github.io/malware%20analysis/Panda_Banker/\r\nSource: https://medium.com/@crovax/panda-banker-analysis-part-1-d08b3a855847",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://medium.com/@crovax/panda-banker-analysis-part-1-d08b3a855847"
	],
	"report_names": [
		"panda-banker-analysis-part-1-d08b3a855847"
	],
	"threat_actors": [],
	"ts_created_at": 1775434122,
	"ts_updated_at": 1775826679,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/427a8bf180fdc552c23638d0d83463558c7b5b00.pdf",
		"text": "https://archive.orkl.eu/427a8bf180fdc552c23638d0d83463558c7b5b00.txt",
		"img": "https://archive.orkl.eu/427a8bf180fdc552c23638d0d83463558c7b5b00.jpg"
	}
}