ZeuS Panda Banker Trojan (suchka.exe) – Remove It Completely

ZeuS Panda Banker Trojan (suchka.exe) – Remove It Completely

This article has been created to help you detect and remove ZeuS Panda Banker Trojan (suchka.exe) from your computer completely and protect yourself in the future as well.

A new version of the ZeuS Trojan has reappeared, called Panda Banker. The malware uses Zeus Trojan’s, malicious modules in order to monitor the computers infected by it and steal financial and personal banking information. The malware’s primary goal is to remain unnoticed on your computer while at the same time logs keystrokes and takes screenshots from the computer. Keep reading this article to learn how to detect and remove this banking Trojan completely from your personal computer.

Threat Summary

NameZeus Panda Banker
TypeBanking Trojan
Short DescriptionAims to steal financial information from the computers infected by it. Pre-configured to detect and obtain important credentials and passwords if a financial information is detected.
SymptomsThe virus aims to remain undetected for as long as possible with malicious processes pretending to be legitimate Windows processes.
Distribution MethodSpam Emails of Word documents with malicious macros embedded.
Detection Tool See If Your System Has Been Affected by Zeus Panda Banker


Malware Removal Tool

User ExperienceJoin Our Forum to Discuss Zeus Panda Banker.

How Does ZeuS Panda Banker Infect?

The primary infection method by which the ZeuS malware is spread is via malicious e-mail spam, also known as malspam. Such campaigns aim for one thing only – to convince victims to open a malicious attachment or click on a malicious web link. The concrete sample of ZeuS Panda Banker detected by Malware-Traffic-Analysis has been reported to be spread via spam pretending the victim is receiving a parking fine. The spam message being spread is the following:

“The e-mail below is from an external source. Please do not open attachments or click links from an unknown or suspicious origin.
You received a parking fine!
26-818 – Parking of motor car or otherwise obstructing fire lanes shall be forbidden at all times
Required to appear in law court
Parking fine number information: TPD64735261
Check your parking ticket {Contains link to Google Docs where the malware is}
To pay your parking fine, download your ticket and choose one of 2 convenient ways:

1. Online
Pay online by Visa or Mastercard, $2 processing fee.

2. By phone (automated system)
Pay by Visa or Mastercard at (866)562-5972

Traffic Police.

The e-mail spam campaign is orchestrated via multiple different spam accounts, and the following fake e-mails were detected to be spreading the messages:

After the victims click on the URL of the e-mail, they are led to a web page which downloads the malicious file in a .zip archive. In the .ZIP file is a file which is named Traffic_Police_Department – Parking_Ticket_Information.doc:

The Microsoft Word file, when opened displays the following screen:

When the user clicks on the “Enable Content” button, the virus executes malicious macros that download the malicious executable of ZeuS Panda Trojan, located in:

→ %Temp%\suchka.exe

Once this malicious file is downloaded and then executed, it creates support modules and other executables, with random names. Some of the executables, connected to it are located in the %Temp% and %Roaming% directories.

ZeuS Panda Trojan – Activity Report

When a computer has already been infected by the ZeuS Panda Banker, it may immediately begin to connect to multiple third-party hosts to exchange information and support active connection while undetected. The domains associated with it are so far reported to be:


But this is not all, the virus also uses Google Docs domains to get malicious that have been uploaded there.

In addition to these connections, the ZeuS Panda Banker also may have the typical for ZeuS malicious modules. These modules are usually .dll files that are disguised as legitimate Windows processes. According to latest reports the files have embedded functions in them which perform various malicious activities when they infect your computer:

Malicious Functions on the ZeuS Trojan code:

GetModuleHandleA – modifies the code in the OS to inject obfuscated malicious code.
GetModuleFileName – rolls back the name of the support modules that are active as system processes.
OpenMutexA – for unique identification so that there is no second infection of ZeuS on an already infected computer.
GetUserNameA and GetAuditedPermissionsFromAclW – provide an easier way for hackers to manage many infections, by assigning the infected computer with it’s username in his command and control interface.
CreateServiceA and CreateProcessAsUserW – used to insert the malicious files of the virus as fake processes.
GetDesktopWindow and GetKeyboarState – believed to be used for screenshot capturing and logging your keystrokes.

How to Detect and Remove Zeus Panda Banker

There are no known symptoms of having ZeuS on your computer. However, you could check the Windows Task Manager for suspicious processes that are not run by System, discover their location and then erase them from your computer. You can do this by booting your computer into Safe Mode, as explained in the Manual instructions below.

However, if you believed that manual removal might be difficult and feel unsure that all of the related objects and connections established by ZeuS will be terminated, it is recommended to go with the automatic removal option below.

Ventsislav Krastev

Ventsislav has been covering the latest malware, software and newest tech developments at SensorsTechForum for 3 years now. He started out as a network administrator. Having graduated Marketing as well, Ventsislav also has passion for discovery of new shifts and innovations in cybersecurity that become game changers. After studying Value Chain Management and then Network Administration, he found his passion within cybersecrurity and is a strong believer in basic education of every user towards online safety.

More Posts - Website

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Share on Twitter Tweet
Share on Google Plus Share
Share on Linkedin Share
Share on Digg Share
Share on Reddit Share
Share on Stumbleupon Share