Analysis
- max time kernel: 151s
- max time network: 156s
- platform: windows10_x64
- resource: win10v200430
- submitted: 14-07-2020 07:29

Static task: static1

Behavioral task: behavioral1
- Sample: banbanban.exe
- Resource: win7 (windows7_x64)
- 0 signatures, 0 seconds

Behavioral task: behavioral2
- Sample: banbanban.exe
- Resource: win10v200430 (windows10_x64)
- 0 signatures, 0 seconds
General
- Target: banbanban.exe
- Size: 261.7MB
- MD5: 99feba3a31e179dd70208186c8e7ef1e
- SHA1: 92edafe211d60ba771f1520890001a6da2709456
- SHA256: 4db84910fd2fb23d12a93f2171fc361049ec0d8e24074495def3d561396e6789
- SHA512: 3b42d1d882d153321c9f3b567043f9b1ce7272ffb55266c88c52d30b425f5401f0fe926c8725d1484126e7405ff651a6075920202b6f4863744b46b0d39fcb38
- Score: 7/10
Malware Config

Signatures
- Drops startup file (1 IoC)
  description: File created
  ioc: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AZDCKDDHFDCAM.lnk
  Process: banbanban.exe
- Enumerates connected drives (3 TTPs)
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Suspicious behavior: EnumeratesProcesses (40 IoCs)
  pid: 2532, Process: banbanban.exe (40 identical entries)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description: Token: SeDebugPrivilege
  pid: 2532, Process: banbanban.exe
- Loads dropped DLL (1 IoC)
  pid: 2532, Process: banbanban.exe
- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow: 3, ioc: ipinfo.io
Processes
Network
- Remote address: 8.8.8.8:53 | Request: europaeuaMTQvMDcvMjAyMA.ddnsking.com IN A | Response: (empty)
- Remote address: 8.8.8.8:53 | Request: ipinfo.io IN A | Response: ipinfo.io IN A 216.239.38.21; ipinfo.io IN A 216.239.36.21; ipinfo.io IN A 216.239.34.21; ipinfo.io IN A 216.239.32.21
- Remote address: 8.8.8.8:53 | Request: europaeuaMTQvMDcvMjAyMA.ddnsking.com IN AAAA | Response: (empty)
- Remote address: 216.239.38.21:80
  Request:
    GET /json HTTP/1.1
    Host: ipinfo.io
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    User-Agent: Mozilla/3.0 (compatible; Indy Library)
  Response:
    HTTP/1.1 200 OK
    Content-Type: application/json; charset=utf-8
    Content-Length: 269
    Vary: Accept-Encoding
    Access-Control-Allow-Origin: *
    Set-Cookie: flash=; Path=/; Expires=Thu, 01 Jan 1970 00:00:00 GMT
    X-Content-Type-Options: nosniff
    Via: 1.1 google
    Expires: Tue, 14 Jul 2020 07:30:44 GMT
    Cache-Control: private
- Remote address: 216.239.38.21:80 (second flow; request and response headers identical to the flow above)
- Remote address: 216.239.38.21:80 (third flow; request and response headers identical to the flow above)
- Remote address: 8.8.8.8:53 | Request: europaeuamtqvmdcvmjayma.ddnsking.com IN A | Response: (empty)
- Remote address: 8.8.8.8:53 | Request: europaeuaMTQvMDcvMjAyMA.ddnsking.com IN A | Response: (empty)
- Remote address: 8.8.8.8:53 | Request: europaeuaMTQvMDcvMjAyMA.ddnsking.com IN AAAA | Response: (empty)
- Remote address: 8.8.8.8:53 | Request: europaeuamtqvmdcvmjayma.ddnsking.com IN A | Response: (empty)
- Remote address: 8.8.8.8:53 | Request: europaeuaMTQvMDcvMjAyMA.ddnsking.com IN A | Response: (empty)
- Remote address: 8.8.8.8:53 | Request: europaeuaMTQvMDcvMjAyMA.ddnsking.com IN AAAA | Response: (empty)
- Remote address: 8.8.8.8:53 | Request: europaeuamtqvmdcvmjayma.ddnsking.com IN A | Response: (empty)
- Remote address: 8.8.8.8:53 | Request: europaeuaMTQvMDcvMjAyMA.ddnsking.com IN A | Response: (empty)
- Remote address: 8.8.8.8:53 | Request: europaeuaMTQvMDcvMjAyMA.ddnsking.com IN AAAA | Response: (empty)
- Remote address: 8.8.8.8:53 | Request: europaeuaMTQvMDcvMjAyMA.ddnsking.com IN A | Response: (empty)
- Remote address: 8.8.8.8:53 | Request: europaeuaMTQvMDcvMjAyMA.ddnsking.com IN AAAA | Response: (empty)
- Remote address: 8.8.8.8:53 | Request: europaeuamtqvmdcvmjayma.ddnsking.com IN A | Response: (empty)
- Remote address: 8.8.8.8:53 | Request: europaeuaMTQvMDcvMjAyMA.ddnsking.com IN A | Response: (empty)
- Remote address: 8.8.8.8:53 | Request: europaeuaMTQvMDcvMjAyMA.ddnsking.com IN AAAA | Response: (empty)
- Remote address: 8.8.8.8:53 | Request: europaeuamtqvmdcvmjayma.ddnsking.com IN A | Response: (empty)
- Remote address: 8.8.8.8:53 | Request: europaeuaMTQvMDcvMjAyMA.ddnsking.com IN A | Response: (empty)
- Remote address: 8.8.8.8:53 | Request: europaeuaMTQvMDcvMjAyMA.ddnsking.com IN AAAA | Response: (empty)
- Remote address: 8.8.8.8:53 | Request: europaeuaMTQvMDcvMjAyMA.ddnsking.com IN A | Response: (empty)
- Remote address: 8.8.8.8:53 | Request: europaeuaMTQvMDcvMjAyMA.ddnsking.com IN AAAA | Response: (empty)
- Remote address: 8.8.8.8:53 | Request: europaeuamtqvmdcvmjayma.ddnsking.com IN A | Response: (empty)
- Remote address: 8.8.8.8:53 | Request: europaeuamtqvmdcvmjayma.ddnsking.com IN A | Response: (empty)
- Remote address: 8.8.8.8:53 | Request: europaeuaMTQvMDcvMjAyMA.ddnsking.com IN A | Response: (empty)
- Remote address: 8.8.8.8:53 | Request: europaeuaMTQvMDcvMjAyMA.ddnsking.com IN AAAA | Response: (empty)
- Remote address: 8.8.8.8:53 | Request: europaeuaMTQvMDcvMjAyMA.ddnsking.com IN A | Response: (empty)
- Remote address: 8.8.8.8:53 | Request: europaeuaMTQvMDcvMjAyMA.ddnsking.com IN AAAA | Response: (empty)
- Remote address: 8.8.8.8:53 | Request: europaeuamtqvmdcvmjayma.ddnsking.com IN A | Response: (empty)
- Remote address: 8.8.8.8:53 | Request: europaeuaMTQvMDcvMjAyMA.ddnsking.com IN A | Response: (empty)
- Remote address: 8.8.8.8:53 | Request: europaeuaMTQvMDcvMjAyMA.ddnsking.com IN AAAA | Response: (empty)
- Remote address: 8.8.8.8:53 | Request: europaeuamtqvmdcvmjayma.ddnsking.com IN A | Response: (empty)
- Remote address: 8.8.8.8:53 | Request: europaeuaMTQvMDcvMjAyMA.ddnsking.com IN A | Response: (empty)
- Remote address: 8.8.8.8:53 | Request: europaeuaMTQvMDcvMjAyMA.ddnsking.com IN AAAA | Response: (empty)
- Remote address: 8.8.8.8:53 | Request: europaeuaMTQvMDcvMjAyMA.ddnsking.com IN A | Response: (empty)
- Remote address: 8.8.8.8:53 | Request: europaeuaMTQvMDcvMjAyMA.ddnsking.com IN AAAA | Response: (empty)
- Remote address: 8.8.8.8:53 | Request: europaeuamtqvmdcvmjayma.ddnsking.com IN A | Response: (empty)
- Remote address: 8.8.8.8:53 | Request: europaeuaMTQvMDcvMjAyMA.ddnsking.com IN A | Response: (empty)
- Remote address: 8.8.8.8:53 | Request: europaeuaMTQvMDcvMjAyMA.ddnsking.com IN AAAA | Response: (empty)
Flow summary (bytes sent / bytes received / packets sent / packets received):
- 394 B / 801 B / 5 / 4 | HTTP Request: GET http://ipinfo.io/json | HTTP Response: 200
- 394 B / 801 B / 5 / 4 | HTTP Request: GET http://ipinfo.io/json | HTTP Response: 200
- 394 B / 801 B / 5 / 4 | HTTP Request: GET http://ipinfo.io/json | HTTP Response: 200
- 330 B / 2 (no parsed request)
- 82 B / 139 B / 1 / 1 | DNS Request: europaeuaMTQvMDcvMjAyMA.ddnsking.com
- 55 B / 119 B / 1 / 1 | DNS Request: ipinfo.io | DNS Response: 216.239.38.21, 216.239.36.21, 216.239.34.21, 216.239.32.21
- 82 B / 139 B / 1 / 1 | DNS Request: europaeuaMTQvMDcvMjAyMA.ddnsking.com
- 82 B / 139 B / 1 / 1 | DNS Request: europaeuamtqvmdcvmjayma.ddnsking.com
- 82 B / 139 B / 1 / 1 | DNS Request: europaeuaMTQvMDcvMjAyMA.ddnsking.com
- 82 B / 139 B / 1 / 1 | DNS Request: europaeuaMTQvMDcvMjAyMA.ddnsking.com
- 82 B / 139 B / 1 / 1 | DNS Request: europaeuamtqvmdcvmjayma.ddnsking.com
- 82 B / 139 B / 1 / 1 | DNS Request: europaeuaMTQvMDcvMjAyMA.ddnsking.com
- 82 B / 139 B / 1 / 1 | DNS Request: europaeuaMTQvMDcvMjAyMA.ddnsking.com
- 82 B / 139 B / 1 / 1 | DNS Request: europaeuamtqvmdcvmjayma.ddnsking.com
- 82 B / 139 B / 1 / 1 | DNS Request: europaeuaMTQvMDcvMjAyMA.ddnsking.com
- 82 B / 139 B / 1 / 1 | DNS Request: europaeuaMTQvMDcvMjAyMA.ddnsking.com
- 82 B / 139 B / 1 / 1 | DNS Request: europaeuaMTQvMDcvMjAyMA.ddnsking.com
- 82 B / 139 B / 1 / 1 | DNS Request: europaeuaMTQvMDcvMjAyMA.ddnsking.com
- 82 B / 139 B / 1 / 1 | DNS Request: europaeuamtqvmdcvmjayma.ddnsking.com
- 82 B / 139 B / 1 / 1 | DNS Request: europaeuaMTQvMDcvMjAyMA.ddnsking.com
- 82 B / 139 B / 1 / 1 | DNS Request: europaeuaMTQvMDcvMjAyMA.ddnsking.com
- 82 B / 139 B / 1 / 1 | DNS Request: europaeuamtqvmdcvmjayma.ddnsking.com
- 82 B / 139 B / 1 / 1 | DNS Request: europaeuaMTQvMDcvMjAyMA.ddnsking.com
- 82 B / 139 B / 1 / 1 | DNS Request: europaeuaMTQvMDcvMjAyMA.ddnsking.com
- 82 B / 139 B / 1 / 1 | DNS Request: europaeuaMTQvMDcvMjAyMA.ddnsking.com
- 82 B / 139 B / 1 / 1 | DNS Request: europaeuaMTQvMDcvMjAyMA.ddnsking.com
- 82 B / 139 B / 1 / 1 | DNS Request: europaeuamtqvmdcvmjayma.ddnsking.com
- 82 B / 139 B / 1 / 1 | DNS Request: europaeuamtqvmdcvmjayma.ddnsking.com
- 82 B / 139 B / 1 / 1 | DNS Request: europaeuaMTQvMDcvMjAyMA.ddnsking.com
- 82 B / 139 B / 1 / 1 | DNS Request: europaeuaMTQvMDcvMjAyMA.ddnsking.com
- 82 B / 139 B / 1 / 1 | DNS Request: europaeuaMTQvMDcvMjAyMA.ddnsking.com
- 82 B / 139 B / 1 / 1 | DNS Request: europaeuaMTQvMDcvMjAyMA.ddnsking.com
- 82 B / 139 B / 1 / 1 | DNS Request: europaeuamtqvmdcvmjayma.ddnsking.com
- 82 B / 139 B / 1 / 1 | DNS Request: europaeuaMTQvMDcvMjAyMA.ddnsking.com
- 82 B / 139 B / 1 / 1 | DNS Request: europaeuaMTQvMDcvMjAyMA.ddnsking.com
- 82 B / 139 B / 1 / 1 | DNS Request: europaeuamtqvmdcvmjayma.ddnsking.com
- 82 B / 139 B / 1 / 1 | DNS Request: europaeuaMTQvMDcvMjAyMA.ddnsking.com
- 82 B / 139 B / 1 / 1 | DNS Request: europaeuaMTQvMDcvMjAyMA.ddnsking.com
- 82 B / 139 B / 1 / 1 | DNS Request: europaeuaMTQvMDcvMjAyMA.ddnsking.com
- 82 B / 139 B / 1 / 1 | DNS Request: europaeuaMTQvMDcvMjAyMA.ddnsking.com
- 82 B / 139 B / 1 / 1 | DNS Request: europaeuamtqvmdcvmjayma.ddnsking.com
- 82 B / 139 B / 1 / 1 | DNS Request: europaeuaMTQvMDcvMjAyMA.ddnsking.com
- 82 B / 139 B / 1 / 1 | DNS Request: europaeuaMTQvMDcvMjAyMA.ddnsking.com