General

  • Target

    1.zip

  • Size

    5MB

  • Sample

    210716-bl5g78gves

  • MD5

    4067230cb4cbfe80659513b1c1c5458e

  • SHA1

    d18fdd1d9bb44bda044e1d399046a53d23d58853

  • SHA256

    f9d9d00a974b259b747217d021d95c7902c8a8807539db0bbf43939be972e281

  • SHA512

    0430cdc7acf26b6eafd78f23c0e6a0e3b6b161bd3cd61f45625dfd409b745043a80b5299f23b727159fd972e8ca7bcdcfd08b982ddf94a9504a5b7d4d330b7d2

Malware Config

Targets

    • Target

      037ff659cb188100251c228a1babe2cd3bc3aaa43e0039555e12c232a8b9f38f

    • Size

      1MB

    • MD5

      e0d2fac1d52fffd9b18fe93eb113d141

    • SHA1

      a90c769757b66b9c387ec4bc2d9be252b2f24d1a

    • SHA256

      037ff659cb188100251c228a1babe2cd3bc3aaa43e0039555e12c232a8b9f38f

    • SHA512

      0a435d80f67233e11bebce3d7c03f7ed9aacab354aa57e7d045052e7db6f3970edb017733961e84063a9f9081e9d246e5bf7b858ce3a53ab4a7066f8d572d6ba

    • Bandook Payload

    • Bandook RAT

      Bandook is a remote access tool written in C++ and shipped with a loader written in Delphi.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      2fc92db641004976273712cdacab3f1416b6f7fcb8a6019bbb6ca539e9effefc

    • Size

      1MB

    • MD5

      ce8805d7c52c37e37f1682dc19b50a8a

    • SHA1

      9413a9c879cb4a246a6126fc39cefbf95944cab5

    • SHA256

      2fc92db641004976273712cdacab3f1416b6f7fcb8a6019bbb6ca539e9effefc

    • SHA512

      432d8932ac4640c9d1de4bbe1345da8f972a90c147c5ea2e3710b0ef14ea6f36a9c0fc9175b843d202b7927a5b7d1002eb1873dec546f45b59782de203093266

    • Bandook Payload

    • Bandook RAT

      Bandook is a remote access tool written in C++ and shipped with a loader written in Delphi.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      58c6424d1d5365f3b596c311f77bf1635a84ecab176a829418ca2076974e91ed

    • Size

      1MB

    • MD5

      84bb509cbf65453942e7015d0aeb754b

    • SHA1

      52c64e3dee6b18f06af87d75fcea73e4c8a062d3

    • SHA256

      58c6424d1d5365f3b596c311f77bf1635a84ecab176a829418ca2076974e91ed

    • SHA512

      2cfbd18fdf132c53bbefd01fba064801a6531cd60b4e72d18ff6f937b7e459f8d97fcd9820ff194b64fa56730239a142b4d1356443f477a3418ed90b59aeb916

    • Bandook Payload

    • Bandook RAT

      Bandook is a remote access tool written in C++ and shipped with a loader written in Delphi.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      bc089259a1da012b1331933427fdf29e62e0c66cc4ca69c2319dd45f13a95c5d

    • Size

      1MB

    • MD5

      1f223fb3a22ffb73e9156427151e5b05

    • SHA1

      43a24433c4405101aecdbdf9e17fbafb8bb1b6f3

    • SHA256

      bc089259a1da012b1331933427fdf29e62e0c66cc4ca69c2319dd45f13a95c5d

    • SHA512

      e65e3f36311b3c00d418a9793bd5344052387301c7dbb3959311ca0a6daf7b5610980f0eb5800db49f1c190660dd6ddf3e6c1193e12e2b7d1b0c06e4dcf55c2d

    • Bandook Payload

    • Bandook RAT

      Bandook is a remote access tool written in C++ and shipped with a loader written in Delphi.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      d3e7b5be903eb9a596b9b2b78e5dd28390c6aadb8bdd4ea1ba3d896d99fa0057

    • Size

      1MB

    • MD5

      695ebe3e45a89552d7dabbc2b972ed66

    • SHA1

      89f1e932cc37e4515433696e3963bb3163cc4927

    • SHA256

      d3e7b5be903eb9a596b9b2b78e5dd28390c6aadb8bdd4ea1ba3d896d99fa0057

    • SHA512

      53a6770d75ac12bb248a2de6a13ee68ae8378da232b058efc1e04c8be4307a248c516111a65088d2d0ac39632ab223d949072f7fbaa71ad3155e6bd946e46593

    • Bandook Payload

    • Bandook RAT

      Bandook is a remote access tool written in C++ and shipped with a loader written in Delphi.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      e72ace3a76024645161ecb73c57083d38b85594df5117de94d782df9f48a10eb

    • Size

      1MB

    • MD5

      353f9db7df426b21b5af2b73d3421f1c

    • SHA1

      5662600362a996e38c630f3deceabd88c828e3cb

    • SHA256

      e72ace3a76024645161ecb73c57083d38b85594df5117de94d782df9f48a10eb

    • SHA512

      10cccccd181c0615d2344ee01bc45a46ab51a5672488ee90da81d4ae6f5513d9f4b459ad4ebc5b7cef9ea038d3a85a4f80dd6b4f104f34ce65109e0d5a81d6c3

    • Bandook Payload

    • Bandook RAT

      Bandook is a remote access tool written in C++ and shipped with a loader written in Delphi.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix

Collection

    Command and Control

      Credential Access

        Defense Evasion

        Execution

          Exfiltration

            Impact

              Initial Access

                Lateral Movement

                  Privilege Escalation