Overview

overview

10

Static

static

Cancelar Factura.exe

windows7-x64

10

Cancelar Factura.exe

windows10-2004-x64

10

Resubmissions

24-01-2023 19:33

230124-x9v3csdd45 10

24-01-2023 19:30

230124-x7w7msfa3x 1

Analysis

  • max time kernel
    429s
  • max time network
    581s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
  • submitted
    24-01-2023 19:33

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Cancelar Factura.exe

  • Size

    2.9MB

  • MD5

    5c3cb19563848d0bee7238a6bf55abc9

  • SHA1

    766737ca6149bcd018ef7cfce49b3b90fe0325d9

  • SHA256

    c1c7a5fe3203fe7ecd6b4581a12f85803174d5e2b8df2e98cccb8a5d740b1d36

  • SHA512

    bbf31136b59edfc1c630a96e348a20d7f494e999534e19aea565ca9c2f074f27be8bac27ccf07165c5f025daa955741a131424250a543d83e6e46fed2af44341

  • SSDEEP

    49152:Ofc6jhQyaOKBcZt7MUt0dfwwWC1R9Jbl8/u5K:O062yaOt

Score
10/10
bandookpersistencerattrojanupx

Malware Config

Signatures

  • Bandook RAT

    Bandook is a remote access tool written in C++ and shipped with a loader written in Delphi.

    rattrojanbandook
  • Bandook payload 4 IoCs
  • UPX packed file 6 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Cancelar Factura.exe
    "C:\Users\Admin\AppData\Local\Temp\Cancelar Factura.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:792
    • C:\windows\syswow64\msinfo32.exe
      C:\windows\syswow64\msinfo32.exe
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:748
    • C:\Users\Admin\AppData\Local\Temp\Cancelar Factura.exe
      "C:\Users\Admin\AppData\Local\Temp\Cancelar Factura.exe" ooooooooooooooo
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:524
      • C:\windows\syswow64\msinfo32.exe
        C:\windows\syswow64\msinfo32.exe
        3⤵
        • Adds Run key to start application
        PID:2008

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/748-57-0x0000000013140000-0x0000000014009000-memory.dmp

    Filesize

    14.8MB

    Download

  • memory/748-60-0x0000000013140000-0x0000000014009000-memory.dmp

    Filesize

    14.8MB

    Download

  • memory/748-62-0x0000000013140000-0x0000000014009000-memory.dmp

    Filesize

    14.8MB

    Download

  • memory/748-63-0x0000000013140000-0x0000000014009000-memory.dmp

    Filesize

    14.8MB

    Download

  • memory/748-64-0x0000000013140000-0x0000000014009000-memory.dmp

    Filesize

    14.8MB

    Download

  • memory/792-54-0x00000000763D1000-0x00000000763D3000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2008-72-0x0000000013140000-0x0000000014009000-memory.dmp

    Filesize

    14.8MB

    Download

  • memory/2008-73-0x0000000013140000-0x0000000014009000-memory.dmp

    Filesize

    14.8MB

    Download