Analysis
-
max time kernel
293s -
max time network
262s -
platform
windows7_x64 -
resource
win7-20230220-en -
resource tags
-
submitted
30-04-2023 08:19
General
-
Target
Confirmar Transferencia lista.exe
-
Size
2.9MB
-
MD5
9d62eda2d552cb2f7e1564209de10310
-
SHA1
a0a5da7e38bf029ffa91b7b6f16f4da10f2763b0
-
SHA256
fa031dbd614e7231d329906a6aefdbeea4c6b2ceee847e909ff66126a370ceaa
-
SHA512
189b4905fb991ff3842c539d24617251799d736dde3df40fdd8653fb782736244ce202f760cf9e1c10496f31fda7f9aa20253d4c642a9f22bd27cebfeeb1cfba
-
SSDEEP
49152:vfc6jJzftLicMY1xMHeNBHFAJyye2IwF1q9emDAZ:v0617tLi
Score
10/10
Malware Config
Extracted
Family
bandook
C2
bomes.ru
Signatures
-
Bandook RAT
Bandook is a remote access tool written in C++ and shipped with a loader written in Delphi.
-
Bandook payload 7 IoCs
-
UPX packed file 9 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
-
Suspicious use of WriteProcessMemory 10 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Confirmar Transferencia lista.exe"C:\Users\Admin\AppData\Local\Temp\Confirmar Transferencia lista.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\windows\syswow64\msinfo32.exeC:\windows\syswow64\msinfo32.exe2⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\Confirmar Transferencia lista.exe"C:\Users\Admin\AppData\Local\Temp\Confirmar Transferencia lista.exe" ooooooooooooooo2⤵
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/1112-75-0x0000000000300000-0x0000000000301000-memory.dmpFilesize
4KB
-
memory/1112-97-0x0000000000400000-0x00000000006EA000-memory.dmpFilesize
2.9MB
-
memory/1112-88-0x0000000000400000-0x00000000006EA000-memory.dmpFilesize
2.9MB
-
memory/1112-86-0x0000000000400000-0x00000000006EA000-memory.dmpFilesize
2.9MB
-
memory/1112-84-0x0000000000300000-0x0000000000301000-memory.dmpFilesize
4KB
-
memory/1112-83-0x0000000000400000-0x00000000006EA000-memory.dmpFilesize
2.9MB
-
memory/1612-72-0x0000000000400000-0x00000000006EA000-memory.dmpFilesize
2.9MB
-
memory/1612-71-0x0000000000400000-0x00000000006EA000-memory.dmpFilesize
2.9MB
-
memory/1612-54-0x0000000000220000-0x0000000000221000-memory.dmpFilesize
4KB
-
memory/1612-104-0x0000000000400000-0x00000000006EA000-memory.dmpFilesize
2.9MB
-
memory/1612-55-0x0000000000400000-0x00000000006EA000-memory.dmpFilesize
2.9MB
-
memory/1612-56-0x0000000000220000-0x0000000000221000-memory.dmpFilesize
4KB
-
memory/1612-73-0x0000000000400000-0x00000000006EA000-memory.dmpFilesize
2.9MB
-
memory/1612-57-0x0000000000400000-0x00000000006EA000-memory.dmpFilesize
2.9MB
-
memory/1612-59-0x0000000000400000-0x00000000006EA000-memory.dmpFilesize
2.9MB
-
memory/1612-82-0x0000000000400000-0x00000000006EA000-memory.dmpFilesize
2.9MB
-
memory/1676-79-0x0000000013140000-0x0000000014009000-memory.dmpFilesize
14.8MB
-
memory/1676-81-0x0000000013140000-0x0000000014009000-memory.dmpFilesize
14.8MB
-
memory/1676-80-0x0000000013140000-0x0000000014009000-memory.dmpFilesize
14.8MB
-
memory/1676-78-0x0000000013140000-0x0000000014009000-memory.dmpFilesize
14.8MB
-
memory/1676-89-0x0000000013140000-0x0000000014009000-memory.dmpFilesize
14.8MB
-
memory/1676-90-0x0000000013140000-0x0000000014009000-memory.dmpFilesize
14.8MB
-
memory/1676-91-0x0000000013140000-0x0000000014009000-memory.dmpFilesize
14.8MB
-
memory/1676-94-0x0000000013140000-0x0000000014009000-memory.dmpFilesize
14.8MB
-
memory/1676-96-0x0000000013140000-0x0000000014009000-memory.dmpFilesize
14.8MB
-
memory/1676-77-0x000000007EFDE000-0x000000007EFDF000-memory.dmpFilesize
4KB
-
memory/1676-76-0x0000000013140000-0x0000000014009000-memory.dmpFilesize
14.8MB