Analysis
-
max time kernel
302s -
max time network
295s -
platform
windows7_x64 -
resource
win7-20230220-en -
resource tags
-
submitted
30-04-2023 08:19
General
-
Target
COMUNICADO VLN0000785623.exe
-
Size
3.0MB
-
MD5
b138dcc6464dde265d945d48cdb91c03
-
SHA1
97127548381b5d53ef4adc9a79b47738f9f0e240
-
SHA256
ffc28b05a322c5214cf30408f07bd29aba88930d1225a75626bbd08dc2b6e883
-
SHA512
0b16c4e66114ab32710ebfab16845508455c914a97fb3b064f7b556deddc289fe9e959bbf98c76fb5c44905d586bae5454f41f9099cab723d58f036b92dd6960
-
SSDEEP
24576:6h/AD1U14A8jpwmlYbPN5UGhsqp9EuNQ2YDcJm22C/0fqUb+Vhn7dv+6SSoec/SD:6JaBAeVgm5x2PAehtqSVyX4r2ecXY
Score
10/10
Malware Config
Extracted
Family
bandook
C2
deapproved.ru
Signatures
-
Bandook RAT
Bandook is a remote access tool written in C++ and shipped with a loader written in Delphi.
-
Bandook payload 7 IoCs
-
UPX packed file 9 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
-
Suspicious use of WriteProcessMemory 10 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\COMUNICADO VLN0000785623.exe"C:\Users\Admin\AppData\Local\Temp\COMUNICADO VLN0000785623.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\windows\syswow64\msinfo32.exeC:\windows\syswow64\msinfo32.exe2⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\COMUNICADO VLN0000785623.exe"C:\Users\Admin\AppData\Local\Temp\COMUNICADO VLN0000785623.exe" dkddkdkkdkdd ddd2⤵
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/552-74-0x0000000000310000-0x0000000000311000-memory.dmpFilesize
4KB
-
memory/552-89-0x0000000000400000-0x000000000070A000-memory.dmpFilesize
3.0MB
-
memory/552-87-0x0000000000400000-0x000000000070A000-memory.dmpFilesize
3.0MB
-
memory/552-84-0x0000000000310000-0x0000000000311000-memory.dmpFilesize
4KB
-
memory/552-82-0x0000000000400000-0x000000000070A000-memory.dmpFilesize
3.0MB
-
memory/1232-71-0x0000000000400000-0x000000000070A000-memory.dmpFilesize
3.0MB
-
memory/1232-81-0x0000000000400000-0x000000000070A000-memory.dmpFilesize
3.0MB
-
memory/1232-72-0x0000000000400000-0x000000000070A000-memory.dmpFilesize
3.0MB
-
memory/1232-73-0x0000000000400000-0x000000000070A000-memory.dmpFilesize
3.0MB
-
memory/1232-59-0x0000000000400000-0x000000000070A000-memory.dmpFilesize
3.0MB
-
memory/1232-103-0x0000000000400000-0x000000000070A000-memory.dmpFilesize
3.0MB
-
memory/1232-54-0x0000000000230000-0x0000000000231000-memory.dmpFilesize
4KB
-
memory/1232-55-0x0000000000400000-0x000000000070A000-memory.dmpFilesize
3.0MB
-
memory/1232-56-0x0000000000230000-0x0000000000231000-memory.dmpFilesize
4KB
-
memory/1232-57-0x0000000000400000-0x000000000070A000-memory.dmpFilesize
3.0MB
-
memory/1232-58-0x0000000000400000-0x000000000070A000-memory.dmpFilesize
3.0MB
-
memory/1532-76-0x000000007EFDE000-0x000000007EFDF000-memory.dmpFilesize
4KB
-
memory/1532-80-0x0000000013140000-0x0000000014009000-memory.dmpFilesize
14.8MB
-
memory/1532-79-0x0000000013140000-0x0000000014009000-memory.dmpFilesize
14.8MB
-
memory/1532-78-0x0000000013140000-0x0000000014009000-memory.dmpFilesize
14.8MB
-
memory/1532-77-0x0000000013140000-0x0000000014009000-memory.dmpFilesize
14.8MB
-
memory/1532-92-0x0000000013140000-0x0000000014009000-memory.dmpFilesize
14.8MB
-
memory/1532-93-0x0000000013140000-0x0000000014009000-memory.dmpFilesize
14.8MB
-
memory/1532-95-0x0000000013140000-0x0000000014009000-memory.dmpFilesize
14.8MB
-
memory/1532-96-0x0000000013140000-0x0000000014009000-memory.dmpFilesize
14.8MB
-
memory/1532-99-0x0000000013140000-0x0000000014009000-memory.dmpFilesize
14.8MB
-
memory/1532-75-0x0000000013140000-0x0000000014009000-memory.dmpFilesize
14.8MB