Analysis
-
max time kernel
299s -
max time network
267s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
-
submitted
30-04-2023 08:24
General
-
Target
REPORTE DE PAGO-1.exe
-
Size
2.6MB
-
MD5
ef51568300ae7e7c78e27e5503a4f955
-
SHA1
c54415dadc7fa711122d92963d9d3823637b2b99
-
SHA256
34bc03f62cce398c53c910f9c2c3aae2d081417a82f744c09426ff29525eda82
-
SHA512
f18c10e979d7a962cd38dd399bed1258b429adc92ca19c38788691a8f851efbfebdcadd7c600b64573b34b7e12c67140862d91304251fc0e9b1a25106cafec88
-
SSDEEP
49152:RfEMHawa0Tns5D2b0+XFUlJ1qVNVWDawSmpwjw2e:Rq
Score
10/10
Malware Config
Extracted
Family
bandook
C2
deapproved.ru
Signatures
-
Bandook RAT
Bandook is a remote access tool written in C++ and shipped with a loader written in Delphi.
-
Bandook payload 8 IoCs
-
UPX packed file 10 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of WriteProcessMemory 8 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\REPORTE DE PAGO-1.exe"C:\Users\Admin\AppData\Local\Temp\REPORTE DE PAGO-1.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\windows\SysWOW64\msinfo32.exeC:\windows\syswow64\msinfo32.exe2⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\REPORTE DE PAGO-1.exe"C:\Users\Admin\AppData\Local\Temp\REPORTE DE PAGO-1.exe" ooooooooooooooo2⤵
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/860-152-0x0000000000940000-0x0000000000941000-memory.dmpFilesize
4KB
-
memory/860-171-0x0000000000400000-0x00000000006AB000-memory.dmpFilesize
2.7MB
-
memory/860-169-0x0000000000400000-0x00000000006AB000-memory.dmpFilesize
2.7MB
-
memory/860-167-0x0000000000940000-0x0000000000941000-memory.dmpFilesize
4KB
-
memory/860-165-0x0000000000400000-0x00000000006AB000-memory.dmpFilesize
2.7MB
-
memory/4372-156-0x0000000013140000-0x0000000014009000-memory.dmpFilesize
14.8MB
-
memory/4372-160-0x0000000013140000-0x0000000014009000-memory.dmpFilesize
14.8MB
-
memory/4372-168-0x0000000013140000-0x0000000014009000-memory.dmpFilesize
14.8MB
-
memory/4372-153-0x0000000013140000-0x0000000014009000-memory.dmpFilesize
14.8MB
-
memory/4372-154-0x0000000013140000-0x0000000014009000-memory.dmpFilesize
14.8MB
-
memory/4372-164-0x0000000013140000-0x0000000014009000-memory.dmpFilesize
14.8MB
-
memory/4372-157-0x0000000013140000-0x0000000014009000-memory.dmpFilesize
14.8MB
-
memory/4372-162-0x0000000013140000-0x0000000014009000-memory.dmpFilesize
14.8MB
-
memory/4372-158-0x0000000013140000-0x0000000014009000-memory.dmpFilesize
14.8MB
-
memory/4372-159-0x0000000013140000-0x0000000014009000-memory.dmpFilesize
14.8MB
-
memory/4416-155-0x0000000000400000-0x00000000006AB000-memory.dmpFilesize
2.7MB
-
memory/4416-133-0x0000000000830000-0x0000000000831000-memory.dmpFilesize
4KB
-
memory/4416-151-0x0000000000400000-0x00000000006AB000-memory.dmpFilesize
2.7MB
-
memory/4416-149-0x0000000000400000-0x00000000006AB000-memory.dmpFilesize
2.7MB
-
memory/4416-136-0x0000000000400000-0x00000000006AB000-memory.dmpFilesize
2.7MB
-
memory/4416-150-0x0000000000400000-0x00000000006AB000-memory.dmpFilesize
2.7MB
-
memory/4416-135-0x0000000000400000-0x00000000006AB000-memory.dmpFilesize
2.7MB
-
memory/4416-134-0x0000000000400000-0x00000000006AB000-memory.dmpFilesize
2.7MB
-
memory/4416-180-0x0000000000400000-0x00000000006AB000-memory.dmpFilesize
2.7MB