Analysis
-
max time kernel
301s -
max time network
302s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
-
submitted
30-04-2023 08:23
General
-
Target
Recibo de pago Banreserva.exe
-
Size
4.4MB
-
MD5
963dc44ec86b6f0e667716a4eafb63b1
-
SHA1
f487e173e2d8ef1c95d33fef82db94ddd2231e48
-
SHA256
14fe82910c2f207c0d0af16adb78beb03b871289d92bfeb52e7d4814b075e126
-
SHA512
6300c982b38242c3d591410672d6872b2e80d675acb421394b78b59f18e9e85c300e12e3bf7bddc82eb6aa86a5dd998064232c90c0c5d164a4c6055dab97cc2e
-
SSDEEP
49152:MxJPhRf0ewejGkahfiJWcSlAerZeWfEhiHECbFkt+aSj982TnUkcNVuV9zwu:MxTGeyk
Score
10/10
Malware Config
Extracted
Family
bandook
C2
bomes.ru
Signatures
-
Bandook RAT
Bandook is a remote access tool written in C++ and shipped with a loader written in Delphi.
-
Bandook payload 7 IoCs
-
UPX packed file 9 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of WriteProcessMemory 8 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Recibo de pago Banreserva.exe"C:\Users\Admin\AppData\Local\Temp\Recibo de pago Banreserva.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\windows\SysWOW64\msinfo32.exeC:\windows\syswow64\msinfo32.exe2⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\Recibo de pago Banreserva.exe"C:\Users\Admin\AppData\Local\Temp\Recibo de pago Banreserva.exe" ooooooooooooooo2⤵
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/3432-152-0x0000000000400000-0x0000000000869000-memory.dmpFilesize
4.4MB
-
memory/3432-137-0x0000000000400000-0x0000000000869000-memory.dmpFilesize
4.4MB
-
memory/3432-166-0x0000000000400000-0x0000000000869000-memory.dmpFilesize
4.4MB
-
memory/3432-136-0x0000000000400000-0x0000000000869000-memory.dmpFilesize
4.4MB
-
memory/3432-133-0x0000000002710000-0x0000000002711000-memory.dmpFilesize
4KB
-
memory/3432-138-0x0000000000400000-0x0000000000869000-memory.dmpFilesize
4.4MB
-
memory/3432-150-0x0000000000400000-0x0000000000869000-memory.dmpFilesize
4.4MB
-
memory/3432-154-0x0000000000400000-0x0000000000869000-memory.dmpFilesize
4.4MB
-
memory/3432-135-0x0000000002710000-0x0000000002711000-memory.dmpFilesize
4KB
-
memory/3432-134-0x0000000000400000-0x0000000000869000-memory.dmpFilesize
4.4MB
-
memory/3432-151-0x0000000000400000-0x0000000000869000-memory.dmpFilesize
4.4MB
-
memory/3432-180-0x0000000000400000-0x0000000000869000-memory.dmpFilesize
4.4MB
-
memory/4296-153-0x00000000024C0000-0x00000000024C1000-memory.dmpFilesize
4KB
-
memory/4296-173-0x0000000000400000-0x0000000000869000-memory.dmpFilesize
4.4MB
-
memory/4296-170-0x0000000000400000-0x0000000000869000-memory.dmpFilesize
4.4MB
-
memory/4296-167-0x00000000024C0000-0x00000000024C1000-memory.dmpFilesize
4KB
-
memory/4296-165-0x0000000000400000-0x0000000000869000-memory.dmpFilesize
4.4MB
-
memory/4300-156-0x0000000013140000-0x0000000014009000-memory.dmpFilesize
14.8MB
-
memory/4300-164-0x0000000013140000-0x0000000014009000-memory.dmpFilesize
14.8MB
-
memory/4300-162-0x0000000013140000-0x0000000014009000-memory.dmpFilesize
14.8MB
-
memory/4300-160-0x0000000013140000-0x0000000014009000-memory.dmpFilesize
14.8MB
-
memory/4300-159-0x0000000013140000-0x0000000014009000-memory.dmpFilesize
14.8MB
-
memory/4300-168-0x0000000013140000-0x0000000014009000-memory.dmpFilesize
14.8MB
-
memory/4300-158-0x0000000013140000-0x0000000014009000-memory.dmpFilesize
14.8MB
-
memory/4300-157-0x0000000013140000-0x0000000014009000-memory.dmpFilesize
14.8MB
-
memory/4300-155-0x0000000013140000-0x0000000014009000-memory.dmpFilesize
14.8MB