8697aca759fabb9357f095c86db5336ee3ec9474fd9b18c1bd3b94bdc454f5a0

Resubmissions

07/06/2024, 17:30

240607-v26ssabe3s 7

Sharing

Copy URL Twitter E-mail

General

Target

Bandicam v4.5.6.1647 Portable by CheshireCat Ml_Rus - Copy.zip
Size

50.1MB
Sample

240607-v26ssabe3s
MD5

4dbfda909c3446b7a642e02f0848da24
SHA1

0a87828125b5f48da560d17bd97fe0bfea081dc9
SHA256

8697aca759fabb9357f095c86db5336ee3ec9474fd9b18c1bd3b94bdc454f5a0
SHA512

9eee4ca57cf2dc2b85270b377f7fdc1b37455f134fb5d875650a5b4bc28ce2c8dfa3a6b44cd7e2e29a157aeaa8e456512ceed4b7af4cfb8b87d376410f7eeb0e
SSDEEP

786432:A3AM08kJ2UksPXzSg6oJD+X6T+XjJvuFXEEltSok6uLRtGMcsXuz4OBoSjrgytQu:ArhBsP6oMljJmFj4oknfnWNg6Qr+ZT

Score

7^/10

Malware Config

Targets

- Target
  
  Bandicam v4.5.6.1647 Portable by CheshireCat Ml_Rus - Copy/Bandicam v4.5.6.1647 Portable by CheshireCat.exe
- Size
  
  13.8MB
- MD5
  
  8c9676a8595ea889d42e8997fb17a823
- SHA1
  
  d6085c261eb7bfa000de632c373c13be75d5f833
- SHA256
  
  76d83556fdaad6ffab579e3fa527c53bf6d964d216730cdc782e09344d9b73c8
- SHA512
  
  ffd01317799c89516e41e41d3f9c275ba5a61044b7ef17a136f65311825e7c962f3adc336b2db0d1cd6e2ee8401800681dc16f829cc4112562bf59347ab9e70a
- SSDEEP
  
  393216:uPAW+/8KI4SjJopmsfZBeOcNhgf4GPsc6YbV+S:BW+lpmW/eOFAGnbV+S
Score

1^/10
behavioral1 behavioral2
- Target
  
  Bandicam v4.5.6.1647 Portable by CheshireCat Ml_Rus - Copy/Bandicam v4.5.6.1647 Portable by CheshireCat/App/Bandicam/bdcam64.bin
- Size
  
  386KB
- MD5
  
  1ecb12a47d0d07bf3d6897aa4bc77777
- SHA1
  
  3adf0c7ecc3c7bc55dd2f858ca34aa8d83f0cd33
- SHA256
  
  ab15065da99d2868d800f7072fd4116c6a0342fd118640ec763f305fa4f226a6
- SHA512
  
  f4dbae80e3fbbb4f250fbd81163eaccbb4bcfe2a14043f54eee90dcc8bfa6e48304b2ac2a353e096d5612c3978453e45f0fa53b2a90f30e889d2cc2d785077c0
- SSDEEP
  
  12288:fLBVlkb31JSupCiH4sgTh9pGHNu4B2Unt:dVUCiH4HTMI4rt
Score

1^/10
behavioral3 behavioral4
- Target
  
  Bandicam v4.5.6.1647 Portable by CheshireCat Ml_Rus - Copy/Bandicam v4.5.6.1647 Portable by CheshireCat/App/Bandicam/bdcam64.dll
- Size
  
  380KB
- MD5
  
  ef8d899e2c3889532eeaa6a0c538ff7a
- SHA1
  
  98f29602e0f849e5226e128938d19ebf25761b1a
- SHA256
  
  22fbfbc26b1c9c51cbf4ae54ae95458ae20938d891ed80c34c8bd11c67e896d5
- SHA512
  
  fa688f6b255d9bf6677cb2254df31297a21d8f26f959137593543a2a7d8b91631737d2fa8bebdf7b5a2b4e663b6ef4351173d343c169a501355e648663937af9
- SSDEEP
  
  6144:bUiUB/1Zma7pcWZ3MgpqjhVwTwV0in0hQwIS/CXeufXWtLKXwO:b3yvFc8qNpLncQMYjfXW5KXwO
Score

1^/10
behavioral5 behavioral6
- Target
  
  Bandicam v4.5.6.1647 Portable by CheshireCat Ml_Rus - Copy/Bandicam v4.5.6.1647 Portable by CheshireCat/Bandicam_Portable.exe
- Size
  
  293KB
- MD5
  
  437d935559dc87ee1f24fd6aaf1830e3
- SHA1
  
  11dc7e269152a1c82998a4aa2cecbd2434f22471
- SHA256
  
  e178b55a0f433f45092275bb3d8ea30da6c375ce4dfaaa98a53b99ecd246e11f
- SHA512
  
  2e60ed6ac962979e8aa63787bbfbfaddf8007380f6fd807ea1df28fb0ad447a5d3857cc31a7081e1fa4e251d7e5ce530bd693680b0ab4c2ae398437d6a828495
- SSDEEP
  
  3072:cs77w1OlWUt1u98tBUWoGoZpct53dN3CzGiZef9bjR8LbV4xKem1l6mg99Ctg2sc:dmOPi8tuWo+3duGiEf9Xu3V44099eW3a
Score

3^/10
behavioral7 behavioral8
- Target
  
  Bandicam v4.5.6.1647 Portable by CheshireCat Ml_Rus - Copy/Bandicam v4.5.6.1647 Portable by CheshireCat/Bandicam_Portable_NonAdmin.exe
- Size
  
  138KB
- MD5
  
  3f7b7cd6882caa420856795eead6d23e
- SHA1
  
  5b7404cdc2761a936df55164ecae29dd17d7ff06
- SHA256
  
  0a0dd1b424a0315fb192789dbdad9445eeaac3f0a36e6ad35748a7cf8e7404a2
- SHA512
  
  7c82e7bdf0d48984d449b9b551131fb1a7b21efa7dca90b26781c3668075e0ebf6de5739aedce8c0cf474f91242e51f0f0ac1aa396aeaa0e16272fef1fe2cd72
- SSDEEP
  
  1536:AsC478MoCwvVrOlCLlUt1uYOfhWoQkejoHMG:As77w1OlWUt1uxfhWoGoX
Score

7^/10
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral10 behavioral9
- Target
  
  Bandicam v4.5.6.1647 Portable by CheshireCat Ml_Rus - Copy/Bandicam/RegVulkanLayer.bat
- Size
  
  118B
- MD5
  
  b35e7d846a436bf1bc48b53125176f0b
- SHA1
  
  6e859c9374441da33fb404bff2041bbb6b068f23
- SHA256
  
  8198189537e866909dbeb383bb3ce43fec3351fe85ca8ddc8e9955193054f808
- SHA512
  
  00644acf7e72887e4dcc3e29a83362f17fd3f5338d640b0f85407f8ed173f4f3763e2a6e85dca3fdbad2495b90c3aa1761859bdfe539231b250e93ba504a56e2
Score

1^/10
behavioral11 behavioral12
- Target
  
  Bandicam v4.5.6.1647 Portable by CheshireCat Ml_Rus - Copy/Bandicam/UnregVulkanLayer.bat
- Size
  
  122B
- MD5
  
  13e241026906e9c49e8dcc436313dc55
- SHA1
  
  3d2c1fdb2e0166f915796569c6e4c04167aba9d3
- SHA256
  
  ec319ae952e4ffac8ff5edede7029050d53452a4df9bc026de3375ecfa983a44
- SHA512
  
  338fd96cad17b7f73328b9361a9a23da5c184c39a0fb185d772719daa2eb7abc268834fcba5cc2f0d6e6adf1b6364d3f7e59f9b330dba1ce769674cad295b0c7
Score

1^/10
behavioral13 behavioral14
- Target
  
  Bandicam v4.5.6.1647 Portable by CheshireCat Ml_Rus - Copy/Bandicam/bdcam.exe
- Size
  
  13.3MB
- MD5
  
  92ddc3a2b4690bb26b58265e7f04222c
- SHA1
  
  bbfbd1ff9d8e61b8fe2fb36f7e812e8fcfc8cf84
- SHA256
  
  62e136cd050d918798b211b69f68e4f00e5070adb95e28ee59c126b938cf235c
- SHA512
  
  0684d4fd06921675e39ec577301e2e21fb074b78b811375fb24421aef5bf26d98fe070ce85d4b9a7a91e90c0b22f485b25974829463a6229e15068c034ab0828
- SSDEEP
  
  196608:/jCTFKoquL+HdpNHwZYJFg/vHz93M7Jcc048382kCdkH6BqnSnm:/j2jHLEHiEg/vHY5QPdPA
Score

5^/10
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral15 behavioral16
- Target
  
  Bandicam v4.5.6.1647 Portable by CheshireCat Ml_Rus - Copy/Bandicam/bdcam32.bin
- Size
  
  2.1MB
- MD5
  
  241c3fd1afe7383f1f58d01469c5bc81
- SHA1
  
  3d56331e086e38155fc8040393d62f85f413e682
- SHA256
  
  99bd496969104414ca3195e58086f0edf8c7febf3dc115192a1b10c8c207f484
- SHA512
  
  3f0d47f7245322541b3360bd545e272dc9aaa739469396246dfa8338887bebddf6eeec2adb3f54435fff7177c117b948025a381de3e313011a807121e82289cc
- SSDEEP
  
  49152:BqWjvY30G2vEiiJZo8oo3AWLl8ZCIeHX3O4pv6vvi:BHrFtziJe8oo3AWx8ZCIeHX3O4pJ
Score

1^/10
behavioral17 behavioral18
- Target
  
  Bandicam v4.5.6.1647 Portable by CheshireCat Ml_Rus - Copy/Bandicam/bdcam32.dll
- Size
  
  19.1MB
- MD5
  
  4b359c0f8d7c8ec39951877f3835a98b
- SHA1
  
  72c026d73d11d84440a1d1a24236eb591b20f24c
- SHA256
  
  ee6de10061260fdd34036ad7e1c609e87bbda2a6e0e532124b2f72456331084c
- SHA512
  
  f6b9ee69ce4706ed27cbcf075b92f67de165f6470c9ad62fd57aca191a55076865b8b29d72ed1939d69c7b4b39c8f812bd105da09b9c26a966c58e277d96abae
- SSDEEP
  
  98304:D8gENxJceX8bee/aoU5XbgnoWUa1F0Ro3sQX8bee/pUT1bcwooWU1Evtpd+GsgPr:DYy1H3uF
Score

3^/10
behavioral19 behavioral20
- Target
  
  Bandicam v4.5.6.1647 Portable by CheshireCat Ml_Rus - Copy/Bandicam/bdcam64.bin
- Size
  
  409KB
- MD5
  
  11c665feab662a3303381a47fccdb955
- SHA1
  
  d8a109cfcbdec4afd5398074e1f16c36bece2024
- SHA256
  
  52ec04307bdd1d38032608381a10c38920fd439a8dba560592af8933582a734a
- SHA512
  
  0f2aa2b4f36ca5c98778570824f0c32e644eeafff2ba7ce2e35677f013255fec9008f8b5d3543d2e648f72a4f68a230c768814eae74572c7f00c4647fa7c6248
- SSDEEP
  
  12288:VNbieqjDU2C+C++pgkERIBMnRhVk9pGHNu4R2U2:L+DD31+pgkVQV1I472
Score

5^/10
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral21 behavioral22
- Target
  
  Bandicam v4.5.6.1647 Portable by CheshireCat Ml_Rus - Copy/Bandicam/bdcam64.dll
- Size
  
  21.2MB
- MD5
  
  a8eff289f9f222f61c06c4fad6197548
- SHA1
  
  e428a3e8289269ac9e97943c6c6da4a4f788d2f4
- SHA256
  
  2002ae1f401201d9c2898fcc6f3ca3f6b67321291f71a7ca4bd704088a040a54
- SHA512
  
  8fa3bdd1a15b5e965fc9ce11089b9159218e6473a133ff9441ac2dd4420eae4b7b02eb8d4b5aeeb65bafa01a33a7800a1a2e5d4c615822394adb69c0e988ec8e
- SSDEEP
  
  98304:IIGLJcU/8bAfda/bYLc8UoWoxEXtpdQnsQX8beePZUjBTnTQoW01E/tpq4xFfgSm:TGlvoqxMPRMYu
Score

1^/10
behavioral23 behavioral24
- Target
  
  Bandicam v4.5.6.1647 Portable by CheshireCat Ml_Rus - Copy/Bandicam/bdcam_admin.lnk
- Size
  
  1KB
- MD5
  
  896ed7def0a0d8bd9e82bd58e617f838
- SHA1
  
  84edb290c19a2dcb61cf9bcb43d3e4f9de691433
- SHA256
  
  311703958df6c4d6ea5fc7ed9602ba2b93e387bd1434e937f8d6f97a19e59208
- SHA512
  
  7fe8bb07ebffb6fb928bf9e9ec641a0e47338132885753dccb35188df82ee607324d6cbcd31a1b9c57829911a75a8cc2b15c5899b720fcb69d155fe09de1f382
Score

7^/10
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral25 behavioral26
- Target
  
  Bandicam v4.5.6.1647 Portable by CheshireCat Ml_Rus - Copy/Bandicam/bdcam_nonadmin.lnk
- Size
  
  1KB
- MD5
  
  4014b45cade9655f96e22486537338b8
- SHA1
  
  96dcc4c268064b62ab2b40f6c2617342e744c475
- SHA256
  
  913e1b7de6033ef8e6412f61c7e133b4ef2febfc395f672128640f9a5bf1696e
- SHA512
  
  86bf335e3f1534b3ee80b1b6a53c880454b75f1c9637881497784582995236cdc7ef83748e27e2f439048bb274264f84be9da99db65ebd996b23f69dfb347ed1
Score

7^/10
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral27 behavioral28
- Target
  
  Bandicam v4.5.6.1647 Portable by CheshireCat Ml_Rus - Copy/Bandicam/bdcam_safemode.lnk
- Size
  
  1KB
- MD5
  
  4db7c15e0077a8815d6f3d95dcfdd49a
- SHA1
  
  65c2cf0ccb3a3816e3ff1780d7b316c7ab1bc0e0
- SHA256
  
  28a4bebc6cfc126fc50a09c20a3c450aefd6990ca673158f89464b6841928024
- SHA512
  
  c8605996c4b2e5f38508126ca1513224d640ea3387b59ebae18c5b4285ff4059d60d851be32a663e0f1db625d88aca29866b4fa6eb69494c4b8045d8f1adab57
Score

7^/10
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral29 behavioral30
- Target
  
  Bandicam v4.5.6.1647 Portable by CheshireCat Ml_Rus - Copy/Bandicam/bdcamih.dll
- Size
  
  127KB
- MD5
  
  facfe2070816f8d6c8eb169af362bfb6
- SHA1
  
  ea2f1899bbf3ddfa87ac29f188b757f443729110
- SHA256
  
  558b4b23d7f6faeca52422c8e5037811a7fa8609bbc8964ca7011a69fbcd6d38
- SHA512
  
  1dd305a14a13217c397e89afa1a50e094d19ede859d72cff586dbf0abdcb11ae159f90200de8243f6cb320b8e2b040744501c4118dd9795c66c049ac88aebc9d
- SSDEEP
  
  3072:RKY4tBkbuTDOZf/2LQbOAOjzJiPWmATME5JAST/2njLhbC3G1DGRBtH3H3yrroo6:RL4UqTqt/2LYsjH3yvoo6
Score

1^/10
behavioral31 behavioral32

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Resubmissions

Sharing

General

Malware Config

Targets

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of NtSetInformationThreadHideFromDebugger

Checks computer location settings

Suspicious use of NtSetInformationThreadHideFromDebugger

Checks computer location settings

Suspicious use of NtSetInformationThreadHideFromDebugger

Checks computer location settings

Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10

behavioral11

behavioral12

behavioral13

behavioral14

behavioral15

behavioral16

behavioral17

behavioral18

behavioral19

behavioral20

behavioral21

behavioral22

behavioral23

behavioral24

behavioral25

behavioral26

behavioral27

behavioral28

behavioral29

behavioral30

behavioral31

behavioral32