Static task: static1
Behavioral task: behavioral1
  Sample: 13140000.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: 13140000.exe
  Resource: win10v2004-20220414-en
General
Target: 13140000.exe
Size: 10.3MB
MD5: 80b58f43feb6e5b04250961c86e9e891
SHA1: bcd22b9e345da4d845b61c20aa429d713a307354
SHA256: 0a4e59d0906316f0476dd5463ae6b93bb4a98211ff119f267b7320f13960bd47
SHA512: 8536f888d70638ef5ae94b8d8e7e78b5a0c92a122d9a13563a4467602283f0d17f777acc385f820c15ceca755d3ed769b17ed82df80ea84d479c3cf9e1b1dffe
SSDEEP: 3072:qNzpXxwk7lubiI4gK/3vAGkYWV33d2Sr:GxxMBJm
Malware Config
Signatures
Bandook Payload (1 IoC)
  resource: sample
  yara_rule: family_bandook
Bandook family
Files
13140000.exe (.exe, windows x86)
  f00e9662f410244a50158d29a8e78a29
Headers
File Characteristics
IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
Imports
kernel32
DeleteFileA
GetModuleFileNameA
lstrlenA
SetLastError
HeapAlloc
GetProcessHeap
HeapFree
GetShortPathNameA
CreateDirectoryA
GetFileInformationByHandle
GetSystemDirectoryA
LocalFree
Process32Next
lstrcmpiA
Process32First
GetModuleHandleA
GetLastError
GlobalFree
GlobalUnlock
GlobalLock
GlobalAlloc
Process32NextW
Module32FirstW
Process32FirstW
VirtualAlloc
VirtualProtect
VirtualFree
IsBadReadPtr
FreeLibrary
GetProcAddress
GetStartupInfoA
MoveFileW
GetCurrentProcessId
CreateDirectoryW
DeleteFileW
WriteFile
GetComputerNameW
GetLocaleInfoA
SetFilePointer
FileTimeToSystemTime
FindNextFileW
GetLogicalDriveStringsA
GetDriveTypeA
FindNextFileA
ExitThread
ReadFile
GetCurrentProcess
CreateFileW
CreateFileA
GetFileSize
FindFirstFileW
FindFirstFileA
FindClose
GetSystemTime
GetDateFormatA
ExitProcess
LoadLibraryA
QueryPerformanceFrequency
QueryPerformanceCounter
GetVersionExA
WideCharToMultiByte
MultiByteToWideChar
OpenProcess
TerminateProcess
TerminateThread
CreateThread
GetTickCount
CloseHandle
Sleep
CreateMutexA
WaitForSingleObject
CreateToolhelp32Snapshot
user32
GetForegroundWindow
GetActiveWindow
SetCursorPos
mouse_event
GetWindowTextW
GetWindowPlacement
IsWindowVisible
EnumWindows
ShowWindow
SendMessageA
ExitWindowsEx
GetLastInputInfo
wsprintfA
GetDC
ReleaseDC
gdi32
BitBlt
SelectObject
CreateCompatibleBitmap
CreateCompatibleDC
CreateDIBSection
GetDeviceCaps
CreateDCA
DeleteObject
GetDIBits
SelectPalette
GetStockObject
GetObjectA
DeleteDC
RealizePalette
advapi32
OpenProcessToken
GetTokenInformation
AllocateAndInitializeSid
EqualSid
FreeSid
RegOpenKeyExA
RegDeleteValueA
RegOpenKeyA
RegQueryValueExA
RegCreateKeyExA
RegSetValueExA
RegCloseKey
GetUserNameW
LookupPrivilegeValueA
AdjustTokenPrivileges
GetSecurityInfo
GetUserNameA
SetEntriesInAclA
SetSecurityInfo
GetLengthSid
GetSidSubAuthorityCount
CopySid
IsValidSid
GetSidIdentifierAuthority
GetSidSubAuthority
shell32
SHFileOperationW
SHGetSpecialFolderPathA
StrStrIA
ShellExecuteA
ShellExecuteExA
SHFileOperationA
ShellExecuteW
ws2_32
shutdown
closesocket
inet_addr
__WSAFDIsSet
recv
gethostbyname
select
send
WSACleanup
connect
socket
htons
WSAStartup
getsockname
msvcrt
_strcmpi
srand
free
realloc
fopen
printf
fread
fclose
strstr
swprintf
wcscmp
wcslen
memcpy
strcat
strncpy
??3@YAXPAX@Z
malloc
??2@YAPAXI@Z
__CxxFrameHandler
memset
strcpy
strtok
strcmp
wcscpy
sprintf
_stricmp
rand
atoi
clock
strlen
avicap32
capGetDriverDescriptionW
wininet
InternetOpenUrlA
InternetCloseHandle
InternetReadFile
InternetOpenA
shlwapi
PathFindFileNameA
SHDeleteKeyA
mpr
WNetEnumResourceW
WNetOpenEnumW
WNetCloseEnum
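The import table above is the most informative static artifact on this page: gdi32 bitmap calls, avicap32, Toolhelp32 snapshots, ws2_32 sockets, wininet and the mpr share-enumeration APIs together describe a remote-access tool, which is consistent with the Bandook YARA match. The script below is an added example written for this page, not part of the sandbox report and not a Bandook signature. It transcribes the import table shown above and groups the APIs by the capability they evidence; the API-to-capability groupings are the editor's own assumption, chosen to show what an analyst can infer from imports alone, and anything no group claims is listed separately for manual review.

```python
"""Capability triage of a PE import table (added example, editor's own code)."""

# Import table transcribed from the static task above (module -> API names).
IMPORTS = {
    "kernel32": (
        "DeleteFileA GetModuleFileNameA lstrlenA SetLastError HeapAlloc "
        "GetProcessHeap HeapFree GetShortPathNameA CreateDirectoryA "
        "GetFileInformationByHandle GetSystemDirectoryA LocalFree Process32Next "
        "lstrcmpiA Process32First GetModuleHandleA GetLastError GlobalFree "
        "GlobalUnlock GlobalLock GlobalAlloc Process32NextW Module32FirstW "
        "Process32FirstW VirtualAlloc VirtualProtect VirtualFree IsBadReadPtr "
        "FreeLibrary GetProcAddress GetStartupInfoA MoveFileW GetCurrentProcessId "
        "CreateDirectoryW DeleteFileW WriteFile GetComputerNameW GetLocaleInfoA "
        "SetFilePointer FileTimeToSystemTime FindNextFileW GetLogicalDriveStringsA "
        "GetDriveTypeA FindNextFileA ExitThread ReadFile GetCurrentProcess "
        "CreateFileW CreateFileA GetFileSize FindFirstFileW FindFirstFileA FindClose "
        "GetSystemTime GetDateFormatA ExitProcess LoadLibraryA "
        "QueryPerformanceFrequency QueryPerformanceCounter GetVersionExA "
        "WideCharToMultiByte MultiByteToWideChar OpenProcess TerminateProcess "
        "TerminateThread CreateThread GetTickCount CloseHandle Sleep CreateMutexA "
        "WaitForSingleObject CreateToolhelp32Snapshot").split(),
    "user32": (
        "GetForegroundWindow GetActiveWindow SetCursorPos mouse_event GetWindowTextW "
        "GetWindowPlacement IsWindowVisible EnumWindows ShowWindow SendMessageA "
        "ExitWindowsEx GetLastInputInfo wsprintfA GetDC ReleaseDC").split(),
    "gdi32": (
        "BitBlt SelectObject CreateCompatibleBitmap CreateCompatibleDC "
        "CreateDIBSection GetDeviceCaps CreateDCA DeleteObject GetDIBits "
        "SelectPalette GetStockObject GetObjectA DeleteDC RealizePalette").split(),
    "advapi32": (
        "OpenProcessToken GetTokenInformation AllocateAndInitializeSid EqualSid "
        "FreeSid RegOpenKeyExA RegDeleteValueA RegOpenKeyA RegQueryValueExA "
        "RegCreateKeyExA RegSetValueExA RegCloseKey GetUserNameW "
        "LookupPrivilegeValueA AdjustTokenPrivileges GetSecurityInfo GetUserNameA "
        "SetEntriesInAclA SetSecurityInfo GetLengthSid GetSidSubAuthorityCount "
        "CopySid IsValidSid GetSidIdentifierAuthority GetSidSubAuthority").split(),
    "shell32": (
        "SHFileOperationW SHGetSpecialFolderPathA StrStrIA ShellExecuteA "
        "ShellExecuteExA SHFileOperationA ShellExecuteW").split(),
    "ws2_32": (
        "shutdown closesocket inet_addr __WSAFDIsSet recv gethostbyname select "
        "send WSACleanup connect socket htons WSAStartup getsockname").split(),
    "msvcrt": (
        "_strcmpi srand free realloc fopen printf fread fclose strstr swprintf "
        "wcscmp wcslen memcpy strcat strncpy ??3@YAXPAX@Z malloc ??2@YAPAXI@Z "
        "__CxxFrameHandler memset strcpy strtok strcmp wcscpy sprintf _stricmp "
        "rand atoi clock strlen").split(),
    "avicap32": ["capGetDriverDescriptionW"],
    "wininet": "InternetOpenUrlA InternetCloseHandle InternetReadFile InternetOpenA".split(),
    "shlwapi": ["PathFindFileNameA", "SHDeleteKeyA"],
    "mpr": ["WNetEnumResourceW", "WNetOpenEnumW", "WNetCloseEnum"],
}

# Assumption: these API-to-capability groupings are the editor's heuristic,
# not a rule from the report or from any published Bandook signature.
CAPABILITIES = {
    "screen capture": {"BitBlt", "GetDIBits", "CreateCompatibleBitmap",
                       "CreateDIBSection", "GetDC", "CreateDCA"},
    "webcam access": {"capGetDriverDescriptionW"},
    "input simulation": {"mouse_event", "SetCursorPos"},
    "window/idle monitoring": {"GetForegroundWindow", "GetWindowTextW",
                               "EnumWindows", "GetLastInputInfo"},
    "process enumeration": {"CreateToolhelp32Snapshot", "Process32First",
                            "Process32Next", "Process32FirstW",
                            "Process32NextW", "Module32FirstW"},
    "process termination": {"OpenProcess", "TerminateProcess"},
    "registry tampering": {"RegCreateKeyExA", "RegSetValueExA",
                           "RegDeleteValueA", "SHDeleteKeyA"},
    "privilege/ACL manipulation": {"AdjustTokenPrivileges", "LookupPrivilegeValueA",
                                   "SetEntriesInAclA", "SetSecurityInfo"},
    "raw TCP C2": {"WSAStartup", "socket", "connect", "send", "recv", "gethostbyname"},
    "HTTP download": {"InternetOpenA", "InternetOpenUrlA", "InternetReadFile"},
    "file system enumeration": {"FindFirstFileA", "FindFirstFileW", "FindNextFileA",
                                "FindNextFileW", "GetLogicalDriveStringsA",
                                "GetDriveTypeA"},
    "network share enumeration": {"WNetOpenEnumW", "WNetEnumResourceW"},
    "runtime code loading": {"VirtualAlloc", "VirtualProtect",
                             "LoadLibraryA", "GetProcAddress"},
    "host fingerprinting": {"GetComputerNameW", "GetUserNameA", "GetUserNameW",
                            "GetVersionExA", "GetLocaleInfoA"},
    "shell execution": {"ShellExecuteA", "ShellExecuteExA", "ShellExecuteW"},
    "shutdown/logoff": {"ExitWindowsEx"},
    "single-instance mutex": {"CreateMutexA"},
}


def flatten(imports):
    """All imported API names across modules, as one set."""
    return {api for apis in imports.values() for api in apis}


def triage(imports):
    """Map each capability to the imported APIs that evidence it; empty groups are dropped."""
    present = flatten(imports)
    return {cap: sorted(apis & present)
            for cap, apis in CAPABILITIES.items() if apis & present}


def unclassified(imports):
    """Imports no capability group claims: the analyst's manual-review list."""
    claimed = set().union(*CAPABILITIES.values())
    return sorted(flatten(imports) - claimed)


if __name__ == "__main__":
    for cap, apis in triage(IMPORTS).items():
        print(f"{cap:28s} {', '.join(apis)}")
    print("unclassified:", ", ".join(unclassified(IMPORTS)))
```

The `unclassified` list is deliberately noisy: the msvcrt C-runtime names and generic kernel32 housekeeping calls land there by design, and that is the list to skim before calling the triage complete. The capability groups are evidence of what the code can do, not proof of what it does; the behavioral tasks on this page are where that is confirmed.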
Sections
.text Size: 88KB - Virtual size: 88KB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
.rdata Size: 8KB - Virtual size: 8KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.data Size: 10.2MB - Virtual size: 10.2MB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE