bandook | 051495d208bad010334f14c162600b66c7ef437ae3f6bd037e39bbfc4ccdb415

Resubmissions

27-06-2022 14:10

27-06-2022 14:08

Target

SOLICITUD DE COTIZACION_20D5.exe
Size

1.8MB
MD5

732717fb963205cdf2d23f4a177fcfcb
SHA1

f7bf9ce224c48c33208f896b1bc7b8b90f3accd1
SHA256

051495d208bad010334f14c162600b66c7ef437ae3f6bd037e39bbfc4ccdb415
SHA512

3761cbb98c804fd7194896249eb3545281dbc410f7a3e129be9dc5f29d2dd9f6bb730449c373b6179f363cbac45b40e500cb989762a31380b8fce57b5942cd6f

Score

10^/10

Bandook Payload 3 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3732-133-0x0000000013140000-0x0000000013C75000-memory.dmp	family_bandook
behavioral2/memory/3732-134-0x0000000013140000-0x0000000013C75000-memory.dmp	family_bandook
behavioral2/memory/3732-135-0x0000000013140000-0x0000000013C75000-memory.dmp	family_bandook

Bandook RAT
Bandook is a remote access tool written in C++ and shipped with a loader written in Delphi.
rat trojan bandook

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

Processes:

resource	yara_rule
behavioral2/memory/3732-131-0x0000000013140000-0x0000000013C75000-memory.dmp	upx
behavioral2/memory/3732-132-0x0000000013140000-0x0000000013C75000-memory.dmp	upx
behavioral2/memory/3732-133-0x0000000013140000-0x0000000013C75000-memory.dmp	upx
behavioral2/memory/3732-134-0x0000000013140000-0x0000000013C75000-memory.dmp	upx
behavioral2/memory/3732-135-0x0000000013140000-0x0000000013C75000-memory.dmp	upx

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

msinfo32.exe

pid process

3732 msinfo32.exe
3732 msinfo32.exe

pid	process
3732	msinfo32.exe
3732	msinfo32.exe

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

SOLICITUD DE COTIZACION_20D5.exe

description	pid	process	target process
PID 2548 wrote to memory of 3732	2548	SOLICITUD DE COTIZACION_20D5.exe	msinfo32.exe
PID 2548 wrote to memory of 3732	2548	SOLICITUD DE COTIZACION_20D5.exe	msinfo32.exe
PID 2548 wrote to memory of 3732	2548	SOLICITUD DE COTIZACION_20D5.exe	msinfo32.exe
PID 2548 wrote to memory of 3732	2548	SOLICITUD DE COTIZACION_20D5.exe	msinfo32.exe
PID 2548 wrote to memory of 3732	2548	SOLICITUD DE COTIZACION_20D5.exe	msinfo32.exe

C:\Users\Admin\AppData\Local\Temp\SOLICITUD DE COTIZACION_20D5.exe
"C:\Users\Admin\AppData\Local\Temp\SOLICITUD DE COTIZACION_20D5.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2548

C:\windows\SysWOW64\msinfo32.exe
C:\windows\syswow64\msinfo32.exe
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3732

memory/3732-130-0x0000000000000000-mapping.dmp

Download
memory/3732-131-0x0000000013140000-0x0000000013C75000-memory.dmp

Filesize
11.2MB

Download
memory/3732-132-0x0000000013140000-0x0000000013C75000-memory.dmp

Filesize
11.2MB

Download
memory/3732-133-0x0000000013140000-0x0000000013C75000-memory.dmp

Filesize
11.2MB

Download
memory/3732-134-0x0000000013140000-0x0000000013C75000-memory.dmp

Filesize
11.2MB

Download
memory/3732-135-0x0000000013140000-0x0000000013C75000-memory.dmp

Filesize
11.2MB

Download