bandook | 4136b980fcb12ab481555721ab307d6ec3c5b3e775e728561490078f869fed52

Analysis

max time kernel
295s
max time network
306s
platform
windows7_x64
resource
win7-20220718-es
resource tags

arch:x64arch:x86image:win7-20220718-eslocale:es-esos:windows7-x64systemwindows
submitted
10-08-2022 21:29

Target

XKS.exe
Size

1.8MB
MD5

f43da7a7ea38479b025c754a09ec10ed
SHA1

5a6c17f037e7db6c512d351d763ab01a8f944bdc
SHA256

4136b980fcb12ab481555721ab307d6ec3c5b3e775e728561490078f869fed52
SHA512

9a03d153d2cf69e2c2917c9efbcfe5907133f7d429369752d018d7893402fe640d09cd00f50f50ded95c4e776d1636ab6e84c5d2838545cb4773c270a8927025

Score

10^/10

Bandook RAT
Bandook is a remote access tool written in C++ and shipped with a loader written in Delphi.
rat trojan bandook

Bandook payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1904-61-0x0000000013140000-0x0000000013C7D000-memory.dmp	family_bandook
behavioral1/memory/1904-62-0x0000000013140000-0x0000000013C7D000-memory.dmp	family_bandook

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

Processes:

resource	yara_rule
behavioral1/memory/1904-58-0x0000000013140000-0x0000000013C7D000-memory.dmp	upx
behavioral1/memory/1904-60-0x0000000013140000-0x0000000013C7D000-memory.dmp	upx
behavioral1/memory/1904-61-0x0000000013140000-0x0000000013C7D000-memory.dmp	upx
behavioral1/memory/1904-62-0x0000000013140000-0x0000000013C7D000-memory.dmp	upx

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

msinfo32.exe

pid process

1904 msinfo32.exe

pid	process
1904	msinfo32.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

XKS.exe

description	pid	process	target process
PID 1108 wrote to memory of 1904	1108	XKS.exe	msinfo32.exe
PID 1108 wrote to memory of 1904	1108	XKS.exe	msinfo32.exe
PID 1108 wrote to memory of 1904	1108	XKS.exe	msinfo32.exe
PID 1108 wrote to memory of 1904	1108	XKS.exe	msinfo32.exe
PID 1108 wrote to memory of 1904	1108	XKS.exe	msinfo32.exe
PID 1108 wrote to memory of 1904	1108	XKS.exe	msinfo32.exe

C:\Users\Admin\AppData\Local\Temp\XKS.exe
"C:\Users\Admin\AppData\Local\Temp\XKS.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1108

C:\windows\syswow64\msinfo32.exe
C:\windows\syswow64\msinfo32.exe
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1904

memory/1108-54-0x0000000076631000-0x0000000076633000-memory.dmp

Filesize
8KB

Download
memory/1904-55-0x0000000013140000-0x0000000013C7D000-memory.dmp

Filesize
11.2MB

Download
memory/1904-57-0x0000000000000000-mapping.dmp

Download
memory/1904-58-0x0000000013140000-0x0000000013C7D000-memory.dmp

Filesize
11.2MB

Download
memory/1904-60-0x0000000013140000-0x0000000013C7D000-memory.dmp

Filesize
11.2MB

Download
memory/1904-61-0x0000000013140000-0x0000000013C7D000-memory.dmp

Filesize
11.2MB

Download
memory/1904-62-0x0000000013140000-0x0000000013C7D000-memory.dmp

Filesize
11.2MB

Download