bandook | a374e41c655e55e462fa0ec239301867759a9bb8a622bb7f07e2bde0ad2dc394

Analysis

max time kernel
1602s
max time network
1783s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
21-09-2022 21:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PAGO AL INSTANTE LBTR 21-09-2022_B(1)/PAGO AL INSTANTE LBTR 21-09-2022_B.exe
Size

3.0MB
MD5

a986715bc03da3613fa1e63e3a2a38f6
SHA1

75c1c48a018cc8c63f154da2d81f4949beb30bb3
SHA256

83c24c9bca7a2e2ca9b00bfd5b2b04c464d90ba24d23f0d708ba56578ca8e3b7
SHA512

161f2c91ee9ddb203904b94a7087c4e1193ded81cee77fa09e66fe6b1ee3beca188b214efb53ffb6a62f51e8cf452b185ef35169ea6a8335b94c6bf28a90a6ad
SSDEEP

49152:BUUcMvybmbLj+JrHJk3OVcRDjHrCTny8ciBMsRl1djm:BF

Score

10^/10

bandook persistence rat trojan upx

Malware Config

Signatures

Bandook RAT
Bandook is a remote access tool written in C++ and shipped with a loader written in Delphi.
rat trojan bandook

Bandook payload 4 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1804-61-0x0000000013140000-0x0000000014009000-memory.dmp	family_bandook
behavioral1/memory/1804-62-0x0000000013140000-0x0000000014009000-memory.dmp	family_bandook
behavioral1/memory/1228-70-0x0000000013140000-0x0000000014009000-memory.dmp	family_bandook
behavioral1/memory/1228-71-0x0000000013140000-0x0000000014009000-memory.dmp	family_bandook

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1804-58-0x0000000013140000-0x0000000014009000-memory.dmp	upx
behavioral1/memory/1804-60-0x0000000013140000-0x0000000014009000-memory.dmp	upx
behavioral1/memory/1804-61-0x0000000013140000-0x0000000014009000-memory.dmp	upx
behavioral1/memory/1804-62-0x0000000013140000-0x0000000014009000-memory.dmp	upx
behavioral1/memory/1228-70-0x0000000013140000-0x0000000014009000-memory.dmp	upx
behavioral1/memory/1228-71-0x0000000013140000-0x0000000014009000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

msinfo32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run	msinfo32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\KCXI = "C:\\Users\\Admin\\AppData\\Roaming\\KCXI\\KCXI.exe"	msinfo32.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

msinfo32.exe

pid process

1804 msinfo32.exe

pid	process
1804	msinfo32.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

PAGO AL INSTANTE LBTR 21-09-2022_B.exe

description	pid	process	target process
PID 1476 wrote to memory of 1804	1476	PAGO AL INSTANTE LBTR 21-09-2022_B.exe	msinfo32.exe
PID 1476 wrote to memory of 1804	1476	PAGO AL INSTANTE LBTR 21-09-2022_B.exe	msinfo32.exe
PID 1476 wrote to memory of 1804	1476	PAGO AL INSTANTE LBTR 21-09-2022_B.exe	msinfo32.exe
PID 1476 wrote to memory of 1804	1476	PAGO AL INSTANTE LBTR 21-09-2022_B.exe	msinfo32.exe
PID 1476 wrote to memory of 1804	1476	PAGO AL INSTANTE LBTR 21-09-2022_B.exe	msinfo32.exe
PID 1476 wrote to memory of 1804	1476	PAGO AL INSTANTE LBTR 21-09-2022_B.exe	msinfo32.exe
PID 1476 wrote to memory of 1228	1476	PAGO AL INSTANTE LBTR 21-09-2022_B.exe	msinfo32.exe
PID 1476 wrote to memory of 1228	1476	PAGO AL INSTANTE LBTR 21-09-2022_B.exe	msinfo32.exe
PID 1476 wrote to memory of 1228	1476	PAGO AL INSTANTE LBTR 21-09-2022_B.exe	msinfo32.exe
PID 1476 wrote to memory of 1228	1476	PAGO AL INSTANTE LBTR 21-09-2022_B.exe	msinfo32.exe
PID 1476 wrote to memory of 1228	1476	PAGO AL INSTANTE LBTR 21-09-2022_B.exe	msinfo32.exe
PID 1476 wrote to memory of 1228	1476	PAGO AL INSTANTE LBTR 21-09-2022_B.exe	msinfo32.exe

C:\Users\Admin\AppData\Local\Temp\PAGO AL INSTANTE LBTR 21-09-2022_B(1)\PAGO AL INSTANTE LBTR 21-09-2022_B.exe
"C:\Users\Admin\AppData\Local\Temp\PAGO AL INSTANTE LBTR 21-09-2022_B(1)\PAGO AL INSTANTE LBTR 21-09-2022_B.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1476

C:\windows\syswow64\msinfo32.exe
C:\windows\syswow64\msinfo32.exe
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1804

C:\windows\syswow64\msinfo32.exe
C:\windows\syswow64\msinfo32.exe
2⤵
- Adds Run key to start application
PID:1228

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1228-65-0x0000000000000000-mapping.dmp

Download
memory/1228-70-0x0000000013140000-0x0000000014009000-memory.dmp

Filesize
14.8MB

Download
memory/1228-71-0x0000000013140000-0x0000000014009000-memory.dmp

Filesize
14.8MB

Download
memory/1476-54-0x0000000074FB1000-0x0000000074FB3000-memory.dmp

Filesize
8KB

Download
memory/1804-55-0x0000000013140000-0x0000000014009000-memory.dmp

Filesize
14.8MB

Download
memory/1804-57-0x0000000000000000-mapping.dmp

Download
memory/1804-58-0x0000000013140000-0x0000000014009000-memory.dmp

Filesize
14.8MB

Download
memory/1804-60-0x0000000013140000-0x0000000014009000-memory.dmp

Filesize
14.8MB

Download
memory/1804-61-0x0000000013140000-0x0000000014009000-memory.dmp

Filesize
14.8MB

Download
memory/1804-62-0x0000000013140000-0x0000000014009000-memory.dmp

Filesize
14.8MB

Download