bandook | 3405f9cd439a15d0192d0d5d57a0ddb8727c78b1d3543568a582b1db45b35aae

Analysis

max time kernel
252s
max time network
255s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
28-09-2022 06:57

Target

ORDEN DE COMPRAS_26J.exe
Size

3.6MB
MD5

38fae3855997c9a49e658fa69fc1819f
SHA1

9ea93e76929980b71503e368dd4925d7f5f0e01e
SHA256

3405f9cd439a15d0192d0d5d57a0ddb8727c78b1d3543568a582b1db45b35aae
SHA512

bd4e7ee1b54bf58bbafeb51c87916a28b1d965c1fb8790934bdd2160bf63107d879c256f0565dc647f33679ff241ad7b72b4e0e9c362e06db53ed44b4657835f
SSDEEP

49152:ZbU6bxhLt0sQfnKffkWuBo5QS87U96+exkPQ5NTZ0vVYkh6:Zbnbx6N/

Score

10^/10

Bandook RAT
Bandook is a remote access tool written in C++ and shipped with a loader written in Delphi.
rat trojan bandook

Bandook payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1716-61-0x0000000013140000-0x0000000014009000-memory.dmp	family_bandook
behavioral1/memory/1716-62-0x0000000013140000-0x0000000014009000-memory.dmp	family_bandook

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

Processes:

resource	yara_rule
behavioral1/memory/1716-58-0x0000000013140000-0x0000000014009000-memory.dmp	upx
behavioral1/memory/1716-60-0x0000000013140000-0x0000000014009000-memory.dmp	upx
behavioral1/memory/1716-61-0x0000000013140000-0x0000000014009000-memory.dmp	upx
behavioral1/memory/1716-62-0x0000000013140000-0x0000000014009000-memory.dmp	upx

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

msinfo32.exe

pid process

1716 msinfo32.exe

pid	process
1716	msinfo32.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

ORDEN DE COMPRAS_26J.exe

description	pid	process	target process
PID 1912 wrote to memory of 1716	1912	ORDEN DE COMPRAS_26J.exe	msinfo32.exe
PID 1912 wrote to memory of 1716	1912	ORDEN DE COMPRAS_26J.exe	msinfo32.exe
PID 1912 wrote to memory of 1716	1912	ORDEN DE COMPRAS_26J.exe	msinfo32.exe
PID 1912 wrote to memory of 1716	1912	ORDEN DE COMPRAS_26J.exe	msinfo32.exe
PID 1912 wrote to memory of 1716	1912	ORDEN DE COMPRAS_26J.exe	msinfo32.exe
PID 1912 wrote to memory of 1716	1912	ORDEN DE COMPRAS_26J.exe	msinfo32.exe

C:\Users\Admin\AppData\Local\Temp\ORDEN DE COMPRAS_26J.exe
"C:\Users\Admin\AppData\Local\Temp\ORDEN DE COMPRAS_26J.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1912

C:\windows\syswow64\msinfo32.exe
C:\windows\syswow64\msinfo32.exe
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1716

memory/1716-55-0x0000000013140000-0x0000000014009000-memory.dmp

Filesize
14.8MB

Download
memory/1716-57-0x0000000000000000-mapping.dmp

Download
memory/1716-58-0x0000000013140000-0x0000000014009000-memory.dmp

Filesize
14.8MB

Download
memory/1716-60-0x0000000013140000-0x0000000014009000-memory.dmp

Filesize
14.8MB

Download
memory/1716-61-0x0000000013140000-0x0000000014009000-memory.dmp

Filesize
14.8MB

Download
memory/1716-62-0x0000000013140000-0x0000000014009000-memory.dmp

Filesize
14.8MB

Download
memory/1912-54-0x00000000763F1000-0x00000000763F3000-memory.dmp

Filesize
8KB

Download