bandook | 3405f9cd439a15d0192d0d5d57a0ddb8727c78b1d3543568a582b1db45b35aae

Analysis

max time kernel
232s
max time network
297s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
28-09-2022 06:57

Target

ORDEN DE COMPRAS_26J.exe
Size

3.6MB
MD5

38fae3855997c9a49e658fa69fc1819f
SHA1

9ea93e76929980b71503e368dd4925d7f5f0e01e
SHA256

3405f9cd439a15d0192d0d5d57a0ddb8727c78b1d3543568a582b1db45b35aae
SHA512

bd4e7ee1b54bf58bbafeb51c87916a28b1d965c1fb8790934bdd2160bf63107d879c256f0565dc647f33679ff241ad7b72b4e0e9c362e06db53ed44b4657835f
SSDEEP

49152:ZbU6bxhLt0sQfnKffkWuBo5QS87U96+exkPQ5NTZ0vVYkh6:Zbnbx6N/

Score

10^/10

Bandook RAT
Bandook is a remote access tool written in C++ and shipped with a loader written in Delphi.
rat trojan bandook

Bandook payload 3 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1340-135-0x0000000013140000-0x0000000014009000-memory.dmp	family_bandook
behavioral2/memory/1340-136-0x0000000013140000-0x0000000014009000-memory.dmp	family_bandook
behavioral2/memory/1340-137-0x0000000013140000-0x0000000014009000-memory.dmp	family_bandook

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

Processes:

resource	yara_rule
behavioral2/memory/1340-133-0x0000000013140000-0x0000000014009000-memory.dmp	upx
behavioral2/memory/1340-134-0x0000000013140000-0x0000000014009000-memory.dmp	upx
behavioral2/memory/1340-135-0x0000000013140000-0x0000000014009000-memory.dmp	upx
behavioral2/memory/1340-136-0x0000000013140000-0x0000000014009000-memory.dmp	upx
behavioral2/memory/1340-137-0x0000000013140000-0x0000000014009000-memory.dmp	upx

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

msinfo32.exe

pid process

1340 msinfo32.exe
1340 msinfo32.exe

pid	process
1340	msinfo32.exe
1340	msinfo32.exe

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

ORDEN DE COMPRAS_26J.exe

description	pid	process	target process
PID 1100 wrote to memory of 1340	1100	ORDEN DE COMPRAS_26J.exe	msinfo32.exe
PID 1100 wrote to memory of 1340	1100	ORDEN DE COMPRAS_26J.exe	msinfo32.exe
PID 1100 wrote to memory of 1340	1100	ORDEN DE COMPRAS_26J.exe	msinfo32.exe
PID 1100 wrote to memory of 1340	1100	ORDEN DE COMPRAS_26J.exe	msinfo32.exe
PID 1100 wrote to memory of 1340	1100	ORDEN DE COMPRAS_26J.exe	msinfo32.exe

C:\Users\Admin\AppData\Local\Temp\ORDEN DE COMPRAS_26J.exe
"C:\Users\Admin\AppData\Local\Temp\ORDEN DE COMPRAS_26J.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1100

C:\windows\SysWOW64\msinfo32.exe
C:\windows\syswow64\msinfo32.exe
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1340

memory/1340-132-0x0000000000000000-mapping.dmp

Download
memory/1340-133-0x0000000013140000-0x0000000014009000-memory.dmp

Filesize
14.8MB

Download
memory/1340-134-0x0000000013140000-0x0000000014009000-memory.dmp

Filesize
14.8MB

Download
memory/1340-135-0x0000000013140000-0x0000000014009000-memory.dmp

Filesize
14.8MB

Download
memory/1340-136-0x0000000013140000-0x0000000014009000-memory.dmp

Filesize
14.8MB

Download
memory/1340-137-0x0000000013140000-0x0000000014009000-memory.dmp

Filesize
14.8MB

Download