bandook | 646d385c9b7168e97199fd0557a1c22ac0c0eca724e7684bf74a524466933693

Analysis

max time kernel
253s
max time network
300s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
29-09-2022 13:56

Target

PAGOS CANCELADOS_27D.exe
Size

3.6MB
MD5

135e03400f15e6058085d0f867d6d0ef
SHA1

2d1e0d30426d68fecb1bbc52321df8b4c0e4363d
SHA256

646d385c9b7168e97199fd0557a1c22ac0c0eca724e7684bf74a524466933693
SHA512

ba86e3b65848fe33d94d9daec17bbf7c1077a4abf36fceee36eff6ad65b72e4e69b1b8cab093afed589428793555357b716128afcfc2afa75a317db874f779fe
SSDEEP

49152:FbU6bMuLV01edOnZIPaKPm6Q7m4bjuBFnhHK4i/59Cfev3DeVN2oTIO4f:FbnbMZ

Score

10^/10

Bandook RAT
Bandook is a remote access tool written in C++ and shipped with a loader written in Delphi.
rat trojan bandook

Bandook payload 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1584-62-0x0000000013140000-0x0000000014009000-memory.dmp	family_bandook
behavioral1/memory/1584-61-0x0000000013140000-0x0000000014009000-memory.dmp	family_bandook
behavioral1/memory/1584-63-0x0000000013140000-0x0000000014009000-memory.dmp	family_bandook

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

Processes:

resource	yara_rule
behavioral1/memory/1584-58-0x0000000013140000-0x0000000014009000-memory.dmp	upx
behavioral1/memory/1584-60-0x0000000013140000-0x0000000014009000-memory.dmp	upx
behavioral1/memory/1584-62-0x0000000013140000-0x0000000014009000-memory.dmp	upx
behavioral1/memory/1584-61-0x0000000013140000-0x0000000014009000-memory.dmp	upx
behavioral1/memory/1584-63-0x0000000013140000-0x0000000014009000-memory.dmp	upx

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

msinfo32.exe

pid process

1584 msinfo32.exe

pid	process
1584	msinfo32.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

PAGOS CANCELADOS_27D.exe

description	pid	process	target process
PID 1128 wrote to memory of 1584	1128	PAGOS CANCELADOS_27D.exe	msinfo32.exe
PID 1128 wrote to memory of 1584	1128	PAGOS CANCELADOS_27D.exe	msinfo32.exe
PID 1128 wrote to memory of 1584	1128	PAGOS CANCELADOS_27D.exe	msinfo32.exe
PID 1128 wrote to memory of 1584	1128	PAGOS CANCELADOS_27D.exe	msinfo32.exe
PID 1128 wrote to memory of 1584	1128	PAGOS CANCELADOS_27D.exe	msinfo32.exe
PID 1128 wrote to memory of 1584	1128	PAGOS CANCELADOS_27D.exe	msinfo32.exe

C:\Users\Admin\AppData\Local\Temp\PAGOS CANCELADOS_27D.exe
"C:\Users\Admin\AppData\Local\Temp\PAGOS CANCELADOS_27D.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1128

C:\windows\syswow64\msinfo32.exe
C:\windows\syswow64\msinfo32.exe
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1584

memory/1128-54-0x0000000076961000-0x0000000076963000-memory.dmp

Filesize
8KB

Download
memory/1584-55-0x0000000013140000-0x0000000014009000-memory.dmp

Filesize
14.8MB

Download
memory/1584-57-0x0000000000000000-mapping.dmp

Download
memory/1584-58-0x0000000013140000-0x0000000014009000-memory.dmp

Filesize
14.8MB

Download
memory/1584-60-0x0000000013140000-0x0000000014009000-memory.dmp

Filesize
14.8MB

Download
memory/1584-62-0x0000000013140000-0x0000000014009000-memory.dmp

Filesize
14.8MB

Download
memory/1584-61-0x0000000013140000-0x0000000014009000-memory.dmp

Filesize
14.8MB

Download
memory/1584-63-0x0000000013140000-0x0000000014009000-memory.dmp

Filesize
14.8MB

Download