bandook | f7ae58131380e4ad06855118232495f0cf94512d2c77fdea43439f6166ce9d15

Analysis

max time kernel
220s
max time network
272s
platform
windows7_x64
resource
win7-20220812-es
resource tags

arch:x64arch:x86image:win7-20220812-eslocale:es-esos:windows7-x64systemwindows
submitted
03-10-2022 21:03

Target

LISTA DE PRECIOS.exe
Size

3.2MB
MD5

cf32d6086b1b371e37c72ab4d1bf3718
SHA1

159d9cc099e39cf1c6f78800f958cd6c9b6fd6ff
SHA256

809ac4767f634473d3a7fde8f76034a1d8ab30c0314dbf84782000247a15e636
SHA512

d49db48a9efbef6be586a91645d5743ec5a14564f1967ae0ea8469a243174f0f26fc7806b3725cc7bb42d6d4b916af09ab51bcc08967574eede72fab6ae6bc67
SSDEEP

49152:x+Laj3YA47J/EYIIMdsrDoiQzsf2JKoE+phed4nMRyn:ALAYAJ

Score

10^/10

Bandook RAT
Bandook is a remote access tool written in C++ and shipped with a loader written in Delphi.
rat trojan bandook

Bandook payload 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/668-61-0x0000000013140000-0x0000000014009000-memory.dmp	family_bandook
behavioral1/memory/668-62-0x0000000013140000-0x0000000014009000-memory.dmp	family_bandook
behavioral1/memory/668-63-0x0000000013140000-0x0000000014009000-memory.dmp	family_bandook

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

Processes:

resource	yara_rule
behavioral1/memory/668-58-0x0000000013140000-0x0000000014009000-memory.dmp	upx
behavioral1/memory/668-60-0x0000000013140000-0x0000000014009000-memory.dmp	upx
behavioral1/memory/668-61-0x0000000013140000-0x0000000014009000-memory.dmp	upx
behavioral1/memory/668-62-0x0000000013140000-0x0000000014009000-memory.dmp	upx
behavioral1/memory/668-63-0x0000000013140000-0x0000000014009000-memory.dmp	upx

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

msinfo32.exe

pid process

668 msinfo32.exe

pid	process
668	msinfo32.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

LISTA DE PRECIOS.exe

description	pid	process	target process
PID 1260 wrote to memory of 668	1260	LISTA DE PRECIOS.exe	msinfo32.exe
PID 1260 wrote to memory of 668	1260	LISTA DE PRECIOS.exe	msinfo32.exe
PID 1260 wrote to memory of 668	1260	LISTA DE PRECIOS.exe	msinfo32.exe
PID 1260 wrote to memory of 668	1260	LISTA DE PRECIOS.exe	msinfo32.exe
PID 1260 wrote to memory of 668	1260	LISTA DE PRECIOS.exe	msinfo32.exe
PID 1260 wrote to memory of 668	1260	LISTA DE PRECIOS.exe	msinfo32.exe

C:\Users\Admin\AppData\Local\Temp\LISTA DE PRECIOS.exe
"C:\Users\Admin\AppData\Local\Temp\LISTA DE PRECIOS.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1260

C:\windows\syswow64\msinfo32.exe
C:\windows\syswow64\msinfo32.exe
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:668

memory/668-55-0x0000000013140000-0x0000000014009000-memory.dmp

Filesize
14.8MB

Download
memory/668-57-0x0000000000000000-mapping.dmp

Download
memory/668-58-0x0000000013140000-0x0000000014009000-memory.dmp

Filesize
14.8MB

Download
memory/668-60-0x0000000013140000-0x0000000014009000-memory.dmp

Filesize
14.8MB

Download
memory/668-61-0x0000000013140000-0x0000000014009000-memory.dmp

Filesize
14.8MB

Download
memory/668-62-0x0000000013140000-0x0000000014009000-memory.dmp

Filesize
14.8MB

Download
memory/668-63-0x0000000013140000-0x0000000014009000-memory.dmp

Filesize
14.8MB

Download
memory/1260-54-0x0000000076201000-0x0000000076203000-memory.dmp

Filesize
8KB

Download