bandook | cfa35f5cb3216c093bae6a297412f5380cae5ab364d22b869fb62ec802e0fc90

Analysis

max time kernel
274s
max time network
279s
platform
windows10-2004_x64
resource
win10v2004-20220812-es
resource tags

arch:x64arch:x86image:win10v2004-20220812-eslocale:es-esos:windows10-2004-x64systemwindows
submitted
09-11-2022 01:39

Target

Comprobante_screen07.exe
Size

3.6MB
MD5

fc9114d9a22658d97865640a45ba2391
SHA1

f0fe9474e33ba87e3c2f76ec9d90b771be5ab9ec
SHA256

cadd1d332c9a7c1228f57d9b057fdd332062a1e4423638132916c4e09ef8e88c
SHA512

f1da0a6a00fe32b65893b69ffb8298c53e15e41654adc564190536da0e867d24e7b3d5727623eea1144cd121699ec3dc9e165eb398ec64dd2be435ca02a3297f
SSDEEP

49152:bVh1ySLOEITk/FSidOM445iJHbFK8dZuiLr0+nOreUVpoXC9cAXegH:bV/yqJzH

Score

10^/10

Bandook RAT
Bandook is a remote access tool written in C++ and shipped with a loader written in Delphi.
rat trojan bandook

Bandook payload 3 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3984-136-0x0000000013140000-0x0000000014009000-memory.dmp	family_bandook
behavioral2/memory/3984-137-0x0000000013140000-0x0000000014009000-memory.dmp	family_bandook
behavioral2/memory/3984-138-0x0000000013140000-0x0000000014009000-memory.dmp	family_bandook

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

Processes:

resource	yara_rule
behavioral2/memory/3984-134-0x0000000013140000-0x0000000014009000-memory.dmp	upx
behavioral2/memory/3984-135-0x0000000013140000-0x0000000014009000-memory.dmp	upx
behavioral2/memory/3984-136-0x0000000013140000-0x0000000014009000-memory.dmp	upx
behavioral2/memory/3984-137-0x0000000013140000-0x0000000014009000-memory.dmp	upx
behavioral2/memory/3984-138-0x0000000013140000-0x0000000014009000-memory.dmp	upx

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

msinfo32.exe

pid process

3984 msinfo32.exe
3984 msinfo32.exe

pid	process
3984	msinfo32.exe
3984	msinfo32.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

Comprobante_screen07.exe

description	pid	process	target process
PID 2576 wrote to memory of 3984	2576	Comprobante_screen07.exe	msinfo32.exe
PID 2576 wrote to memory of 3984	2576	Comprobante_screen07.exe	msinfo32.exe
PID 2576 wrote to memory of 3984	2576	Comprobante_screen07.exe	msinfo32.exe
PID 2576 wrote to memory of 4136	2576	Comprobante_screen07.exe	Comprobante_screen07.exe
PID 2576 wrote to memory of 4136	2576	Comprobante_screen07.exe	Comprobante_screen07.exe
PID 2576 wrote to memory of 4136	2576	Comprobante_screen07.exe	Comprobante_screen07.exe
PID 2576 wrote to memory of 3984	2576	Comprobante_screen07.exe	msinfo32.exe
PID 2576 wrote to memory of 3984	2576	Comprobante_screen07.exe	msinfo32.exe

C:\Users\Admin\AppData\Local\Temp\Comprobante_screen07.exe
"C:\Users\Admin\AppData\Local\Temp\Comprobante_screen07.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2576

C:\windows\SysWOW64\msinfo32.exe
C:\windows\syswow64\msinfo32.exe
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3984

C:\Users\Admin\AppData\Local\Temp\Comprobante_screen07.exe
C:\Users\Admin\AppData\Local\Temp\Comprobante_screen07.exe dkddkdkkdkdd ddd
2⤵
PID:4136

memory/3984-133-0x0000000000000000-mapping.dmp

Download
memory/3984-134-0x0000000013140000-0x0000000014009000-memory.dmp

Filesize
14.8MB

Download
memory/3984-135-0x0000000013140000-0x0000000014009000-memory.dmp

Filesize
14.8MB

Download
memory/3984-136-0x0000000013140000-0x0000000014009000-memory.dmp

Filesize
14.8MB

Download
memory/3984-137-0x0000000013140000-0x0000000014009000-memory.dmp

Filesize
14.8MB

Download
memory/3984-138-0x0000000013140000-0x0000000014009000-memory.dmp

Filesize
14.8MB

Download
memory/4136-132-0x0000000000000000-mapping.dmp

Download