bandook | da247cdd6339b21243957a65344c6488977c0d766899d12aacb356a3521ec6fc

Analysis

max time kernel
306s
max time network
312s
platform
windows10-1703_x64
resource
win10-20220901-es
resource tags

arch:x64arch:x86image:win10-20220901-eslocale:es-esos:windows10-1703-x64systemwindows
submitted
30-11-2022 05:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

COMUNICADO VLN0000785623.exe
Size

3.0MB
MD5

4393d9f020cf74a1b99e978105f8e44d
SHA1

b670410725dad081b941a5e143e9aa8d6ca9e989
SHA256

da247cdd6339b21243957a65344c6488977c0d766899d12aacb356a3521ec6fc
SHA512

488407723211efdbf4c602d541ca771a3813e1c41f23a4581cde761aab76120d42f6a4afc38daf7e15da8f2c271d519b043b6d1b7d543ea61a34463ef8bc1f3f
SSDEEP

49152:rJaBAeV/mZKTMrIE4kFY0qpxG4VBdn7npKCOydj:rJaB1e8j

Score

10^/10

bandook rat trojan upx

Malware Config

Signatures

Bandook RAT
Bandook is a remote access tool written in C++ and shipped with a loader written in Delphi.
rat trojan bandook

Bandook payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3616-251-0x0000000013140000-0x0000000014009000-memory.dmp	family_bandook
behavioral1/memory/3616-252-0x0000000013140000-0x0000000014009000-memory.dmp	family_bandook

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/3616-251-0x0000000013140000-0x0000000014009000-memory.dmp	upx
behavioral1/memory/3616-252-0x0000000013140000-0x0000000014009000-memory.dmp	upx

Suspicious use of SetThreadContext 1 IoCs

Processes:

COMUNICADO VLN0000785623.exe

description pid process target process

PID 2616 set thread context of 3616 2616 COMUNICADO VLN0000785623.exe msinfo32.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

msinfo32.exe

pid process

3616 msinfo32.exe
3616 msinfo32.exe

description	pid	process	target process
PID 2616 set thread context of 3616	2616	COMUNICADO VLN0000785623.exe	msinfo32.exe

pid	process
3616	msinfo32.exe
3616	msinfo32.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

COMUNICADO VLN0000785623.exe

description	pid	process	target process
PID 2616 wrote to memory of 3616	2616	COMUNICADO VLN0000785623.exe	msinfo32.exe
PID 2616 wrote to memory of 3616	2616	COMUNICADO VLN0000785623.exe	msinfo32.exe
PID 2616 wrote to memory of 3616	2616	COMUNICADO VLN0000785623.exe	msinfo32.exe
PID 2616 wrote to memory of 3172	2616	COMUNICADO VLN0000785623.exe	COMUNICADO VLN0000785623.exe
PID 2616 wrote to memory of 3172	2616	COMUNICADO VLN0000785623.exe	COMUNICADO VLN0000785623.exe
PID 2616 wrote to memory of 3172	2616	COMUNICADO VLN0000785623.exe	COMUNICADO VLN0000785623.exe
PID 2616 wrote to memory of 3616	2616	COMUNICADO VLN0000785623.exe	msinfo32.exe
PID 2616 wrote to memory of 3616	2616	COMUNICADO VLN0000785623.exe	msinfo32.exe

C:\Users\Admin\AppData\Local\Temp\COMUNICADO VLN0000785623.exe
"C:\Users\Admin\AppData\Local\Temp\COMUNICADO VLN0000785623.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2616

C:\windows\syswow64\msinfo32.exe
C:\windows\syswow64\msinfo32.exe
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3616

C:\Users\Admin\AppData\Local\Temp\COMUNICADO VLN0000785623.exe
"C:\Users\Admin\AppData\Local\Temp\COMUNICADO VLN0000785623.exe" dkddkdkkdkdd ddd
2⤵
PID:3172

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2616-120-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2616-121-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2616-122-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2616-123-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2616-124-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2616-125-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2616-126-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2616-127-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2616-128-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2616-129-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2616-130-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2616-131-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2616-132-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2616-133-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2616-134-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2616-135-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2616-136-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2616-137-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2616-138-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2616-139-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2616-140-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2616-141-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2616-142-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2616-143-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2616-144-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2616-145-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2616-146-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2616-147-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2616-148-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2616-149-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2616-150-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2616-151-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2616-152-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2616-153-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2616-154-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2616-155-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2616-156-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2616-157-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/3172-158-0x0000000000000000-mapping.dmp

Download
memory/3172-159-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/3172-160-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/3172-161-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/3172-162-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/3172-163-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/3172-164-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/3172-165-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/3172-166-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/3172-167-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/3172-168-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/3172-169-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/3172-170-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/3172-171-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/3172-172-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/3172-173-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/3172-174-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/3172-175-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/3172-176-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/3172-177-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/3172-178-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/3172-181-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/3172-182-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/3172-183-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/3172-179-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/3172-180-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/3172-184-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/3616-189-0x0000000013FF67A0-mapping.dmp

Download
memory/3616-251-0x0000000013140000-0x0000000014009000-memory.dmp

Filesize
14.8MB

Download
memory/3616-252-0x0000000013140000-0x0000000014009000-memory.dmp

Filesize
14.8MB

Download