bandook | df98652a71de6673d479e851062625876b214b4a2d13c3ff75390bab9a342fc6

Analysis

max time kernel
217s
max time network
320s
platform
windows7_x64
resource
win7-20221111-es
resource tags

arch:x64arch:x86image:win7-20221111-eslocale:es-esos:windows7-x64systemwindows
submitted
07-12-2022 18:14

Target

Recibo Pago_01.exe
Size

2.6MB
MD5

b878881a2185be9eaa1ea8e0dd110928
SHA1

f5d02789571a0e77df546cd8b9a7961d8a6d6492
SHA256

adf598b6e18cc87cdfd38b309e2107054143b6078827878aaa280a30256b5d4e
SHA512

9390674a0c3d69af48f6509ab0b37616270d1d370270de137faf3e35e6c33b4e8ef518ba0fbed4859c063b32bcb6660cab424282b6e9fc84e6451fa17dd8a8b9
SSDEEP

24576:PQvIbnxx7gup2pm/+yS5ksdokLm0Nnc9EMiqQmH7zWfDzgWPo/+OxhirK6rQinxu:PG27lSvCkDcnbKfDzl00rtkaYnZtQ3By

Score

10^/10

Bandook RAT
Bandook is a remote access tool written in C++ and shipped with a loader written in Delphi.
rat trojan bandook

Bandook payload 2 IoCs

Processes:

resource	yara_rule
behavioral3/memory/1668-64-0x0000000013140000-0x0000000014009000-memory.dmp	family_bandook
behavioral3/memory/1668-65-0x0000000013140000-0x0000000014009000-memory.dmp	family_bandook

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

Processes:

resource	yara_rule
behavioral3/memory/1668-59-0x0000000013140000-0x0000000014009000-memory.dmp	upx
behavioral3/memory/1668-63-0x0000000013140000-0x0000000014009000-memory.dmp	upx
behavioral3/memory/1668-64-0x0000000013140000-0x0000000014009000-memory.dmp	upx
behavioral3/memory/1668-65-0x0000000013140000-0x0000000014009000-memory.dmp	upx

Suspicious use of SetThreadContext 1 IoCs

Processes:

Recibo Pago_01.exe

description pid process target process

PID 956 set thread context of 1668 956 Recibo Pago_01.exe msinfo32.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

msinfo32.exe

pid process

1668 msinfo32.exe

description	pid	process	target process
PID 956 set thread context of 1668	956	Recibo Pago_01.exe	msinfo32.exe

pid	process
1668	msinfo32.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

Recibo Pago_01.exe

description	pid	process	target process
PID 956 wrote to memory of 1668	956	Recibo Pago_01.exe	msinfo32.exe
PID 956 wrote to memory of 1668	956	Recibo Pago_01.exe	msinfo32.exe
PID 956 wrote to memory of 1668	956	Recibo Pago_01.exe	msinfo32.exe
PID 956 wrote to memory of 1668	956	Recibo Pago_01.exe	msinfo32.exe
PID 956 wrote to memory of 884	956	Recibo Pago_01.exe	Recibo Pago_01.exe
PID 956 wrote to memory of 884	956	Recibo Pago_01.exe	Recibo Pago_01.exe
PID 956 wrote to memory of 884	956	Recibo Pago_01.exe	Recibo Pago_01.exe
PID 956 wrote to memory of 884	956	Recibo Pago_01.exe	Recibo Pago_01.exe
PID 956 wrote to memory of 1668	956	Recibo Pago_01.exe	msinfo32.exe
PID 956 wrote to memory of 1668	956	Recibo Pago_01.exe	msinfo32.exe

C:\windows\syswow64\msinfo32.exe
C:\windows\syswow64\msinfo32.exe
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1668

C:\Users\Admin\AppData\Local\Temp\Recibo Pago_01.exe
"C:\Users\Admin\AppData\Local\Temp\Recibo Pago_01.exe" dkddkdkkdkdd ddd
2⤵
PID:884

memory/884-55-0x0000000000000000-mapping.dmp

Download
memory/956-54-0x0000000075461000-0x0000000075463000-memory.dmp

Filesize
8KB

Download
memory/1668-57-0x0000000013140000-0x0000000014009000-memory.dmp

Filesize
14.8MB

Download
memory/1668-60-0x0000000013FF6790-mapping.dmp

Download
memory/1668-59-0x0000000013140000-0x0000000014009000-memory.dmp

Filesize
14.8MB

Download
memory/1668-63-0x0000000013140000-0x0000000014009000-memory.dmp

Filesize
14.8MB

Download
memory/1668-64-0x0000000013140000-0x0000000014009000-memory.dmp

Filesize
14.8MB

Download
memory/1668-65-0x0000000013140000-0x0000000014009000-memory.dmp

Filesize
14.8MB

Download