bandook | 14fe82910c2f207c0d0af16adb78beb03b871289d92bfeb52e7d4814b075e126

Analysis

max time kernel
246s
max time network
267s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
06-02-2023 15:01

Target

Recibo de pago Banreserva.exe
Size

4.4MB
MD5

963dc44ec86b6f0e667716a4eafb63b1
SHA1

f487e173e2d8ef1c95d33fef82db94ddd2231e48
SHA256

14fe82910c2f207c0d0af16adb78beb03b871289d92bfeb52e7d4814b075e126
SHA512

6300c982b38242c3d591410672d6872b2e80d675acb421394b78b59f18e9e85c300e12e3bf7bddc82eb6aa86a5dd998064232c90c0c5d164a4c6055dab97cc2e
SSDEEP

49152:MxJPhRf0ewejGkahfiJWcSlAerZeWfEhiHECbFkt+aSj982TnUkcNVuV9zwu:MxTGeyk

Score

10^/10

Bandook RAT
Bandook is a remote access tool written in C++ and shipped with a loader written in Delphi.
rat trojan bandook

Bandook payload 2 IoCs

resource	yara_rule
behavioral1/memory/1396-63-0x0000000013140000-0x0000000014009000-memory.dmp	family_bandook
behavioral1/memory/1396-64-0x0000000013140000-0x0000000014009000-memory.dmp	family_bandook

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

resource	yara_rule
behavioral1/memory/1396-60-0x0000000013140000-0x0000000014009000-memory.dmp	upx
behavioral1/memory/1396-62-0x0000000013140000-0x0000000014009000-memory.dmp	upx
behavioral1/memory/1396-63-0x0000000013140000-0x0000000014009000-memory.dmp	upx
behavioral1/memory/1396-64-0x0000000013140000-0x0000000014009000-memory.dmp	upx

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1396	msinfo32.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 1940 wrote to memory of 1396	1940	Recibo de pago Banreserva.exe	27
PID 1940 wrote to memory of 1396	1940	Recibo de pago Banreserva.exe	27
PID 1940 wrote to memory of 1396	1940	Recibo de pago Banreserva.exe	27
PID 1940 wrote to memory of 1396	1940	Recibo de pago Banreserva.exe	27
PID 1940 wrote to memory of 1424	1940	Recibo de pago Banreserva.exe	28
PID 1940 wrote to memory of 1424	1940	Recibo de pago Banreserva.exe	28
PID 1940 wrote to memory of 1424	1940	Recibo de pago Banreserva.exe	28
PID 1940 wrote to memory of 1424	1940	Recibo de pago Banreserva.exe	28
PID 1940 wrote to memory of 1396	1940	Recibo de pago Banreserva.exe	27
PID 1940 wrote to memory of 1396	1940	Recibo de pago Banreserva.exe	27

C:\Users\Admin\AppData\Local\Temp\Recibo de pago Banreserva.exe
"C:\Users\Admin\AppData\Local\Temp\Recibo de pago Banreserva.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1940
- C:\windows\syswow64\msinfo32.exe
  C:\windows\syswow64\msinfo32.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1396
- C:\Users\Admin\AppData\Local\Temp\Recibo de pago Banreserva.exe
  "C:\Users\Admin\AppData\Local\Temp\Recibo de pago Banreserva.exe" ooooooooooooooo
  2⤵
  PID:1424

memory/1396-57-0x0000000013140000-0x0000000014009000-memory.dmp

Filesize
14.8MB

Download
memory/1396-60-0x0000000013140000-0x0000000014009000-memory.dmp

Filesize
14.8MB

Download
memory/1396-62-0x0000000013140000-0x0000000014009000-memory.dmp

Filesize
14.8MB

Download
memory/1396-63-0x0000000013140000-0x0000000014009000-memory.dmp

Filesize
14.8MB

Download
memory/1396-64-0x0000000013140000-0x0000000014009000-memory.dmp

Filesize
14.8MB

Download
memory/1940-54-0x0000000075DF1000-0x0000000075DF3000-memory.dmp

Filesize
8KB

Download