bandook | 1a2ff4a809b5a3757eaa05dc362acb2b227a7d02cb13d74c17d850d44181cf04

Analysis

max time kernel
30s
max time network
33s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
23-02-2023 12:32

Target

1a2ff4a809b5a3757eaa05dc362acb2b227a7d02cb13d74c17d850d44181cf04.exe
Size

4.5MB
MD5

10188c31ac960f60430b166d3d12b07b
SHA1

3ff77fb2fa2b4b2c3e519947d8722d22c882cbde
SHA256

1a2ff4a809b5a3757eaa05dc362acb2b227a7d02cb13d74c17d850d44181cf04
SHA512

6f22a7277c27d4aa41f18af23400bd0416ee272aaf6380fa27c620a7200c601c61eae286ab4927b21f2cf4979289580d9252cd2527772cc11ce3f752efba4c05
SSDEEP

98304:Ny8dhpdcOxS1zarMeCwmCeMQeRaCNEKpQ0wpa5SwTaPlaEfdahqN6lNwWug7wKe5:gfzarMeCwmCeMQeRaCNEKpQ0wpa5SwTq

Score

10^/10

bandook rat trojan

Bandook RAT
Bandook is a remote access tool written in C++ and shipped with a loader written in Delphi.
rat trojan bandook

Bandook payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2044-54-0x0000000013140000-0x0000000013FF5000-memory.dmp	family_bandook

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1668 2044 WerFault.exe 1a2ff4a809b5a3757eaa05dc362acb2b227a7d02cb13d74c17d850d44181cf04.exe

pid	pid_target	process	target process
1668	2044	WerFault.exe	1a2ff4a809b5a3757eaa05dc362acb2b227a7d02cb13d74c17d850d44181cf04.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

1a2ff4a809b5a3757eaa05dc362acb2b227a7d02cb13d74c17d850d44181cf04.exe

description	pid	process	target process
PID 2044 wrote to memory of 1668	2044	1a2ff4a809b5a3757eaa05dc362acb2b227a7d02cb13d74c17d850d44181cf04.exe	WerFault.exe
PID 2044 wrote to memory of 1668	2044	1a2ff4a809b5a3757eaa05dc362acb2b227a7d02cb13d74c17d850d44181cf04.exe	WerFault.exe
PID 2044 wrote to memory of 1668	2044	1a2ff4a809b5a3757eaa05dc362acb2b227a7d02cb13d74c17d850d44181cf04.exe	WerFault.exe
PID 2044 wrote to memory of 1668	2044	1a2ff4a809b5a3757eaa05dc362acb2b227a7d02cb13d74c17d850d44181cf04.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\1a2ff4a809b5a3757eaa05dc362acb2b227a7d02cb13d74c17d850d44181cf04.exe
"C:\Users\Admin\AppData\Local\Temp\1a2ff4a809b5a3757eaa05dc362acb2b227a7d02cb13d74c17d850d44181cf04.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2044

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2044 -s 200
2⤵
- Program crash
PID:1668

memory/2044-54-0x0000000013140000-0x0000000013FF5000-memory.dmp

Filesize
14.7MB

Download