bandook | e2e984b3044ab8f96ec284dc2af339923fb6cdded37a551125c899a1c60376a3

Analysis

max time kernel
291s
max time network
291s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
01-03-2023 17:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Solicitud de comprá.exe
Size

4.6MB
MD5

795d1f81ac926d3e071eacef70e595c1
SHA1

73301458ce9c775e6416fbe9f1921ecc4f69d099
SHA256

e2e984b3044ab8f96ec284dc2af339923fb6cdded37a551125c899a1c60376a3
SHA512

c436fd1ebc99d384c434e2b6b6494fefa7f18ccae6de755491ae03b234b6f08fcb616a5a60e89b6e80356cbf00c39ddc8e350e6bad8f23285498a906b9df5a85
SSDEEP

49152:nvPLNuoyGZVhMfUhJKehyrNru0bqMpjgK9aSN6wtiGe50oO6z7YYA698nTnUkcNW:nvPRBIsTKehy3

Score

10^/10

bandook rat trojan upx

Malware Config

Extracted

Family

bandook

gombos.ru

Signatures

Bandook RAT
Bandook is a remote access tool written in C++ and shipped with a loader written in Delphi.
rat trojan bandook

Bandook payload 8 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1416-156-0x0000000013140000-0x000000001400A000-memory.dmp	family_bandook
behavioral2/memory/1416-157-0x0000000013140000-0x000000001400A000-memory.dmp	family_bandook
behavioral2/memory/1416-158-0x0000000013140000-0x000000001400A000-memory.dmp	family_bandook
behavioral2/memory/1416-159-0x0000000013140000-0x000000001400A000-memory.dmp	family_bandook
behavioral2/memory/1416-160-0x0000000013140000-0x000000001400A000-memory.dmp	family_bandook
behavioral2/memory/1416-162-0x0000000013140000-0x000000001400A000-memory.dmp	family_bandook
behavioral2/memory/1416-164-0x0000000013140000-0x000000001400A000-memory.dmp	family_bandook
behavioral2/memory/1416-166-0x0000000013140000-0x000000001400A000-memory.dmp	family_bandook

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/1416-153-0x0000000013140000-0x000000001400A000-memory.dmp	upx
behavioral2/memory/1416-154-0x0000000013140000-0x000000001400A000-memory.dmp	upx
behavioral2/memory/1416-156-0x0000000013140000-0x000000001400A000-memory.dmp	upx
behavioral2/memory/1416-157-0x0000000013140000-0x000000001400A000-memory.dmp	upx
behavioral2/memory/1416-158-0x0000000013140000-0x000000001400A000-memory.dmp	upx
behavioral2/memory/1416-159-0x0000000013140000-0x000000001400A000-memory.dmp	upx
behavioral2/memory/1416-160-0x0000000013140000-0x000000001400A000-memory.dmp	upx
behavioral2/memory/1416-162-0x0000000013140000-0x000000001400A000-memory.dmp	upx
behavioral2/memory/1416-164-0x0000000013140000-0x000000001400A000-memory.dmp	upx
behavioral2/memory/1416-166-0x0000000013140000-0x000000001400A000-memory.dmp	upx

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

msinfo32.exe

pid process

1416 msinfo32.exe
1416 msinfo32.exe

pid	process
1416	msinfo32.exe
1416	msinfo32.exe

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

Solicitud de comprá.exe

description	pid	process	target process
PID 2464 wrote to memory of 1416	2464	Solicitud de comprá.exe	msinfo32.exe
PID 2464 wrote to memory of 1416	2464	Solicitud de comprá.exe	msinfo32.exe
PID 2464 wrote to memory of 1416	2464	Solicitud de comprá.exe	msinfo32.exe
PID 2464 wrote to memory of 1416	2464	Solicitud de comprá.exe	msinfo32.exe
PID 2464 wrote to memory of 1416	2464	Solicitud de comprá.exe	msinfo32.exe

C:\Users\Admin\AppData\Local\Temp\Solicitud de comprá.exe
"C:\Users\Admin\AppData\Local\Temp\Solicitud de comprá.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2464

C:\windows\SysWOW64\msinfo32.exe
C:\windows\syswow64\msinfo32.exe
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1416

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1416-156-0x0000000013140000-0x000000001400A000-memory.dmp

Filesize
14.8MB

Download
memory/1416-166-0x0000000013140000-0x000000001400A000-memory.dmp

Filesize
14.8MB

Download
memory/1416-164-0x0000000013140000-0x000000001400A000-memory.dmp

Filesize
14.8MB

Download
memory/1416-162-0x0000000013140000-0x000000001400A000-memory.dmp

Filesize
14.8MB

Download
memory/1416-160-0x0000000013140000-0x000000001400A000-memory.dmp

Filesize
14.8MB

Download
memory/1416-159-0x0000000013140000-0x000000001400A000-memory.dmp

Filesize
14.8MB

Download
memory/1416-158-0x0000000013140000-0x000000001400A000-memory.dmp

Filesize
14.8MB

Download
memory/1416-157-0x0000000013140000-0x000000001400A000-memory.dmp

Filesize
14.8MB

Download
memory/1416-153-0x0000000013140000-0x000000001400A000-memory.dmp

Filesize
14.8MB

Download
memory/1416-154-0x0000000013140000-0x000000001400A000-memory.dmp

Filesize
14.8MB

Download
memory/2464-150-0x0000000000400000-0x00000000008A4000-memory.dmp

Filesize
4.6MB

Download
memory/2464-155-0x0000000000400000-0x00000000008A4000-memory.dmp

Filesize
4.6MB

Download
memory/2464-152-0x0000000000400000-0x00000000008A4000-memory.dmp

Filesize
4.6MB

Download
memory/2464-151-0x0000000000400000-0x00000000008A4000-memory.dmp

Filesize
4.6MB

Download
memory/2464-133-0x0000000000A60000-0x0000000000A61000-memory.dmp

Filesize
4KB

Download
memory/2464-138-0x0000000000400000-0x00000000008A4000-memory.dmp

Filesize
4.6MB

Download
memory/2464-136-0x0000000000400000-0x00000000008A4000-memory.dmp

Filesize
4.6MB

Download
memory/2464-135-0x0000000000A60000-0x0000000000A61000-memory.dmp

Filesize
4KB

Download
memory/2464-134-0x0000000000400000-0x00000000008A4000-memory.dmp

Filesize
4.6MB

Download
memory/2464-172-0x0000000000400000-0x00000000008A4000-memory.dmp

Filesize
4.6MB

Download