bandook | cd154f108be279c059b94990062bce732143c791a0ed45f37b8580cab615a8fe

General

Target

1Cotizacion_Orden.exe
Size

4.4MB
MD5

977f1f35f0bd4875b819699fe4766f6a
SHA1

abdf999e4c411e2f8f9c7db35bc84de94eeef6dd
SHA256

cd154f108be279c059b94990062bce732143c791a0ed45f37b8580cab615a8fe
SHA512

388afdb5dc0946f8656cb082d961d7b372b43e4db126b487c40a2b4b7af1159bb7542fe0395e5d1940e0c0b51f341d601eb351121df56c6b48da0f2385a845f8
SSDEEP

49152:VxJPhlQg2pC3EDJqqX4nu32Gnez0wY3IzObmbHms+fNpqv98uTnUkcNVuV9zwu:VxTrh3E

Score

10^/10

bandook rat trojan upx

Malware Config

Extracted

Family

bandook

C2

bomes.ru

Signatures

Bandook RAT
Bandook is a remote access tool written in C++ and shipped with a loader written in Delphi.
rat trojan bandook

Bandook payload 7 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1660-156-0x0000000013140000-0x0000000014009000-memory.dmp	family_bandook
behavioral2/memory/1660-157-0x0000000013140000-0x0000000014009000-memory.dmp	family_bandook
behavioral2/memory/1660-158-0x0000000013140000-0x0000000014009000-memory.dmp	family_bandook
behavioral2/memory/1660-160-0x0000000013140000-0x0000000014009000-memory.dmp	family_bandook
behavioral2/memory/1660-161-0x0000000013140000-0x0000000014009000-memory.dmp	family_bandook
behavioral2/memory/1660-163-0x0000000013140000-0x0000000014009000-memory.dmp	family_bandook
behavioral2/memory/1660-167-0x0000000013140000-0x0000000014009000-memory.dmp	family_bandook

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/1660-153-0x0000000013140000-0x0000000014009000-memory.dmp	upx
behavioral2/memory/1660-154-0x0000000013140000-0x0000000014009000-memory.dmp	upx
behavioral2/memory/1660-156-0x0000000013140000-0x0000000014009000-memory.dmp	upx
behavioral2/memory/1660-157-0x0000000013140000-0x0000000014009000-memory.dmp	upx
behavioral2/memory/1660-158-0x0000000013140000-0x0000000014009000-memory.dmp	upx
behavioral2/memory/1660-160-0x0000000013140000-0x0000000014009000-memory.dmp	upx
behavioral2/memory/1660-161-0x0000000013140000-0x0000000014009000-memory.dmp	upx
behavioral2/memory/1660-163-0x0000000013140000-0x0000000014009000-memory.dmp	upx
behavioral2/memory/1660-167-0x0000000013140000-0x0000000014009000-memory.dmp	upx

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

msinfo32.exe

pid process

1660 msinfo32.exe
1660 msinfo32.exe

pid	process
1660	msinfo32.exe
1660	msinfo32.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

1Cotizacion_Orden.exe

description	pid	process	target process
PID 2600 wrote to memory of 1660	2600	1Cotizacion_Orden.exe	msinfo32.exe
PID 2600 wrote to memory of 1660	2600	1Cotizacion_Orden.exe	msinfo32.exe
PID 2600 wrote to memory of 1660	2600	1Cotizacion_Orden.exe	msinfo32.exe
PID 2600 wrote to memory of 3184	2600	1Cotizacion_Orden.exe	1Cotizacion_Orden.exe
PID 2600 wrote to memory of 3184	2600	1Cotizacion_Orden.exe	1Cotizacion_Orden.exe
PID 2600 wrote to memory of 3184	2600	1Cotizacion_Orden.exe	1Cotizacion_Orden.exe
PID 2600 wrote to memory of 1660	2600	1Cotizacion_Orden.exe	msinfo32.exe
PID 2600 wrote to memory of 1660	2600	1Cotizacion_Orden.exe	msinfo32.exe

C:\Users\Admin\AppData\Local\Temp\1Cotizacion_Orden.exe
"C:\Users\Admin\AppData\Local\Temp\1Cotizacion_Orden.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2600

C:\windows\SysWOW64\msinfo32.exe
C:\windows\syswow64\msinfo32.exe
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1660

C:\Users\Admin\AppData\Local\Temp\1Cotizacion_Orden.exe
C:\Users\Admin\AppData\Local\Temp\1Cotizacion_Orden.exe ooooooooooooooo
2⤵
PID:3184

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1660-160-0x0000000013140000-0x0000000014009000-memory.dmp

Filesize
14.8MB

Download
memory/1660-156-0x0000000013140000-0x0000000014009000-memory.dmp

Filesize
14.8MB

Download
memory/1660-154-0x0000000013140000-0x0000000014009000-memory.dmp

Filesize
14.8MB

Download
memory/1660-167-0x0000000013140000-0x0000000014009000-memory.dmp

Filesize
14.8MB

Download
memory/1660-163-0x0000000013140000-0x0000000014009000-memory.dmp

Filesize
14.8MB

Download
memory/1660-161-0x0000000013140000-0x0000000014009000-memory.dmp

Filesize
14.8MB

Download
memory/1660-158-0x0000000013140000-0x0000000014009000-memory.dmp

Filesize
14.8MB

Download
memory/1660-157-0x0000000013140000-0x0000000014009000-memory.dmp

Filesize
14.8MB

Download
memory/1660-153-0x0000000013140000-0x0000000014009000-memory.dmp

Filesize
14.8MB

Download
memory/2600-150-0x0000000000400000-0x0000000000869000-memory.dmp

Filesize
4.4MB

Download
memory/2600-149-0x0000000000400000-0x0000000000869000-memory.dmp

Filesize
4.4MB

Download
memory/2600-179-0x0000000000400000-0x0000000000869000-memory.dmp

Filesize
4.4MB

Download
memory/2600-155-0x0000000000400000-0x0000000000869000-memory.dmp

Filesize
4.4MB

Download
memory/2600-151-0x0000000000400000-0x0000000000869000-memory.dmp

Filesize
4.4MB

Download
memory/2600-134-0x0000000000400000-0x0000000000869000-memory.dmp

Filesize
4.4MB

Download
memory/2600-133-0x0000000000A00000-0x0000000000A01000-memory.dmp

Filesize
4KB

Download
memory/2600-135-0x0000000000400000-0x0000000000869000-memory.dmp

Filesize
4.4MB

Download
memory/2600-137-0x0000000000400000-0x0000000000869000-memory.dmp

Filesize
4.4MB

Download
memory/2600-136-0x0000000000400000-0x0000000000869000-memory.dmp

Filesize
4.4MB

Download
memory/3184-166-0x00000000024A0000-0x00000000024A1000-memory.dmp

Filesize
4KB

Download
memory/3184-164-0x0000000000400000-0x0000000000869000-memory.dmp

Filesize
4.4MB

Download
memory/3184-170-0x0000000000400000-0x0000000000869000-memory.dmp

Filesize
4.4MB

Download
memory/3184-152-0x00000000024A0000-0x00000000024A1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads