bandook | c7b44c11a21fd0de396590e3a9c704477ec55fa81fea002f7134131256f9e6a4

General

Target

ORDEN_DE_PEDIDO.exe
Size

3.2MB
MD5

73121e22d29f8c1e7dc8812d8c704bf1
SHA1

ea6e1db1c3487d7adf490f3b4c62041443509b0b
SHA256

c7b44c11a21fd0de396590e3a9c704477ec55fa81fea002f7134131256f9e6a4
SHA512

db382e1e446f6bdb471a7b0e3e28c489686937d673b2e7c14a882838493f5924eeb6d3dc919838cac7699fc39a3a7a378ff651a67edeec4a843640719a7693a4
SSDEEP

24576:NnwuSOoLI7bugMt4K33Q3UEQDdrV3XgPz4Tgfe0ybZdF7W1TaPrs+r+Ij1q9SWAe:Nb+zL4DQdgkUTw/UWPmfT5zzeFC98u

Score

10^/10

bandook rat trojan upx

Malware Config

Extracted

Family

bandook

C2

deapproved.ru

Signatures

Bandook RAT
Bandook is a remote access tool written in C++ and shipped with a loader written in Delphi.
rat trojan bandook

Bandook payload 7 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1088-80-0x0000000013140000-0x0000000014009000-memory.dmp	family_bandook
behavioral1/memory/1088-81-0x0000000013140000-0x0000000014009000-memory.dmp	family_bandook
behavioral1/memory/1088-92-0x0000000013140000-0x0000000014009000-memory.dmp	family_bandook
behavioral1/memory/1088-93-0x0000000013140000-0x0000000014009000-memory.dmp	family_bandook
behavioral1/memory/1088-94-0x0000000013140000-0x0000000014009000-memory.dmp	family_bandook
behavioral1/memory/1088-95-0x0000000013140000-0x0000000014009000-memory.dmp	family_bandook
behavioral1/memory/1088-99-0x0000000013140000-0x0000000014009000-memory.dmp	family_bandook

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1088-78-0x0000000013140000-0x0000000014009000-memory.dmp	upx
behavioral1/memory/1088-79-0x0000000013140000-0x0000000014009000-memory.dmp	upx
behavioral1/memory/1088-80-0x0000000013140000-0x0000000014009000-memory.dmp	upx
behavioral1/memory/1088-81-0x0000000013140000-0x0000000014009000-memory.dmp	upx
behavioral1/memory/1088-92-0x0000000013140000-0x0000000014009000-memory.dmp	upx
behavioral1/memory/1088-93-0x0000000013140000-0x0000000014009000-memory.dmp	upx
behavioral1/memory/1088-94-0x0000000013140000-0x0000000014009000-memory.dmp	upx
behavioral1/memory/1088-95-0x0000000013140000-0x0000000014009000-memory.dmp	upx
behavioral1/memory/1088-99-0x0000000013140000-0x0000000014009000-memory.dmp	upx

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

msinfo32.exe

pid process

1088 msinfo32.exe

pid	process
1088	msinfo32.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

ORDEN_DE_PEDIDO.exe

description	pid	process	target process
PID 1748 wrote to memory of 1088	1748	ORDEN_DE_PEDIDO.exe	msinfo32.exe
PID 1748 wrote to memory of 1088	1748	ORDEN_DE_PEDIDO.exe	msinfo32.exe
PID 1748 wrote to memory of 1088	1748	ORDEN_DE_PEDIDO.exe	msinfo32.exe
PID 1748 wrote to memory of 1088	1748	ORDEN_DE_PEDIDO.exe	msinfo32.exe
PID 1748 wrote to memory of 1844	1748	ORDEN_DE_PEDIDO.exe	ORDEN_DE_PEDIDO.exe
PID 1748 wrote to memory of 1844	1748	ORDEN_DE_PEDIDO.exe	ORDEN_DE_PEDIDO.exe
PID 1748 wrote to memory of 1844	1748	ORDEN_DE_PEDIDO.exe	ORDEN_DE_PEDIDO.exe
PID 1748 wrote to memory of 1844	1748	ORDEN_DE_PEDIDO.exe	ORDEN_DE_PEDIDO.exe
PID 1748 wrote to memory of 1088	1748	ORDEN_DE_PEDIDO.exe	msinfo32.exe
PID 1748 wrote to memory of 1088	1748	ORDEN_DE_PEDIDO.exe	msinfo32.exe

C:\Users\Admin\AppData\Local\Temp\ORDEN_DE_PEDIDO.exe
"C:\Users\Admin\AppData\Local\Temp\ORDEN_DE_PEDIDO.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1748

C:\windows\syswow64\msinfo32.exe
C:\windows\syswow64\msinfo32.exe
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1088

C:\Users\Admin\AppData\Local\Temp\ORDEN_DE_PEDIDO.exe
C:\Users\Admin\AppData\Local\Temp\ORDEN_DE_PEDIDO.exe dkddkdkkdkdd ddd
2⤵
PID:1844

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1088-78-0x0000000013140000-0x0000000014009000-memory.dmp

Filesize
14.8MB

Download
memory/1088-99-0x0000000013140000-0x0000000014009000-memory.dmp

Filesize
14.8MB

Download
memory/1088-95-0x0000000013140000-0x0000000014009000-memory.dmp

Filesize
14.8MB

Download
memory/1088-94-0x0000000013140000-0x0000000014009000-memory.dmp

Filesize
14.8MB

Download
memory/1088-93-0x0000000013140000-0x0000000014009000-memory.dmp

Filesize
14.8MB

Download
memory/1088-92-0x0000000013140000-0x0000000014009000-memory.dmp

Filesize
14.8MB

Download
memory/1088-81-0x0000000013140000-0x0000000014009000-memory.dmp

Filesize
14.8MB

Download
memory/1088-80-0x0000000013140000-0x0000000014009000-memory.dmp

Filesize
14.8MB

Download
memory/1088-79-0x0000000013140000-0x0000000014009000-memory.dmp

Filesize
14.8MB

Download
memory/1088-76-0x0000000013140000-0x0000000014009000-memory.dmp

Filesize
14.8MB

Download
memory/1088-77-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1748-72-0x0000000000400000-0x0000000000733000-memory.dmp

Filesize
3.2MB

Download
memory/1748-71-0x0000000000400000-0x0000000000733000-memory.dmp

Filesize
3.2MB

Download
memory/1748-73-0x0000000000400000-0x0000000000733000-memory.dmp

Filesize
3.2MB

Download
memory/1748-54-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/1748-82-0x0000000000400000-0x0000000000733000-memory.dmp

Filesize
3.2MB

Download
memory/1748-104-0x0000000000400000-0x0000000000733000-memory.dmp

Filesize
3.2MB

Download
memory/1748-55-0x0000000000400000-0x0000000000733000-memory.dmp

Filesize
3.2MB

Download
memory/1748-56-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/1748-58-0x0000000000400000-0x0000000000733000-memory.dmp

Filesize
3.2MB

Download
memory/1748-59-0x0000000000400000-0x0000000000733000-memory.dmp

Filesize
3.2MB

Download
memory/1844-75-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1844-90-0x0000000000400000-0x0000000000733000-memory.dmp

Filesize
3.2MB

Download
memory/1844-88-0x0000000000400000-0x0000000000733000-memory.dmp

Filesize
3.2MB

Download
memory/1844-86-0x0000000000400000-0x0000000000733000-memory.dmp

Filesize
3.2MB

Download
memory/1844-84-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1844-83-0x0000000000400000-0x0000000000733000-memory.dmp

Filesize
3.2MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads