bandook | 4a877cf00bbca9242c045fe0e7fb67b130f4d6d46dcc56504395e2b12ab28437

Analysis

max time kernel
291s
max time network
267s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
30-04-2023 08:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Recibo de Pago.exe
Size

1.4MB
MD5

12465080fde8aa8db77de10490fa946c
SHA1

b9578f8c1d998932fe80859f82fce4000e926d51
SHA256

4a877cf00bbca9242c045fe0e7fb67b130f4d6d46dcc56504395e2b12ab28437
SHA512

1412a35e3608a1d15a52fc46bd5d4664527df1c7db785624c159bd4fba400f8fd1c1fc87fa220daea882f9b34af889b9a0899e07adc5b9f1f1f99e4f2ba632a7
SSDEEP

24576:C1RS4xszUmeE6+NbEZlnibawoGifZr4N8vcUh5RRQTgUi:CvSIG+xrZpRqkUi

Score

10^/10

bandook rat trojan upx

Malware Config

Extracted

Family

bandook

deapproved.ru

Signatures

Bandook RAT
Bandook is a remote access tool written in C++ and shipped with a loader written in Delphi.
rat trojan bandook

Bandook payload 7 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1864-79-0x0000000013140000-0x0000000013C7D000-memory.dmp	family_bandook
behavioral1/memory/1864-80-0x0000000013140000-0x0000000013C7D000-memory.dmp	family_bandook
behavioral1/memory/1864-86-0x0000000013140000-0x0000000013C7D000-memory.dmp	family_bandook
behavioral1/memory/1864-87-0x0000000013140000-0x0000000013C7D000-memory.dmp	family_bandook
behavioral1/memory/1864-88-0x0000000013140000-0x0000000013C7D000-memory.dmp	family_bandook
behavioral1/memory/1864-91-0x0000000013140000-0x0000000013C7D000-memory.dmp	family_bandook
behavioral1/memory/1864-93-0x0000000013140000-0x0000000013C7D000-memory.dmp	family_bandook

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1864-77-0x0000000013140000-0x0000000013C7D000-memory.dmp	upx
behavioral1/memory/1864-78-0x0000000013140000-0x0000000013C7D000-memory.dmp	upx
behavioral1/memory/1864-79-0x0000000013140000-0x0000000013C7D000-memory.dmp	upx
behavioral1/memory/1864-80-0x0000000013140000-0x0000000013C7D000-memory.dmp	upx
behavioral1/memory/1864-86-0x0000000013140000-0x0000000013C7D000-memory.dmp	upx
behavioral1/memory/1864-87-0x0000000013140000-0x0000000013C7D000-memory.dmp	upx
behavioral1/memory/1864-88-0x0000000013140000-0x0000000013C7D000-memory.dmp	upx
behavioral1/memory/1864-91-0x0000000013140000-0x0000000013C7D000-memory.dmp	upx
behavioral1/memory/1864-93-0x0000000013140000-0x0000000013C7D000-memory.dmp	upx

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

msinfo32.exe

pid process

1864 msinfo32.exe

pid	process
1864	msinfo32.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

Recibo de Pago.exe

description	pid	process	target process
PID 1276 wrote to memory of 1864	1276	Recibo de Pago.exe	msinfo32.exe
PID 1276 wrote to memory of 1864	1276	Recibo de Pago.exe	msinfo32.exe
PID 1276 wrote to memory of 1864	1276	Recibo de Pago.exe	msinfo32.exe
PID 1276 wrote to memory of 1864	1276	Recibo de Pago.exe	msinfo32.exe
PID 1276 wrote to memory of 1864	1276	Recibo de Pago.exe	msinfo32.exe
PID 1276 wrote to memory of 1864	1276	Recibo de Pago.exe	msinfo32.exe

C:\Users\Admin\AppData\Local\Temp\Recibo de Pago.exe
"C:\Users\Admin\AppData\Local\Temp\Recibo de Pago.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1276

C:\windows\syswow64\msinfo32.exe
C:\windows\syswow64\msinfo32.exe
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1864

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1276-54-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/1276-55-0x0000000000400000-0x000000000056C000-memory.dmp

Filesize
1.4MB

Download
memory/1276-56-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/1276-58-0x0000000000400000-0x000000000056C000-memory.dmp

Filesize
1.4MB

Download
memory/1276-59-0x0000000000400000-0x000000000056C000-memory.dmp

Filesize
1.4MB

Download
memory/1276-71-0x0000000000400000-0x000000000056C000-memory.dmp

Filesize
1.4MB

Download
memory/1276-72-0x0000000000400000-0x000000000056C000-memory.dmp

Filesize
1.4MB

Download
memory/1276-73-0x0000000000400000-0x000000000056C000-memory.dmp

Filesize
1.4MB

Download
memory/1276-95-0x0000000000400000-0x000000000056C000-memory.dmp

Filesize
1.4MB

Download
memory/1276-81-0x0000000000400000-0x000000000056C000-memory.dmp

Filesize
1.4MB

Download
memory/1864-77-0x0000000013140000-0x0000000013C7D000-memory.dmp

Filesize
11.2MB

Download
memory/1864-78-0x0000000013140000-0x0000000013C7D000-memory.dmp

Filesize
11.2MB

Download
memory/1864-79-0x0000000013140000-0x0000000013C7D000-memory.dmp

Filesize
11.2MB

Download
memory/1864-80-0x0000000013140000-0x0000000013C7D000-memory.dmp

Filesize
11.2MB

Download
memory/1864-76-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1864-86-0x0000000013140000-0x0000000013C7D000-memory.dmp

Filesize
11.2MB

Download
memory/1864-87-0x0000000013140000-0x0000000013C7D000-memory.dmp

Filesize
11.2MB

Download
memory/1864-88-0x0000000013140000-0x0000000013C7D000-memory.dmp

Filesize
11.2MB

Download
memory/1864-91-0x0000000013140000-0x0000000013C7D000-memory.dmp

Filesize
11.2MB

Download
memory/1864-93-0x0000000013140000-0x0000000013C7D000-memory.dmp

Filesize
11.2MB

Download
memory/1864-75-0x0000000013140000-0x0000000013C7D000-memory.dmp

Filesize
11.2MB

Download