bandook | 72deb006068fe144f367a21e71a6afa3b02d4fc22f9fb4fec118df97a39dc73f

Analysis

max time kernel
290s
max time network
298s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
01-05-2023 09:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Orden de Compra.exe
Size

3.1MB
MD5

14590acf2f905137fed9a2c963193aa5
SHA1

2babf37152863a1b882fa525d4c8a1510f47c052
SHA256

72deb006068fe144f367a21e71a6afa3b02d4fc22f9fb4fec118df97a39dc73f
SHA512

4f9aabc238d7c5fdcd5919507a9e28e9b25903a7af12d9fbb8f429600ca3f911a19ab9f0a6577732ba0d57acf6072d3c53285e4c01d7a9cd9f3d7ee15e02afac
SSDEEP

49152:nZipCPI498xdzZBxDJYd2cElsX8Okqw2Rt1eRob1:nZw

Score

10^/10

bandook rat trojan upx

Malware Config

Signatures

Bandook RAT
Bandook is a remote access tool written in C++ and shipped with a loader written in Delphi.
rat trojan bandook

Bandook payload 7 IoCs

Processes:

resource	yara_rule
behavioral1/memory/676-79-0x0000000013140000-0x0000000014009000-memory.dmp	family_bandook
behavioral1/memory/676-82-0x0000000013140000-0x0000000014009000-memory.dmp	family_bandook
behavioral1/memory/676-86-0x0000000013140000-0x0000000014009000-memory.dmp	family_bandook
behavioral1/memory/676-87-0x0000000013140000-0x0000000014009000-memory.dmp	family_bandook
behavioral1/memory/676-88-0x0000000013140000-0x0000000014009000-memory.dmp	family_bandook
behavioral1/memory/676-91-0x0000000013140000-0x0000000014009000-memory.dmp	family_bandook
behavioral1/memory/676-92-0x0000000013140000-0x0000000014009000-memory.dmp	family_bandook

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/676-77-0x0000000013140000-0x0000000014009000-memory.dmp	upx
behavioral1/memory/676-78-0x0000000013140000-0x0000000014009000-memory.dmp	upx
behavioral1/memory/676-79-0x0000000013140000-0x0000000014009000-memory.dmp	upx
behavioral1/memory/676-82-0x0000000013140000-0x0000000014009000-memory.dmp	upx
behavioral1/memory/676-86-0x0000000013140000-0x0000000014009000-memory.dmp	upx
behavioral1/memory/676-87-0x0000000013140000-0x0000000014009000-memory.dmp	upx
behavioral1/memory/676-88-0x0000000013140000-0x0000000014009000-memory.dmp	upx
behavioral1/memory/676-91-0x0000000013140000-0x0000000014009000-memory.dmp	upx
behavioral1/memory/676-92-0x0000000013140000-0x0000000014009000-memory.dmp	upx

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

msinfo32.exe

pid process

676 msinfo32.exe

pid	process
676	msinfo32.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

Orden de Compra.exe

description	pid	process	target process
PID 1992 wrote to memory of 676	1992	Orden de Compra.exe	msinfo32.exe
PID 1992 wrote to memory of 676	1992	Orden de Compra.exe	msinfo32.exe
PID 1992 wrote to memory of 676	1992	Orden de Compra.exe	msinfo32.exe
PID 1992 wrote to memory of 676	1992	Orden de Compra.exe	msinfo32.exe
PID 1992 wrote to memory of 676	1992	Orden de Compra.exe	msinfo32.exe
PID 1992 wrote to memory of 676	1992	Orden de Compra.exe	msinfo32.exe

C:\Users\Admin\AppData\Local\Temp\Orden de Compra.exe
"C:\Users\Admin\AppData\Local\Temp\Orden de Compra.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1992

C:\windows\syswow64\msinfo32.exe
C:\windows\syswow64\msinfo32.exe
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:676

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/676-86-0x0000000013140000-0x0000000014009000-memory.dmp

Filesize
14.8MB

Download
memory/676-82-0x0000000013140000-0x0000000014009000-memory.dmp

Filesize
14.8MB

Download
memory/676-77-0x0000000013140000-0x0000000014009000-memory.dmp

Filesize
14.8MB

Download
memory/676-79-0x0000000013140000-0x0000000014009000-memory.dmp

Filesize
14.8MB

Download
memory/676-78-0x0000000013140000-0x0000000014009000-memory.dmp

Filesize
14.8MB

Download
memory/676-92-0x0000000013140000-0x0000000014009000-memory.dmp

Filesize
14.8MB

Download
memory/676-91-0x0000000013140000-0x0000000014009000-memory.dmp

Filesize
14.8MB

Download
memory/676-88-0x0000000013140000-0x0000000014009000-memory.dmp

Filesize
14.8MB

Download
memory/676-75-0x0000000013140000-0x0000000014009000-memory.dmp

Filesize
14.8MB

Download
memory/676-76-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/676-87-0x0000000013140000-0x0000000014009000-memory.dmp

Filesize
14.8MB

Download
memory/1992-72-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1992-58-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1992-80-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1992-59-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1992-54-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1992-56-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1992-73-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1992-55-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1992-71-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1992-95-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download