bandook | aafafcec219765dbf2a4d4db4ecccd7d7b5bcc44613e80d833812dd9d074f434

General

Target

Factura de Cobro.exe
Size

7.5MB
MD5

c46c3de7dc67087e6007a1cc6d24abf1
SHA1

5e4edbe4d3206ea8dbba05f575a4a9312289591d
SHA256

aafafcec219765dbf2a4d4db4ecccd7d7b5bcc44613e80d833812dd9d074f434
SHA512

6f8d11131fb959046e57397dc76d342fe6ff8621764a84affbb4d52c63aef4dd123adc351f7c93c3d69233255c78045008339345569a1056a6b4f9a1af69ada6
SSDEEP

49152:CFQPSP5e3Ch3dKpJtxHe3AlDxZt4UUlAbisGOa3onvtkOsKmqggjrzVS+hG7mrOR:CaPfIH

Score

10^/10

bandook rat trojan upx

Malware Config

Extracted

Family

bandook

C2

185.10.68.52

Signatures

Bandook RAT
Bandook is a remote access tool written in C++ and shipped with a loader written in Delphi.
rat trojan bandook

Bandook payload 8 IoCs

resource	yara_rule
behavioral1/memory/1096-176-0x0000000013140000-0x0000000014663000-memory.dmp	family_bandook
behavioral1/memory/1096-175-0x0000000013140000-0x0000000014663000-memory.dmp	family_bandook
behavioral1/memory/1096-177-0x0000000013140000-0x0000000014663000-memory.dmp	family_bandook
behavioral1/memory/1096-178-0x0000000013140000-0x0000000014663000-memory.dmp	family_bandook
behavioral1/memory/1096-180-0x0000000013140000-0x0000000014663000-memory.dmp	family_bandook
behavioral1/memory/1096-181-0x0000000013140000-0x0000000014663000-memory.dmp	family_bandook
behavioral1/memory/1096-183-0x0000000013140000-0x0000000014663000-memory.dmp	family_bandook
behavioral1/memory/1096-187-0x0000000013140000-0x0000000014663000-memory.dmp	family_bandook

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1096-172-0x0000000013140000-0x0000000014663000-memory.dmp	upx
behavioral1/memory/1096-174-0x0000000013140000-0x0000000014663000-memory.dmp	upx
behavioral1/memory/1096-176-0x0000000013140000-0x0000000014663000-memory.dmp	upx
behavioral1/memory/1096-175-0x0000000013140000-0x0000000014663000-memory.dmp	upx
behavioral1/memory/1096-177-0x0000000013140000-0x0000000014663000-memory.dmp	upx
behavioral1/memory/1096-178-0x0000000013140000-0x0000000014663000-memory.dmp	upx
behavioral1/memory/1096-180-0x0000000013140000-0x0000000014663000-memory.dmp	upx
behavioral1/memory/1096-181-0x0000000013140000-0x0000000014663000-memory.dmp	upx
behavioral1/memory/1096-183-0x0000000013140000-0x0000000014663000-memory.dmp	upx
behavioral1/memory/1096-187-0x0000000013140000-0x0000000014663000-memory.dmp	upx

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1096	msinfo32.exe
1096	msinfo32.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4388 wrote to memory of 1096	4388	Factura de Cobro.exe	100
PID 4388 wrote to memory of 1096	4388	Factura de Cobro.exe	100
PID 4388 wrote to memory of 1096	4388	Factura de Cobro.exe	100
PID 4388 wrote to memory of 2440	4388	Factura de Cobro.exe	101
PID 4388 wrote to memory of 2440	4388	Factura de Cobro.exe	101
PID 4388 wrote to memory of 2440	4388	Factura de Cobro.exe	101
PID 4388 wrote to memory of 1096	4388	Factura de Cobro.exe	100
PID 4388 wrote to memory of 1096	4388	Factura de Cobro.exe	100

C:\Users\Admin\AppData\Local\Temp\Factura de Cobro.exe
"C:\Users\Admin\AppData\Local\Temp\Factura de Cobro.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4388
- C:\windows\SysWOW64\msinfo32.exe
  C:\windows\syswow64\msinfo32.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1096
- C:\Users\Admin\AppData\Local\Temp\Factura de Cobro.exe
  "C:\Users\Admin\AppData\Local\Temp\Factura de Cobro.exe" ooooooooooooooo
  2⤵
  PID:2440

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1096-183-0x0000000013140000-0x0000000014663000-memory.dmp

Filesize
21.1MB

Download
memory/1096-172-0x0000000013140000-0x0000000014663000-memory.dmp

Filesize
21.1MB

Download
memory/1096-176-0x0000000013140000-0x0000000014663000-memory.dmp

Filesize
21.1MB

Download
memory/1096-187-0x0000000013140000-0x0000000014663000-memory.dmp

Filesize
21.1MB

Download
memory/1096-175-0x0000000013140000-0x0000000014663000-memory.dmp

Filesize
21.1MB

Download
memory/1096-181-0x0000000013140000-0x0000000014663000-memory.dmp

Filesize
21.1MB

Download
memory/1096-180-0x0000000013140000-0x0000000014663000-memory.dmp

Filesize
21.1MB

Download
memory/1096-177-0x0000000013140000-0x0000000014663000-memory.dmp

Filesize
21.1MB

Download
memory/1096-178-0x0000000013140000-0x0000000014663000-memory.dmp

Filesize
21.1MB

Download
memory/1096-174-0x0000000013140000-0x0000000014663000-memory.dmp

Filesize
21.1MB

Download
memory/2440-185-0x0000000000400000-0x0000000000B93000-memory.dmp

Filesize
7.6MB

Download
memory/2440-171-0x0000000000D30000-0x0000000000D31000-memory.dmp

Filesize
4KB

Download
memory/2440-192-0x0000000000400000-0x0000000000B93000-memory.dmp

Filesize
7.6MB

Download
memory/2440-190-0x0000000000400000-0x0000000000B93000-memory.dmp

Filesize
7.6MB

Download
memory/2440-186-0x0000000000D30000-0x0000000000D31000-memory.dmp

Filesize
4KB

Download
memory/4388-170-0x0000000000400000-0x0000000000B93000-memory.dmp

Filesize
7.6MB

Download
memory/4388-169-0x0000000000400000-0x0000000000B93000-memory.dmp

Filesize
7.6MB

Download
memory/4388-168-0x0000000000400000-0x0000000000B93000-memory.dmp

Filesize
7.6MB

Download
memory/4388-133-0x00000000027F0000-0x00000000027F1000-memory.dmp

Filesize
4KB

Download
memory/4388-134-0x0000000000400000-0x0000000000B93000-memory.dmp

Filesize
7.6MB

Download
memory/4388-173-0x0000000000400000-0x0000000000B93000-memory.dmp

Filesize
7.6MB

Download
memory/4388-136-0x0000000000400000-0x0000000000B93000-memory.dmp

Filesize
7.6MB

Download
memory/4388-138-0x0000000000400000-0x0000000000B93000-memory.dmp

Filesize
7.6MB

Download
memory/4388-135-0x00000000027F0000-0x00000000027F1000-memory.dmp

Filesize
4KB

Download
memory/4388-199-0x0000000000400000-0x0000000000B93000-memory.dmp

Filesize
7.6MB

Download

Analysis

Sharing