Malware

Win32/Bandok.NAN (file analysis)

Malware Removal

Win32/Bandok.NAN is considered dangerous by many security experts. When this infection is active, you may notice unwanted processes in the Task Manager process list. In this case, it is advised to scan your computer with GridinSoft Anti-Malware.

GridinSoft Anti-Malware

Removing PC viruses manually may take hours and may damage your PC in the process. We recommend using GridinSoft Anti-Malware for virus removal. It allows a complete scan and cleanup of your PC during the trial period.
A 6-day free trial is available.

What can the Win32/Bandok.NAN virus do?

  • Attempts to connect to a dead IP:Port (1 unique time)
  • Sample contains Overlay data
  • Yara rule detections observed from a process memory dump/dropped files/CAPE
  • Presents an Authenticode digital signature
  • Creates RWX memory
  • Possible date expiration check, exits too soon after checking local time
  • Dynamic (imported) function loading detected
  • Enumerates running processes
  • CAPE extracted potentially suspicious content
  • The binary contains an unknown PE section name indicative of packing
  • Authenticode signature is invalid
  • Uses Windows utilities for basic functionality
  • Behavioural detection: Injection (Process Hollowing)
  • Executed a process and injected code into it, probably while unpacking
  • Behavioural detection: Injection (inter-process)
  • Behavioural detection: Injection with CreateRemoteThread in a remote process
  • Installs itself for autorun at Windows startup
  • CAPE detected injection into a browser process, likely for Man-In-Browser (MITB) infostealing
  • Creates a copy of itself
  • Uses suspicious command line tools or Windows utilities

How to identify Win32/Bandok.NAN?

File Info:

name: 825FFBCA0F80A7F19997.mlw
path: /opt/CAPEv2/storage/binaries/f581a75a0f8f8eb200a283437bed48f30ae9d5616e94f64acfd93c12fcef987a
type: PE32 executable (GUI) Intel 80386, for MS Windows
timestamp: 2015-08-19 19:23:50

Version Info:

CompanyName: Player
FileDescription:
FileVersion: 18.23.24.234
InternalName:
LegalCopyright:
LegalTrademarks:
OriginalFilename:
ProductName: Player
ProductVersion: 18.23.24.234
Comments:
Translation: 0x0409 0x04e4

Win32/Bandok.NAN also known as:

  • Lionic: Trojan.Win32.Zbot.l!c
  • Elastic: malicious (moderate confidence)
  • MicroWorld-eScan: Trojan.Autoruns.GenericKD.44526426
  • FireEye: Trojan.Autoruns.GenericKD.44526426
  • CAT-QuickHeal: Backdoor.Remteamvi.S1819981
  • McAfee: Trojan-FPBA!825FFBCA0F80
  • Cylance: Unsafe
  • Sangfor: Trojan.Win32.Zbot.IOC
  • CrowdStrike: win/malicious_confidence_100% (W)
  • Alibaba: TrojanSpy:Win32/Bandok.a038c1f7
  • K7GW: Trojan ( 004857c61 )
  • K7AntiVirus: Trojan ( 004857c61 )
  • BitDefenderTheta: Gen:NN.ZelphiF.34806.IK1@aOKWqOli
  • Symantec: ML.Attribute.HighConfidence
  • ESET-NOD32: Win32/Bandok.NAN
  • APEX: Malicious
  • Paloalto: generic.ml
  • ClamAV: Win.Trojan.Agent-6430598-0
  • BitDefender: Trojan.Autoruns.GenericKD.44526426
  • NANO-Antivirus: Trojan.Win32.Buzus.dxhhcx
  • Tencent: Win32.Trojan-spy.Zbot.Dygl
  • Ad-Aware: Trojan.Autoruns.GenericKD.44526426
  • Emsisoft: Trojan.Autoruns.GenericKD.44526426 (B)
  • Comodo: Malware@#70c3ziugdkm0
  • DrWeb: Trojan.DownLoader24.62407
  • VIPRE: Trojan.Autoruns.GenericKD.44526426
  • McAfee-GW-Edition: Trojan-FPBA!825FFBCA0F80
  • Sophos: Mal/Generic-R + Troj/Agent-AYCG
  • Jiangmin: TrojanSpy.Zbot.fskd
  • Avira: HEUR/AGEN.1225412
  • Antiy-AVL: Trojan/Generic.ASMalwS.31
  • GData: Trojan.Autoruns.GenericKD.44526426
  • Cynet: Malicious (score: 99)
  • AhnLab-V3: Spyware/Win32.Zbot.C1592048
  • VBA32: TScope.Trojan.Delf
  • ALYac: Trojan.Buzus.gen
  • MAX: malware (ai score=100)
  • Rising: Backdoor.Remteamvi!8.8A36 (CLOUD)
  • Yandex: Trojan.GenAsa!M/gQd8OHZ9A
  • Ikarus: Trojan.Win32.Bandok
  • Fortinet: W32/Injector.fam!tr
  • Cybereason: malicious.a0f80a
  • Panda: Trj/CI.A

How to remove Win32/Bandok.NAN?

Win32/Bandok.NAN removal tool
  • Download and install GridinSoft Anti-Malware.
  • Open GridinSoft Anti-Malware and perform a “Standard scan”.
  • “Move to quarantine” all items.
  • Open the “Tools” tab and press “Reset Browser Settings”.
  • Select the proper browser and options, then click “Reset”.
  • Restart your computer.

About the author

Paul Valéry

I'm a cyber security analyst and data science expert with 5+ years of experience with security software contractors.