bandook | f9d9d00a974b259b747217d021d95c7902c8a8807539db0bbf43939be972e281 | Triage

Sharing

General

Target

1.zip
Size

6.0MB
Sample

210716-bl5g78gves
MD5

4067230cb4cbfe80659513b1c1c5458e
SHA1

d18fdd1d9bb44bda044e1d399046a53d23d58853
SHA256

f9d9d00a974b259b747217d021d95c7902c8a8807539db0bbf43939be972e281
SHA512

0430cdc7acf26b6eafd78f23c0e6a0e3b6b161bd3cd61f45625dfd409b745043a80b5299f23b727159fd972e8ca7bcdcfd08b982ddf94a9504a5b7d4d330b7d2

Score

10^/10

bandook persistence rat trojan upx

Malware Config

Targets

- Target
  
  037ff659cb188100251c228a1babe2cd3bc3aaa43e0039555e12c232a8b9f38f
- Size
  
  1.8MB
- MD5
  
  e0d2fac1d52fffd9b18fe93eb113d141
- SHA1
  
  a90c769757b66b9c387ec4bc2d9be252b2f24d1a
- SHA256
  
  037ff659cb188100251c228a1babe2cd3bc3aaa43e0039555e12c232a8b9f38f
- SHA512
  
  0a435d80f67233e11bebce3d7c03f7ed9aacab354aa57e7d045052e7db6f3970edb017733961e84063a9f9081e9d246e5bf7b858ce3a53ab4a7066f8d572d6ba
Score

10^/10

bandook persistence rat trojan upx
- Bandook Payload
- Bandook RAT
  Bandook is a remote access tool written in C++ and shipped with a loader written in Delphi.
  rat trojan bandook
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2
- Target
  
  2fc92db641004976273712cdacab3f1416b6f7fcb8a6019bbb6ca539e9effefc
- Size
  
  1.8MB
- MD5
  
  ce8805d7c52c37e37f1682dc19b50a8a
- SHA1
  
  9413a9c879cb4a246a6126fc39cefbf95944cab5
- SHA256
  
  2fc92db641004976273712cdacab3f1416b6f7fcb8a6019bbb6ca539e9effefc
- SHA512
  
  432d8932ac4640c9d1de4bbe1345da8f972a90c147c5ea2e3710b0ef14ea6f36a9c0fc9175b843d202b7927a5b7d1002eb1873dec546f45b59782de203093266
Score

10^/10

bandook persistence rat trojan upx
- Bandook Payload
- Bandook RAT
  Bandook is a remote access tool written in C++ and shipped with a loader written in Delphi.
  rat trojan bandook
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral3 behavioral4
- Target
  
  58c6424d1d5365f3b596c311f77bf1635a84ecab176a829418ca2076974e91ed
- Size
  
  1.6MB
- MD5
  
  84bb509cbf65453942e7015d0aeb754b
- SHA1
  
  52c64e3dee6b18f06af87d75fcea73e4c8a062d3
- SHA256
  
  58c6424d1d5365f3b596c311f77bf1635a84ecab176a829418ca2076974e91ed
- SHA512
  
  2cfbd18fdf132c53bbefd01fba064801a6531cd60b4e72d18ff6f937b7e459f8d97fcd9820ff194b64fa56730239a142b4d1356443f477a3418ed90b59aeb916
Score

10^/10

bandook persistence rat trojan upx
- Bandook Payload
- Bandook RAT
  Bandook is a remote access tool written in C++ and shipped with a loader written in Delphi.
  rat trojan bandook
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral5 behavioral6
- Target
  
  bc089259a1da012b1331933427fdf29e62e0c66cc4ca69c2319dd45f13a95c5d
- Size
  
  1.6MB
- MD5
  
  1f223fb3a22ffb73e9156427151e5b05
- SHA1
  
  43a24433c4405101aecdbdf9e17fbafb8bb1b6f3
- SHA256
  
  bc089259a1da012b1331933427fdf29e62e0c66cc4ca69c2319dd45f13a95c5d
- SHA512
  
  e65e3f36311b3c00d418a9793bd5344052387301c7dbb3959311ca0a6daf7b5610980f0eb5800db49f1c190660dd6ddf3e6c1193e12e2b7d1b0c06e4dcf55c2d
Score

10^/10

bandook persistence rat trojan upx
- Bandook Payload
- Bandook RAT
  Bandook is a remote access tool written in C++ and shipped with a loader written in Delphi.
  rat trojan bandook
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral7 behavioral8
- Target
  
  d3e7b5be903eb9a596b9b2b78e5dd28390c6aadb8bdd4ea1ba3d896d99fa0057
- Size
  
  1.6MB
- MD5
  
  695ebe3e45a89552d7dabbc2b972ed66
- SHA1
  
  89f1e932cc37e4515433696e3963bb3163cc4927
- SHA256
  
  d3e7b5be903eb9a596b9b2b78e5dd28390c6aadb8bdd4ea1ba3d896d99fa0057
- SHA512
  
  53a6770d75ac12bb248a2de6a13ee68ae8378da232b058efc1e04c8be4307a248c516111a65088d2d0ac39632ab223d949072f7fbaa71ad3155e6bd946e46593
Score

10^/10

bandook persistence rat trojan upx
- Bandook Payload
- Bandook RAT
  Bandook is a remote access tool written in C++ and shipped with a loader written in Delphi.
  rat trojan bandook
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral9 behavioral10
- Target
  
  e72ace3a76024645161ecb73c57083d38b85594df5117de94d782df9f48a10eb
- Size
  
  1.8MB
- MD5
  
  353f9db7df426b21b5af2b73d3421f1c
- SHA1
  
  5662600362a996e38c630f3deceabd88c828e3cb
- SHA256
  
  e72ace3a76024645161ecb73c57083d38b85594df5117de94d782df9f48a10eb
- SHA512
  
  10cccccd181c0615d2344ee01bc45a46ab51a5672488ee90da81d4ae6f5513d9f4b459ad4ebc5b7cef9ea038d3a85a4f80dd6b4f104f34ce65109e0d5a81d6c3
Score

10^/10

bandook persistence rat trojan upx
- Bandook Payload
- Bandook RAT
  Bandook is a remote access tool written in C++ and shipped with a loader written in Delphi.
  rat trojan bandook
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral11 behavioral12

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

bandookpersistencerattrojanupx

behavioral2

behavioral3

bandookpersistencerattrojanupx

behavioral4

behavioral5

bandookpersistencerattrojanupx

behavioral6

behavioral7

bandookpersistencerattrojanupx

behavioral8

bandookpersistencerattrojanupx

behavioral9

bandookpersistencerattrojanupx

behavioral10

behavioral11

bandookpersistencerattrojanupx

behavioral12

bandookpersistencerattrojanupx