General

  • Size

    977KB

  • Sample

    220624-raj8xsfeb2

  • MD5

    f000ca9522aafa0c54b863528228a43b

  • SHA1

    c636e88b9e8079ba086f5cdb132fa39e747d0f23

  • SHA256

    4f1923485e8cdd052467d335a6384f93cd1d50b5d927aea471e56290be29ffa3

  • SHA512

    ccbb478d676a3c6f1355ab30933196c5bf41b64b613e8efe661546c238700ce2aec340390af9069c303a43bc7c4f41400c418920041cf4967c6e02b272ef372d

Malware Config

Extracted

Family

bandook

C2

iamgood.blogdns.net

Targets

    • Target

      4f1923485e8cdd052467d335a6384f93cd1d50b5d927aea471e56290be29ffa3.exe

    • Size

      977KB

    • MD5

      f000ca9522aafa0c54b863528228a43b

    • SHA1

      c636e88b9e8079ba086f5cdb132fa39e747d0f23

    • SHA256

      4f1923485e8cdd052467d335a6384f93cd1d50b5d927aea471e56290be29ffa3

    • SHA512

      ccbb478d676a3c6f1355ab30933196c5bf41b64b613e8efe661546c238700ce2aec340390af9069c303a43bc7c4f41400c418920041cf4967c6e02b272ef372d

    • Bandook RAT

      Bandook is a remote access tool written in C++ and shipped with a loader written in Delphi.

    • Bandook payload

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix

Collection

    Command and Control

      Credential Access

        Defense Evasion

        Execution

          Exfiltration

            Impact

              Initial Access

                Lateral Movement

                  Privilege Escalation