bandook | e5e4272f9a129cfdd3f7ec1a0c0adad1791b6e6c9e16e780a4d0e15e907b0a50 | Triage

Submit
Reports

Overview

overview

Static

static

e5e4272f9a...50.exe

windows7-x64

e5e4272f9a...50.exe

windows10-2004-x64

Sharing

General

Target

e5e4272f9a129cfdd3f7ec1a0c0adad1791b6e6c9e16e780a4d0e15e907b0a50
Size

95KB
Sample

221029-rxstksbfgr
MD5

c1ff10dc99cf07334206127b92f13786
SHA1

fc64ce7c1fd8dd6bb03d047a57bc15a9d649eaae
SHA256

e5e4272f9a129cfdd3f7ec1a0c0adad1791b6e6c9e16e780a4d0e15e907b0a50
SHA512

3a43647e8113d51943e8d7194d7924467f052adb8b4a1f395ccf3ca95557cb9a8b28e978a328b950ba23d212157f58eab2ce800adcce5e97618514bd539aced9
SSDEEP

1536:fSd5KYWfdbEIUx2eH4Ondcv0/h1UfZRorH5Tjbnk1ZntKZm/bJURNbw+b:qd5KYWfdbEdxTHnUWh1UfZRor5P+FMoa

Score

10^/10

bandook persistence rat trojan upx

Static task

static1

Behavioral task

behavioral1

Sample

e5e4272f9a129cfdd3f7ec1a0c0adad1791b6e6c9e16e780a4d0e15e907b0a50.exe

Resource

win7-20220812-en

bandook persistence rat trojan upx

windows7-x64

7 signatures

150 seconds

Behavioral task

behavioral2

Sample

e5e4272f9a129cfdd3f7ec1a0c0adad1791b6e6c9e16e780a4d0e15e907b0a50.exe

Resource

win10v2004-20220901-en

bandook persistence rat trojan upx

windows10-2004-x64

6 signatures

150 seconds

Malware Config

Extracted

Family

bandook

C2

kaliex.net

Targets

- Target
  
  e5e4272f9a129cfdd3f7ec1a0c0adad1791b6e6c9e16e780a4d0e15e907b0a50
- Size
  
  95KB
- MD5
  
  c1ff10dc99cf07334206127b92f13786
- SHA1
  
  fc64ce7c1fd8dd6bb03d047a57bc15a9d649eaae
- SHA256
  
  e5e4272f9a129cfdd3f7ec1a0c0adad1791b6e6c9e16e780a4d0e15e907b0a50
- SHA512
  
  3a43647e8113d51943e8d7194d7924467f052adb8b4a1f395ccf3ca95557cb9a8b28e978a328b950ba23d212157f58eab2ce800adcce5e97618514bd539aced9
- SSDEEP
  
  1536:fSd5KYWfdbEIUx2eH4Ondcv0/h1UfZRorH5Tjbnk1ZntKZm/bJURNbw+b:qd5KYWfdbEdxTHnUWh1UfZRor5P+FMoa
Score

10^/10

bandook persistence rat trojan upx
- Bandook RAT
  Bandook is a remote access tool written in C++ and shipped with a loader written in Delphi.
  rat trojan bandook
- Bandook payload
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

bandookpersistencerattrojanupx

behavioral2

bandookpersistencerattrojanupx

© 2018-2025

Terms | Privacy