bandook | a7320e7ada292831538aaee3559dc0139b3222208dfe9271e74d080125b5c934

General

Target

a7320e7ada292831538aaee3559dc0139b3222208dfe9271e74d080125b5c934.exe
Size

1.5MB
MD5

4c8a864510cb59db7f3c0b3bf2fd7fa1
SHA1

42e05975cd4450852970958ba675ac42032eccae
SHA256

a7320e7ada292831538aaee3559dc0139b3222208dfe9271e74d080125b5c934
SHA512

191e1f81a271a44cc992ea474fc425c2cd7aa6c8a12b189b77a98ac7747d8dcbffa8876a5ca31e61bbf779a5d0ff9f080e0dd52af25aff961391932e48f3e45f
SSDEEP

24576:Yqtusu+tVxHPidqUAIM3CNQgII6SZlCDHh3R5OdBAXO9kE:YZwd4MbyZlUBB58Ae9

Score

10^/10

bandook persistence rat trojan

Malware Config

Extracted

Family

bandook

C2

ezeigbo.ddns.net

Signatures

Bandook RAT
Bandook is a remote access tool written in C++ and shipped with a loader written in Delphi.
rat trojan bandook

Bandook payload 4 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3800-133-0x0000000013140000-0x0000000013B8F000-memory.dmp	family_bandook
behavioral2/memory/3800-135-0x0000000013140000-0x0000000013B8F000-memory.dmp	family_bandook
behavioral2/memory/3800-136-0x0000000013140000-0x0000000013B8F000-memory.dmp	family_bandook
behavioral2/memory/3800-137-0x0000000013140000-0x0000000013B8F000-memory.dmp	family_bandook

Executes dropped EXE 1 IoCs

Processes:

svtm.exe

pid process

2212 svtm.exe

pid	process
2212	svtm.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

iexplore.exeiexplore.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows\CurrentVersion\Run	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svtm = "C:\\Users\\Admin\\AppData\\Local\\svtm\\svtm.exe"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows\CurrentVersion\Run	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svtm = "C:\\Users\\Admin\\AppData\\Local\\svtm\\svtm.exe"	iexplore.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

a7320e7ada292831538aaee3559dc0139b3222208dfe9271e74d080125b5c934.exe

description	pid	process	target process
PID 2512 set thread context of 3800	2512	a7320e7ada292831538aaee3559dc0139b3222208dfe9271e74d080125b5c934.exe	a7320e7ada292831538aaee3559dc0139b3222208dfe9271e74d080125b5c934.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

a7320e7ada292831538aaee3559dc0139b3222208dfe9271e74d080125b5c934.exea7320e7ada292831538aaee3559dc0139b3222208dfe9271e74d080125b5c934.exeiexplore.exe

description	pid	process	target process
PID 2512 wrote to memory of 3800	2512	a7320e7ada292831538aaee3559dc0139b3222208dfe9271e74d080125b5c934.exe	a7320e7ada292831538aaee3559dc0139b3222208dfe9271e74d080125b5c934.exe
PID 2512 wrote to memory of 3800	2512	a7320e7ada292831538aaee3559dc0139b3222208dfe9271e74d080125b5c934.exe	a7320e7ada292831538aaee3559dc0139b3222208dfe9271e74d080125b5c934.exe
PID 2512 wrote to memory of 3800	2512	a7320e7ada292831538aaee3559dc0139b3222208dfe9271e74d080125b5c934.exe	a7320e7ada292831538aaee3559dc0139b3222208dfe9271e74d080125b5c934.exe
PID 2512 wrote to memory of 3800	2512	a7320e7ada292831538aaee3559dc0139b3222208dfe9271e74d080125b5c934.exe	a7320e7ada292831538aaee3559dc0139b3222208dfe9271e74d080125b5c934.exe
PID 2512 wrote to memory of 3800	2512	a7320e7ada292831538aaee3559dc0139b3222208dfe9271e74d080125b5c934.exe	a7320e7ada292831538aaee3559dc0139b3222208dfe9271e74d080125b5c934.exe
PID 3800 wrote to memory of 4676	3800	a7320e7ada292831538aaee3559dc0139b3222208dfe9271e74d080125b5c934.exe	iexplore.exe
PID 3800 wrote to memory of 4676	3800	a7320e7ada292831538aaee3559dc0139b3222208dfe9271e74d080125b5c934.exe	iexplore.exe
PID 3800 wrote to memory of 4676	3800	a7320e7ada292831538aaee3559dc0139b3222208dfe9271e74d080125b5c934.exe	iexplore.exe
PID 3800 wrote to memory of 4676	3800	a7320e7ada292831538aaee3559dc0139b3222208dfe9271e74d080125b5c934.exe	iexplore.exe
PID 3800 wrote to memory of 1656	3800	a7320e7ada292831538aaee3559dc0139b3222208dfe9271e74d080125b5c934.exe	iexplore.exe
PID 3800 wrote to memory of 1656	3800	a7320e7ada292831538aaee3559dc0139b3222208dfe9271e74d080125b5c934.exe	iexplore.exe
PID 3800 wrote to memory of 1656	3800	a7320e7ada292831538aaee3559dc0139b3222208dfe9271e74d080125b5c934.exe	iexplore.exe
PID 3800 wrote to memory of 1656	3800	a7320e7ada292831538aaee3559dc0139b3222208dfe9271e74d080125b5c934.exe	iexplore.exe
PID 3800 wrote to memory of 2448	3800	a7320e7ada292831538aaee3559dc0139b3222208dfe9271e74d080125b5c934.exe	iexplore.exe
PID 3800 wrote to memory of 2448	3800	a7320e7ada292831538aaee3559dc0139b3222208dfe9271e74d080125b5c934.exe	iexplore.exe
PID 3800 wrote to memory of 2448	3800	a7320e7ada292831538aaee3559dc0139b3222208dfe9271e74d080125b5c934.exe	iexplore.exe
PID 3800 wrote to memory of 2448	3800	a7320e7ada292831538aaee3559dc0139b3222208dfe9271e74d080125b5c934.exe	iexplore.exe
PID 3800 wrote to memory of 3128	3800	a7320e7ada292831538aaee3559dc0139b3222208dfe9271e74d080125b5c934.exe	iexplore.exe
PID 3800 wrote to memory of 3128	3800	a7320e7ada292831538aaee3559dc0139b3222208dfe9271e74d080125b5c934.exe	iexplore.exe
PID 3800 wrote to memory of 3128	3800	a7320e7ada292831538aaee3559dc0139b3222208dfe9271e74d080125b5c934.exe	iexplore.exe
PID 3800 wrote to memory of 3128	3800	a7320e7ada292831538aaee3559dc0139b3222208dfe9271e74d080125b5c934.exe	iexplore.exe
PID 3128 wrote to memory of 2212	3128	iexplore.exe	svtm.exe
PID 3128 wrote to memory of 2212	3128	iexplore.exe	svtm.exe
PID 3128 wrote to memory of 2212	3128	iexplore.exe	svtm.exe

C:\Users\Admin\AppData\Local\Temp\a7320e7ada292831538aaee3559dc0139b3222208dfe9271e74d080125b5c934.exe
"C:\Users\Admin\AppData\Local\Temp\a7320e7ada292831538aaee3559dc0139b3222208dfe9271e74d080125b5c934.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2512

C:\Users\Admin\AppData\Local\Temp\a7320e7ada292831538aaee3559dc0139b3222208dfe9271e74d080125b5c934.exe
"C:\Users\Admin\AppData\Local\Temp\a7320e7ada292831538aaee3559dc0139b3222208dfe9271e74d080125b5c934.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:3800

C:\Program Files (x86)\Internet Explorer\iexplore.exe
"C:\Program Files (x86)\Internet Explorer\iexplore.exe"
3⤵
PID:4676

C:\Program Files (x86)\Internet Explorer\iexplore.exe
"C:\Program Files (x86)\Internet Explorer\iexplore.exe"
3⤵
- Adds Run key to start application
PID:1656

C:\Program Files (x86)\Internet Explorer\iexplore.exe
"C:\Program Files (x86)\Internet Explorer\iexplore.exe"
3⤵
PID:2448

C:\Program Files (x86)\Internet Explorer\iexplore.exe
"C:\Program Files (x86)\Internet Explorer\iexplore.exe"
3⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3128

C:\Users\Admin\AppData\Local\svtm\svtm.exe
"C:\Users\Admin\AppData\Local\svtm\svtm.exe"
4⤵
- Executes dropped EXE
PID:2212

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\svtm\svtm.exe
Filesize
1.5MB

MD5
4c8a864510cb59db7f3c0b3bf2fd7fa1

SHA1
42e05975cd4450852970958ba675ac42032eccae

SHA256
a7320e7ada292831538aaee3559dc0139b3222208dfe9271e74d080125b5c934

SHA512
191e1f81a271a44cc992ea474fc425c2cd7aa6c8a12b189b77a98ac7747d8dcbffa8876a5ca31e61bbf779a5d0ff9f080e0dd52af25aff961391932e48f3e45f

Download Submit
C:\Users\Admin\AppData\Local\svtm\svtm.exe
Filesize
1.5MB

MD5
4c8a864510cb59db7f3c0b3bf2fd7fa1

SHA1
42e05975cd4450852970958ba675ac42032eccae

SHA256
a7320e7ada292831538aaee3559dc0139b3222208dfe9271e74d080125b5c934

SHA512
191e1f81a271a44cc992ea474fc425c2cd7aa6c8a12b189b77a98ac7747d8dcbffa8876a5ca31e61bbf779a5d0ff9f080e0dd52af25aff961391932e48f3e45f

Download Submit
memory/2212-139-0x0000000000000000-mapping.dmp

Download
memory/3800-132-0x0000000000000000-mapping.dmp

Download
memory/3800-133-0x0000000013140000-0x0000000013B8F000-memory.dmp

Filesize
10.3MB

Download
memory/3800-135-0x0000000013140000-0x0000000013B8F000-memory.dmp

Filesize
10.3MB

Download
memory/3800-136-0x0000000013140000-0x0000000013B8F000-memory.dmp

Filesize
10.3MB

Download
memory/3800-137-0x0000000013140000-0x0000000013B8F000-memory.dmp

Filesize
10.3MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads