bandook | 10fc04298c934e896a333c2c13386291d5dd33304bf5f0af90636f86c28d460b

General

Target

10fc04298c934e896a333c2c13386291d5dd33304bf5f0af90636f86c28d460b.dll
Size

1.6MB
MD5

64d515247b8388fdacf4e0450a3a9c6f
SHA1

8eeadf672a3523442f224484a11f9f49cbcc6de7
SHA256

10fc04298c934e896a333c2c13386291d5dd33304bf5f0af90636f86c28d460b
SHA512

b644ccc09c96fd02839668561d992fd8f3a804d95d5cafc904e2293362e9ec1a4718cb89ddcb54d99dd0eae704c80d27e7f1d8b3882c0c308168ffe8d3830185
SSDEEP

24576:e/bH/oLrO40yatxnq0J9Ctc6TLrZiHA/P8TY+ltvK9lRRlIvn47UK:eDn4S9CCqqY+ltvKh3847UK

Score

10^/10

bandook rat trojan upx

Malware Config

Extracted

Family

bandook

C2

kaliex.net

Signatures

Bandook RAT
Bandook is a remote access tool written in C++ and shipped with a loader written in Delphi.
rat trojan bandook

Bandook payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/692-68-0x0000000013140000-0x0000000013B96000-memory.dmp	family_bandook

Executes dropped EXE 2 IoCs

Processes:

2656.exe2656.exe

pid process

2024 2656.exe
692 2656.exe

pid	process
2024	2656.exe
692	2656.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/692-62-0x0000000013140000-0x0000000013B96000-memory.dmp	upx
behavioral1/memory/692-67-0x0000000013140000-0x0000000013B96000-memory.dmp	upx
behavioral1/memory/692-68-0x0000000013140000-0x0000000013B96000-memory.dmp	upx

Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

1396 rundll32.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

2656.exe

description pid process target process

PID 2024 set thread context of 692 2024 2656.exe 2656.exe

pid	process
1396	rundll32.exe

description	pid	process	target process
PID 2024 set thread context of 692	2024	2656.exe	2656.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

rundll32.exerundll32.exe2656.exe

description	pid	process	target process
PID 1300 wrote to memory of 1396	1300	rundll32.exe	rundll32.exe
PID 1300 wrote to memory of 1396	1300	rundll32.exe	rundll32.exe
PID 1300 wrote to memory of 1396	1300	rundll32.exe	rundll32.exe
PID 1300 wrote to memory of 1396	1300	rundll32.exe	rundll32.exe
PID 1300 wrote to memory of 1396	1300	rundll32.exe	rundll32.exe
PID 1300 wrote to memory of 1396	1300	rundll32.exe	rundll32.exe
PID 1300 wrote to memory of 1396	1300	rundll32.exe	rundll32.exe
PID 1396 wrote to memory of 2024	1396	rundll32.exe	2656.exe
PID 1396 wrote to memory of 2024	1396	rundll32.exe	2656.exe
PID 1396 wrote to memory of 2024	1396	rundll32.exe	2656.exe
PID 1396 wrote to memory of 2024	1396	rundll32.exe	2656.exe
PID 2024 wrote to memory of 692	2024	2656.exe	2656.exe
PID 2024 wrote to memory of 692	2024	2656.exe	2656.exe
PID 2024 wrote to memory of 692	2024	2656.exe	2656.exe
PID 2024 wrote to memory of 692	2024	2656.exe	2656.exe
PID 2024 wrote to memory of 692	2024	2656.exe	2656.exe
PID 2024 wrote to memory of 692	2024	2656.exe	2656.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\10fc04298c934e896a333c2c13386291d5dd33304bf5f0af90636f86c28d460b.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1300

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\10fc04298c934e896a333c2c13386291d5dd33304bf5f0af90636f86c28d460b.dll,#1
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1396

C:\Users\Admin\AppData\Roaming\2656.exe
C:\Users\Admin\AppData\Roaming\2656.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2024

C:\Users\Admin\AppData\Roaming\2656.exe
C:\Users\Admin\AppData\Roaming\2656.exe
4⤵
- Executes dropped EXE
PID:692

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\2656.exe
Filesize
102KB

MD5
535baf9334cc9e37519275df538886df

SHA1
08b0b15c1b49b9782832706d3d2c0fc3e8689ae8

SHA256
7705d371b85c8248a593e307d53525b456d9788a9c4377d457e9bceb021d9e45

SHA512
ae5656dce65ef11804b86f8c95d0b36a6d088100c1c2bc98a0c523f05f39f3c16e7e3ae8f7559802164855f708a485aff5b111c88d12379e7ea745e3d5a11b06

Download Submit
C:\Users\Admin\AppData\Roaming\2656.exe
Filesize
102KB

MD5
535baf9334cc9e37519275df538886df

SHA1
08b0b15c1b49b9782832706d3d2c0fc3e8689ae8

SHA256
7705d371b85c8248a593e307d53525b456d9788a9c4377d457e9bceb021d9e45

SHA512
ae5656dce65ef11804b86f8c95d0b36a6d088100c1c2bc98a0c523f05f39f3c16e7e3ae8f7559802164855f708a485aff5b111c88d12379e7ea745e3d5a11b06

Download Submit
\Users\Admin\AppData\Roaming\2656.exe
Filesize
102KB

MD5
535baf9334cc9e37519275df538886df

SHA1
08b0b15c1b49b9782832706d3d2c0fc3e8689ae8

SHA256
7705d371b85c8248a593e307d53525b456d9788a9c4377d457e9bceb021d9e45

SHA512
ae5656dce65ef11804b86f8c95d0b36a6d088100c1c2bc98a0c523f05f39f3c16e7e3ae8f7559802164855f708a485aff5b111c88d12379e7ea745e3d5a11b06

Download Submit
memory/692-60-0x0000000013140000-0x0000000013B96000-memory.dmp

Filesize
10.3MB

Download
memory/692-62-0x0000000013140000-0x0000000013B96000-memory.dmp

Filesize
10.3MB

Download
memory/692-63-0x0000000013B94D80-mapping.dmp

Download
memory/692-67-0x0000000013140000-0x0000000013B96000-memory.dmp

Filesize
10.3MB

Download
memory/692-68-0x0000000013140000-0x0000000013B96000-memory.dmp

Filesize
10.3MB

Download
memory/1396-54-0x0000000000000000-mapping.dmp

Download
memory/1396-55-0x0000000075C31000-0x0000000075C33000-memory.dmp

Filesize
8KB

Download
memory/1396-56-0x0000000000800000-0x00000000009BC000-memory.dmp

Filesize
1.7MB

Download
memory/2024-58-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads