bandook | 10fc04298c934e896a333c2c13386291d5dd33304bf5f0af90636f86c28d460b

General

Target

10fc04298c934e896a333c2c13386291d5dd33304bf5f0af90636f86c28d460b.dll
Size

1.6MB
MD5

64d515247b8388fdacf4e0450a3a9c6f
SHA1

8eeadf672a3523442f224484a11f9f49cbcc6de7
SHA256

10fc04298c934e896a333c2c13386291d5dd33304bf5f0af90636f86c28d460b
SHA512

b644ccc09c96fd02839668561d992fd8f3a804d95d5cafc904e2293362e9ec1a4718cb89ddcb54d99dd0eae704c80d27e7f1d8b3882c0c308168ffe8d3830185
SSDEEP

24576:e/bH/oLrO40yatxnq0J9Ctc6TLrZiHA/P8TY+ltvK9lRRlIvn47UK:eDn4S9CCqqY+ltvKh3847UK

Score

10^/10

bandook persistence rat trojan upx

Malware Config

Extracted

Family

bandook

C2

kaliex.net

Signatures

Bandook RAT
Bandook is a remote access tool written in C++ and shipped with a loader written in Delphi.
rat trojan bandook

Bandook payload 3 IoCs

resource	yara_rule
behavioral2/memory/1772-142-0x0000000013140000-0x0000000013B96000-memory.dmp	family_bandook
behavioral2/memory/1772-143-0x0000000013140000-0x0000000013B96000-memory.dmp	family_bandook
behavioral2/memory/1772-144-0x0000000013140000-0x0000000013B96000-memory.dmp	family_bandook

Executes dropped EXE 2 IoCs

pid	Process
3240	91635.exe
1772	91635.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1772-138-0x0000000013140000-0x0000000013B96000-memory.dmp	upx
behavioral2/memory/1772-141-0x0000000013140000-0x0000000013B96000-memory.dmp	upx
behavioral2/memory/1772-142-0x0000000013140000-0x0000000013B96000-memory.dmp	upx
behavioral2/memory/1772-143-0x0000000013140000-0x0000000013B96000-memory.dmp	upx
behavioral2/memory/1772-144-0x0000000013140000-0x0000000013B96000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows\CurrentVersion\Run	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MMS = "C:\\Users\\Admin\\AppData\\Roaming\\MMS\\mms.exe"	iexplore.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3240 set thread context of 1772	3240	91635.exe	89

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 2544 wrote to memory of 2260	2544	rundll32.exe	81
PID 2544 wrote to memory of 2260	2544	rundll32.exe	81
PID 2544 wrote to memory of 2260	2544	rundll32.exe	81
PID 2260 wrote to memory of 3240	2260	rundll32.exe	87
PID 2260 wrote to memory of 3240	2260	rundll32.exe	87
PID 2260 wrote to memory of 3240	2260	rundll32.exe	87
PID 3240 wrote to memory of 1772	3240	91635.exe	89
PID 3240 wrote to memory of 1772	3240	91635.exe	89
PID 3240 wrote to memory of 1772	3240	91635.exe	89
PID 3240 wrote to memory of 1772	3240	91635.exe	89
PID 3240 wrote to memory of 1772	3240	91635.exe	89
PID 1772 wrote to memory of 3964	1772	91635.exe	92
PID 1772 wrote to memory of 3964	1772	91635.exe	92
PID 1772 wrote to memory of 3964	1772	91635.exe	92
PID 1772 wrote to memory of 3964	1772	91635.exe	92
PID 1772 wrote to memory of 1292	1772	91635.exe	98
PID 1772 wrote to memory of 1292	1772	91635.exe	98
PID 1772 wrote to memory of 1292	1772	91635.exe	98
PID 1772 wrote to memory of 1292	1772	91635.exe	98
PID 1772 wrote to memory of 2224	1772	91635.exe	101
PID 1772 wrote to memory of 2224	1772	91635.exe	101
PID 1772 wrote to memory of 2224	1772	91635.exe	101
PID 1772 wrote to memory of 2224	1772	91635.exe	101
PID 1772 wrote to memory of 2036	1772	91635.exe	102
PID 1772 wrote to memory of 2036	1772	91635.exe	102
PID 1772 wrote to memory of 2036	1772	91635.exe	102
PID 1772 wrote to memory of 2036	1772	91635.exe	102

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\10fc04298c934e896a333c2c13386291d5dd33304bf5f0af90636f86c28d460b.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2544
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\10fc04298c934e896a333c2c13386291d5dd33304bf5f0af90636f86c28d460b.dll,#1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2260
- - C:\Users\Admin\AppData\Roaming\91635.exe
    C:\Users\Admin\AppData\Roaming\91635.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:3240
  - - C:\Users\Admin\AppData\Roaming\91635.exe
      C:\Users\Admin\AppData\Roaming\91635.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1772
    - - C:\Program Files (x86)\Internet Explorer\iexplore.exe
        
        "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:3964
    - - C:\Program Files (x86)\Internet Explorer\iexplore.exe
        
        "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
        5⤵
        Adds Run key to start application
        
        PID:1292
    - - C:\Program Files (x86)\Internet Explorer\iexplore.exe
        
        "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2224
    - - C:\Program Files (x86)\Internet Explorer\iexplore.exe
        
        "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2036

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\91635.exe

Filesize
102KB

MD5
535baf9334cc9e37519275df538886df

SHA1
08b0b15c1b49b9782832706d3d2c0fc3e8689ae8

SHA256
7705d371b85c8248a593e307d53525b456d9788a9c4377d457e9bceb021d9e45

SHA512
ae5656dce65ef11804b86f8c95d0b36a6d088100c1c2bc98a0c523f05f39f3c16e7e3ae8f7559802164855f708a485aff5b111c88d12379e7ea745e3d5a11b06

Download Submit
C:\Users\Admin\AppData\Roaming\91635.exe

Filesize
102KB

MD5
535baf9334cc9e37519275df538886df

SHA1
08b0b15c1b49b9782832706d3d2c0fc3e8689ae8

SHA256
7705d371b85c8248a593e307d53525b456d9788a9c4377d457e9bceb021d9e45

SHA512
ae5656dce65ef11804b86f8c95d0b36a6d088100c1c2bc98a0c523f05f39f3c16e7e3ae8f7559802164855f708a485aff5b111c88d12379e7ea745e3d5a11b06

Download Submit
C:\Users\Admin\AppData\Roaming\91635.exe

Filesize
102KB

MD5
535baf9334cc9e37519275df538886df

SHA1
08b0b15c1b49b9782832706d3d2c0fc3e8689ae8

SHA256
7705d371b85c8248a593e307d53525b456d9788a9c4377d457e9bceb021d9e45

SHA512
ae5656dce65ef11804b86f8c95d0b36a6d088100c1c2bc98a0c523f05f39f3c16e7e3ae8f7559802164855f708a485aff5b111c88d12379e7ea745e3d5a11b06

Download Submit
memory/1772-138-0x0000000013140000-0x0000000013B96000-memory.dmp

Filesize
10.3MB

Download
memory/1772-141-0x0000000013140000-0x0000000013B96000-memory.dmp

Filesize
10.3MB

Download
memory/1772-142-0x0000000013140000-0x0000000013B96000-memory.dmp

Filesize
10.3MB

Download
memory/1772-143-0x0000000013140000-0x0000000013B96000-memory.dmp

Filesize
10.3MB

Download
memory/1772-144-0x0000000013140000-0x0000000013B96000-memory.dmp

Filesize
10.3MB

Download
memory/2260-133-0x0000000002270000-0x000000000242C000-memory.dmp

Filesize
1.7MB

Download

Analysis

Sharing