bandook | 10fc04298c934e896a333c2c13386291d5dd33304bf5f0af90636f86c28d460b

General

Target

10fc04298c934e896a333c2c13386291d5dd33304bf5f0af90636f86c28d460b.dll
Size

1.6MB
MD5

64d515247b8388fdacf4e0450a3a9c6f
SHA1

8eeadf672a3523442f224484a11f9f49cbcc6de7
SHA256

10fc04298c934e896a333c2c13386291d5dd33304bf5f0af90636f86c28d460b
SHA512

b644ccc09c96fd02839668561d992fd8f3a804d95d5cafc904e2293362e9ec1a4718cb89ddcb54d99dd0eae704c80d27e7f1d8b3882c0c308168ffe8d3830185
SSDEEP

24576:e/bH/oLrO40yatxnq0J9Ctc6TLrZiHA/P8TY+ltvK9lRRlIvn47UK:eDn4S9CCqqY+ltvKh3847UK

Score

10^/10

bandook persistence rat trojan upx

Malware Config

Extracted

Family

bandook

C2

kaliex.net

Signatures

Bandook RAT
Bandook is a remote access tool written in C++ and shipped with a loader written in Delphi.
rat trojan bandook

Bandook payload 3 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1772-142-0x0000000013140000-0x0000000013B96000-memory.dmp	family_bandook
behavioral2/memory/1772-143-0x0000000013140000-0x0000000013B96000-memory.dmp	family_bandook
behavioral2/memory/1772-144-0x0000000013140000-0x0000000013B96000-memory.dmp	family_bandook

Executes dropped EXE 2 IoCs

Processes:

91635.exe91635.exe

pid process

3240 91635.exe
1772 91635.exe

pid	process
3240	91635.exe
1772	91635.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/1772-138-0x0000000013140000-0x0000000013B96000-memory.dmp	upx
behavioral2/memory/1772-141-0x0000000013140000-0x0000000013B96000-memory.dmp	upx
behavioral2/memory/1772-142-0x0000000013140000-0x0000000013B96000-memory.dmp	upx
behavioral2/memory/1772-143-0x0000000013140000-0x0000000013B96000-memory.dmp	upx
behavioral2/memory/1772-144-0x0000000013140000-0x0000000013B96000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

iexplore.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows\CurrentVersion\Run	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MMS = "C:\\Users\\Admin\\AppData\\Roaming\\MMS\\mms.exe"	iexplore.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

91635.exe

description pid process target process

PID 3240 set thread context of 1772 3240 91635.exe 91635.exe

description	pid	process	target process
PID 3240 set thread context of 1772	3240	91635.exe	91635.exe

Suspicious use of WriteProcessMemory 27 IoCs

Processes:

rundll32.exerundll32.exe91635.exe91635.exe

description	pid	process	target process
PID 2544 wrote to memory of 2260	2544	rundll32.exe	rundll32.exe
PID 2544 wrote to memory of 2260	2544	rundll32.exe	rundll32.exe
PID 2544 wrote to memory of 2260	2544	rundll32.exe	rundll32.exe
PID 2260 wrote to memory of 3240	2260	rundll32.exe	91635.exe
PID 2260 wrote to memory of 3240	2260	rundll32.exe	91635.exe
PID 2260 wrote to memory of 3240	2260	rundll32.exe	91635.exe
PID 3240 wrote to memory of 1772	3240	91635.exe	91635.exe
PID 3240 wrote to memory of 1772	3240	91635.exe	91635.exe
PID 3240 wrote to memory of 1772	3240	91635.exe	91635.exe
PID 3240 wrote to memory of 1772	3240	91635.exe	91635.exe
PID 3240 wrote to memory of 1772	3240	91635.exe	91635.exe
PID 1772 wrote to memory of 3964	1772	91635.exe	iexplore.exe
PID 1772 wrote to memory of 3964	1772	91635.exe	iexplore.exe
PID 1772 wrote to memory of 3964	1772	91635.exe	iexplore.exe
PID 1772 wrote to memory of 3964	1772	91635.exe	iexplore.exe
PID 1772 wrote to memory of 1292	1772	91635.exe	iexplore.exe
PID 1772 wrote to memory of 1292	1772	91635.exe	iexplore.exe
PID 1772 wrote to memory of 1292	1772	91635.exe	iexplore.exe
PID 1772 wrote to memory of 1292	1772	91635.exe	iexplore.exe
PID 1772 wrote to memory of 2224	1772	91635.exe	iexplore.exe
PID 1772 wrote to memory of 2224	1772	91635.exe	iexplore.exe
PID 1772 wrote to memory of 2224	1772	91635.exe	iexplore.exe
PID 1772 wrote to memory of 2224	1772	91635.exe	iexplore.exe
PID 1772 wrote to memory of 2036	1772	91635.exe	iexplore.exe
PID 1772 wrote to memory of 2036	1772	91635.exe	iexplore.exe
PID 1772 wrote to memory of 2036	1772	91635.exe	iexplore.exe
PID 1772 wrote to memory of 2036	1772	91635.exe	iexplore.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\10fc04298c934e896a333c2c13386291d5dd33304bf5f0af90636f86c28d460b.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2544

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\10fc04298c934e896a333c2c13386291d5dd33304bf5f0af90636f86c28d460b.dll,#1
2⤵
- Suspicious use of WriteProcessMemory
PID:2260

C:\Users\Admin\AppData\Roaming\91635.exe
C:\Users\Admin\AppData\Roaming\91635.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3240

C:\Users\Admin\AppData\Roaming\91635.exe
C:\Users\Admin\AppData\Roaming\91635.exe
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1772

C:\Program Files (x86)\Internet Explorer\iexplore.exe
"C:\Program Files (x86)\Internet Explorer\iexplore.exe"
5⤵
PID:3964

C:\Program Files (x86)\Internet Explorer\iexplore.exe
"C:\Program Files (x86)\Internet Explorer\iexplore.exe"
5⤵
- Adds Run key to start application
PID:1292

C:\Program Files (x86)\Internet Explorer\iexplore.exe
"C:\Program Files (x86)\Internet Explorer\iexplore.exe"
5⤵
PID:2224

C:\Program Files (x86)\Internet Explorer\iexplore.exe
"C:\Program Files (x86)\Internet Explorer\iexplore.exe"
5⤵
PID:2036

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\91635.exe
Filesize
102KB

MD5
535baf9334cc9e37519275df538886df

SHA1
08b0b15c1b49b9782832706d3d2c0fc3e8689ae8

SHA256
7705d371b85c8248a593e307d53525b456d9788a9c4377d457e9bceb021d9e45

SHA512
ae5656dce65ef11804b86f8c95d0b36a6d088100c1c2bc98a0c523f05f39f3c16e7e3ae8f7559802164855f708a485aff5b111c88d12379e7ea745e3d5a11b06

Download Submit
C:\Users\Admin\AppData\Roaming\91635.exe
Filesize
102KB

MD5
535baf9334cc9e37519275df538886df

SHA1
08b0b15c1b49b9782832706d3d2c0fc3e8689ae8

SHA256
7705d371b85c8248a593e307d53525b456d9788a9c4377d457e9bceb021d9e45

SHA512
ae5656dce65ef11804b86f8c95d0b36a6d088100c1c2bc98a0c523f05f39f3c16e7e3ae8f7559802164855f708a485aff5b111c88d12379e7ea745e3d5a11b06

Download Submit
C:\Users\Admin\AppData\Roaming\91635.exe
Filesize
102KB

MD5
535baf9334cc9e37519275df538886df

SHA1
08b0b15c1b49b9782832706d3d2c0fc3e8689ae8

SHA256
7705d371b85c8248a593e307d53525b456d9788a9c4377d457e9bceb021d9e45

SHA512
ae5656dce65ef11804b86f8c95d0b36a6d088100c1c2bc98a0c523f05f39f3c16e7e3ae8f7559802164855f708a485aff5b111c88d12379e7ea745e3d5a11b06

Download Submit
memory/1772-137-0x0000000000000000-mapping.dmp

Download
memory/1772-138-0x0000000013140000-0x0000000013B96000-memory.dmp

Filesize
10.3MB

Download
memory/1772-141-0x0000000013140000-0x0000000013B96000-memory.dmp

Filesize
10.3MB

Download
memory/1772-142-0x0000000013140000-0x0000000013B96000-memory.dmp

Filesize
10.3MB

Download
memory/1772-143-0x0000000013140000-0x0000000013B96000-memory.dmp

Filesize
10.3MB

Download
memory/1772-144-0x0000000013140000-0x0000000013B96000-memory.dmp

Filesize
10.3MB

Download
memory/2260-132-0x0000000000000000-mapping.dmp

Download
memory/2260-133-0x0000000002270000-0x000000000242C000-memory.dmp

Filesize
1.7MB

Download
memory/3240-134-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads