bandook | f4bd7128b8c371149045062f195fc732b74893fb67a7238457e4b4b599c33329

General

Target

PRINTDOC-26042023.exe
Size

4.1MB
MD5

51dc4f8ee85bf56c04daf973753d3d69
SHA1

d53dc03dfec66f48753c76c9065bc4f60556feac
SHA256

f4bd7128b8c371149045062f195fc732b74893fb67a7238457e4b4b599c33329
SHA512

e9a82f1559afcf9d7931cb32b0d03e2cffef3fdd074ee8e4f783fa23752854c5bb69ca853a91a9f2d99bdecd2221abe9d8cd059c7d99491866c7ca26300687a0
SSDEEP

49152:ibVNUatVC8ne36/1o764I2TiFD0ca4E1HFUgim9sTUqUynZsX259LhZ4p:iW

Score

10^/10

bandook rat trojan upx

Malware Config

Extracted

Family

bandook

C2

gombos.ru

Signatures

Bandook RAT
Bandook is a remote access tool written in C++ and shipped with a loader written in Delphi.
rat trojan bandook

Bandook payload 8 IoCs

resource	yara_rule
behavioral1/memory/1864-81-0x0000000013140000-0x0000000013F1F000-memory.dmp	family_bandook
behavioral1/memory/1864-82-0x0000000013140000-0x0000000013F1F000-memory.dmp	family_bandook
behavioral1/memory/1864-88-0x0000000013140000-0x0000000013F1F000-memory.dmp	family_bandook
behavioral1/memory/1864-91-0x0000000013140000-0x0000000013F1F000-memory.dmp	family_bandook
behavioral1/memory/1864-92-0x0000000013140000-0x0000000013F1F000-memory.dmp	family_bandook
behavioral1/memory/1864-93-0x0000000013140000-0x0000000013F1F000-memory.dmp	family_bandook
behavioral1/memory/1864-95-0x0000000013140000-0x0000000013F1F000-memory.dmp	family_bandook
behavioral1/memory/1864-97-0x0000000013140000-0x0000000013F1F000-memory.dmp	family_bandook

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1864-79-0x0000000013140000-0x0000000013F1F000-memory.dmp	upx
behavioral1/memory/1864-80-0x0000000013140000-0x0000000013F1F000-memory.dmp	upx
behavioral1/memory/1864-81-0x0000000013140000-0x0000000013F1F000-memory.dmp	upx
behavioral1/memory/1864-82-0x0000000013140000-0x0000000013F1F000-memory.dmp	upx
behavioral1/memory/1864-88-0x0000000013140000-0x0000000013F1F000-memory.dmp	upx
behavioral1/memory/1864-91-0x0000000013140000-0x0000000013F1F000-memory.dmp	upx
behavioral1/memory/1864-92-0x0000000013140000-0x0000000013F1F000-memory.dmp	upx
behavioral1/memory/1864-93-0x0000000013140000-0x0000000013F1F000-memory.dmp	upx
behavioral1/memory/1864-95-0x0000000013140000-0x0000000013F1F000-memory.dmp	upx
behavioral1/memory/1864-97-0x0000000013140000-0x0000000013F1F000-memory.dmp	upx

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1864	msinfo32.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 836 wrote to memory of 1864	836	PRINTDOC-26042023.exe	27
PID 836 wrote to memory of 1864	836	PRINTDOC-26042023.exe	27
PID 836 wrote to memory of 1864	836	PRINTDOC-26042023.exe	27
PID 836 wrote to memory of 1864	836	PRINTDOC-26042023.exe	27
PID 836 wrote to memory of 612	836	PRINTDOC-26042023.exe	28
PID 836 wrote to memory of 612	836	PRINTDOC-26042023.exe	28
PID 836 wrote to memory of 612	836	PRINTDOC-26042023.exe	28
PID 836 wrote to memory of 612	836	PRINTDOC-26042023.exe	28
PID 836 wrote to memory of 1864	836	PRINTDOC-26042023.exe	27
PID 836 wrote to memory of 1864	836	PRINTDOC-26042023.exe	27

C:\Users\Admin\AppData\Local\Temp\PRINTDOC-26042023.exe
"C:\Users\Admin\AppData\Local\Temp\PRINTDOC-26042023.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:836
- C:\windows\syswow64\msinfo32.exe
  C:\windows\syswow64\msinfo32.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1864
- C:\Users\Admin\AppData\Local\Temp\PRINTDOC-26042023.exe
  C:\Users\Admin\AppData\Local\Temp\PRINTDOC-26042023.exe ooooooooooooooo
  2⤵
  PID:612

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/612-76-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/612-84-0x0000000000400000-0x0000000000832000-memory.dmp

Filesize
4.2MB

Download
memory/612-86-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/612-90-0x0000000000400000-0x0000000000832000-memory.dmp

Filesize
4.2MB

Download
memory/612-99-0x0000000000400000-0x0000000000832000-memory.dmp

Filesize
4.2MB

Download
memory/836-73-0x0000000000400000-0x0000000000832000-memory.dmp

Filesize
4.2MB

Download
memory/836-83-0x0000000000400000-0x0000000000832000-memory.dmp

Filesize
4.2MB

Download
memory/836-74-0x0000000000400000-0x0000000000832000-memory.dmp

Filesize
4.2MB

Download
memory/836-72-0x0000000000400000-0x0000000000832000-memory.dmp

Filesize
4.2MB

Download
memory/836-106-0x0000000000400000-0x0000000000832000-memory.dmp

Filesize
4.2MB

Download
memory/836-59-0x0000000000400000-0x0000000000832000-memory.dmp

Filesize
4.2MB

Download
memory/836-58-0x0000000000400000-0x0000000000832000-memory.dmp

Filesize
4.2MB

Download
memory/836-54-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/836-56-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/836-55-0x0000000000400000-0x0000000000832000-memory.dmp

Filesize
4.2MB

Download
memory/1864-80-0x0000000013140000-0x0000000013F1F000-memory.dmp

Filesize
13.9MB

Download
memory/1864-82-0x0000000013140000-0x0000000013F1F000-memory.dmp

Filesize
13.9MB

Download
memory/1864-81-0x0000000013140000-0x0000000013F1F000-memory.dmp

Filesize
13.9MB

Download
memory/1864-88-0x0000000013140000-0x0000000013F1F000-memory.dmp

Filesize
13.9MB

Download
memory/1864-79-0x0000000013140000-0x0000000013F1F000-memory.dmp

Filesize
13.9MB

Download
memory/1864-91-0x0000000013140000-0x0000000013F1F000-memory.dmp

Filesize
13.9MB

Download
memory/1864-92-0x0000000013140000-0x0000000013F1F000-memory.dmp

Filesize
13.9MB

Download
memory/1864-93-0x0000000013140000-0x0000000013F1F000-memory.dmp

Filesize
13.9MB

Download
memory/1864-95-0x0000000013140000-0x0000000013F1F000-memory.dmp

Filesize
13.9MB

Download
memory/1864-97-0x0000000013140000-0x0000000013F1F000-memory.dmp

Filesize
13.9MB

Download
memory/1864-78-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1864-77-0x0000000013140000-0x0000000013F1F000-memory.dmp

Filesize
13.9MB

Download

Analysis

Sharing