bandook | f4bd7128b8c371149045062f195fc732b74893fb67a7238457e4b4b599c33329

General

Target

PRINTDOC-26042023.exe
Size

4.1MB
MD5

51dc4f8ee85bf56c04daf973753d3d69
SHA1

d53dc03dfec66f48753c76c9065bc4f60556feac
SHA256

f4bd7128b8c371149045062f195fc732b74893fb67a7238457e4b4b599c33329
SHA512

e9a82f1559afcf9d7931cb32b0d03e2cffef3fdd074ee8e4f783fa23752854c5bb69ca853a91a9f2d99bdecd2221abe9d8cd059c7d99491866c7ca26300687a0
SSDEEP

49152:ibVNUatVC8ne36/1o764I2TiFD0ca4E1HFUgim9sTUqUynZsX259LhZ4p:iW

Score

10^/10

bandook rat trojan upx

Malware Config

Extracted

Family

bandook

C2

gombos.ru

Signatures

Bandook RAT
Bandook is a remote access tool written in C++ and shipped with a loader written in Delphi.
rat trojan bandook

Bandook payload 8 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1704-157-0x0000000013140000-0x0000000013F1F000-memory.dmp	family_bandook
behavioral2/memory/1704-158-0x0000000013140000-0x0000000013F1F000-memory.dmp	family_bandook
behavioral2/memory/1704-159-0x0000000013140000-0x0000000013F1F000-memory.dmp	family_bandook
behavioral2/memory/1704-160-0x0000000013140000-0x0000000013F1F000-memory.dmp	family_bandook
behavioral2/memory/1704-161-0x0000000013140000-0x0000000013F1F000-memory.dmp	family_bandook
behavioral2/memory/1704-163-0x0000000013140000-0x0000000013F1F000-memory.dmp	family_bandook
behavioral2/memory/1704-165-0x0000000013140000-0x0000000013F1F000-memory.dmp	family_bandook
behavioral2/memory/1704-169-0x0000000013140000-0x0000000013F1F000-memory.dmp	family_bandook

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/1704-155-0x0000000013140000-0x0000000013F1F000-memory.dmp	upx
behavioral2/memory/1704-156-0x0000000013140000-0x0000000013F1F000-memory.dmp	upx
behavioral2/memory/1704-157-0x0000000013140000-0x0000000013F1F000-memory.dmp	upx
behavioral2/memory/1704-158-0x0000000013140000-0x0000000013F1F000-memory.dmp	upx
behavioral2/memory/1704-159-0x0000000013140000-0x0000000013F1F000-memory.dmp	upx
behavioral2/memory/1704-160-0x0000000013140000-0x0000000013F1F000-memory.dmp	upx
behavioral2/memory/1704-161-0x0000000013140000-0x0000000013F1F000-memory.dmp	upx
behavioral2/memory/1704-163-0x0000000013140000-0x0000000013F1F000-memory.dmp	upx
behavioral2/memory/1704-165-0x0000000013140000-0x0000000013F1F000-memory.dmp	upx
behavioral2/memory/1704-169-0x0000000013140000-0x0000000013F1F000-memory.dmp	upx

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

msinfo32.exe

pid process

1704 msinfo32.exe
1704 msinfo32.exe

pid	process
1704	msinfo32.exe
1704	msinfo32.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

PRINTDOC-26042023.exe

description	pid	process	target process
PID 1684 wrote to memory of 1704	1684	PRINTDOC-26042023.exe	msinfo32.exe
PID 1684 wrote to memory of 1704	1684	PRINTDOC-26042023.exe	msinfo32.exe
PID 1684 wrote to memory of 1704	1684	PRINTDOC-26042023.exe	msinfo32.exe
PID 1684 wrote to memory of 4524	1684	PRINTDOC-26042023.exe	PRINTDOC-26042023.exe
PID 1684 wrote to memory of 4524	1684	PRINTDOC-26042023.exe	PRINTDOC-26042023.exe
PID 1684 wrote to memory of 4524	1684	PRINTDOC-26042023.exe	PRINTDOC-26042023.exe
PID 1684 wrote to memory of 1704	1684	PRINTDOC-26042023.exe	msinfo32.exe
PID 1684 wrote to memory of 1704	1684	PRINTDOC-26042023.exe	msinfo32.exe

C:\Users\Admin\AppData\Local\Temp\PRINTDOC-26042023.exe
"C:\Users\Admin\AppData\Local\Temp\PRINTDOC-26042023.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1684

C:\windows\SysWOW64\msinfo32.exe
C:\windows\syswow64\msinfo32.exe
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1704

C:\Users\Admin\AppData\Local\Temp\PRINTDOC-26042023.exe
C:\Users\Admin\AppData\Local\Temp\PRINTDOC-26042023.exe ooooooooooooooo
2⤵
PID:4524

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1684-133-0x00000000025B0000-0x00000000025B1000-memory.dmp

Filesize
4KB

Download
memory/1684-134-0x0000000000400000-0x0000000000832000-memory.dmp

Filesize
4.2MB

Download
memory/1684-135-0x0000000000400000-0x0000000000832000-memory.dmp

Filesize
4.2MB

Download
memory/1684-136-0x0000000000400000-0x0000000000832000-memory.dmp

Filesize
4.2MB

Download
memory/1684-137-0x0000000000400000-0x0000000000832000-memory.dmp

Filesize
4.2MB

Download
memory/1684-150-0x0000000000400000-0x0000000000832000-memory.dmp

Filesize
4.2MB

Download
memory/1684-151-0x0000000000400000-0x0000000000832000-memory.dmp

Filesize
4.2MB

Download
memory/1684-152-0x0000000000400000-0x0000000000832000-memory.dmp

Filesize
4.2MB

Download
memory/1684-153-0x0000000000400000-0x0000000000832000-memory.dmp

Filesize
4.2MB

Download
memory/1684-180-0x0000000000400000-0x0000000000832000-memory.dmp

Filesize
4.2MB

Download
memory/1684-166-0x0000000000400000-0x0000000000832000-memory.dmp

Filesize
4.2MB

Download
memory/1704-157-0x0000000013140000-0x0000000013F1F000-memory.dmp

Filesize
13.9MB

Download
memory/1704-165-0x0000000013140000-0x0000000013F1F000-memory.dmp

Filesize
13.9MB

Download
memory/1704-158-0x0000000013140000-0x0000000013F1F000-memory.dmp

Filesize
13.9MB

Download
memory/1704-159-0x0000000013140000-0x0000000013F1F000-memory.dmp

Filesize
13.9MB

Download
memory/1704-160-0x0000000013140000-0x0000000013F1F000-memory.dmp

Filesize
13.9MB

Download
memory/1704-161-0x0000000013140000-0x0000000013F1F000-memory.dmp

Filesize
13.9MB

Download
memory/1704-163-0x0000000013140000-0x0000000013F1F000-memory.dmp

Filesize
13.9MB

Download
memory/1704-156-0x0000000013140000-0x0000000013F1F000-memory.dmp

Filesize
13.9MB

Download
memory/1704-155-0x0000000013140000-0x0000000013F1F000-memory.dmp

Filesize
13.9MB

Download
memory/1704-169-0x0000000013140000-0x0000000013F1F000-memory.dmp

Filesize
13.9MB

Download
memory/4524-168-0x0000000002480000-0x0000000002481000-memory.dmp

Filesize
4KB

Download
memory/4524-167-0x0000000000400000-0x0000000000832000-memory.dmp

Filesize
4.2MB

Download
memory/4524-171-0x0000000000400000-0x0000000000832000-memory.dmp

Filesize
4.2MB

Download
memory/4524-173-0x0000000000400000-0x0000000000832000-memory.dmp

Filesize
4.2MB

Download
memory/4524-154-0x0000000002480000-0x0000000002481000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads