bandook | f4bd7128b8c371149045062f195fc732b74893fb67a7238457e4b4b599c33329

General

Target

PRINTDOC-26042023.exe
Size

4.1MB
MD5

51dc4f8ee85bf56c04daf973753d3d69
SHA1

d53dc03dfec66f48753c76c9065bc4f60556feac
SHA256

f4bd7128b8c371149045062f195fc732b74893fb67a7238457e4b4b599c33329
SHA512

e9a82f1559afcf9d7931cb32b0d03e2cffef3fdd074ee8e4f783fa23752854c5bb69ca853a91a9f2d99bdecd2221abe9d8cd059c7d99491866c7ca26300687a0
SSDEEP

49152:ibVNUatVC8ne36/1o764I2TiFD0ca4E1HFUgim9sTUqUynZsX259LhZ4p:iW

Score

10^/10

bandook rat trojan upx

Malware Config

Extracted

Family

bandook

C2

gombos.ru

Signatures

Bandook RAT
Bandook is a remote access tool written in C++ and shipped with a loader written in Delphi.
rat trojan bandook

Bandook payload 8 IoCs

resource	yara_rule
behavioral2/memory/1704-157-0x0000000013140000-0x0000000013F1F000-memory.dmp	family_bandook
behavioral2/memory/1704-158-0x0000000013140000-0x0000000013F1F000-memory.dmp	family_bandook
behavioral2/memory/1704-159-0x0000000013140000-0x0000000013F1F000-memory.dmp	family_bandook
behavioral2/memory/1704-160-0x0000000013140000-0x0000000013F1F000-memory.dmp	family_bandook
behavioral2/memory/1704-161-0x0000000013140000-0x0000000013F1F000-memory.dmp	family_bandook
behavioral2/memory/1704-163-0x0000000013140000-0x0000000013F1F000-memory.dmp	family_bandook
behavioral2/memory/1704-165-0x0000000013140000-0x0000000013F1F000-memory.dmp	family_bandook
behavioral2/memory/1704-169-0x0000000013140000-0x0000000013F1F000-memory.dmp	family_bandook

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1704-155-0x0000000013140000-0x0000000013F1F000-memory.dmp	upx
behavioral2/memory/1704-156-0x0000000013140000-0x0000000013F1F000-memory.dmp	upx
behavioral2/memory/1704-157-0x0000000013140000-0x0000000013F1F000-memory.dmp	upx
behavioral2/memory/1704-158-0x0000000013140000-0x0000000013F1F000-memory.dmp	upx
behavioral2/memory/1704-159-0x0000000013140000-0x0000000013F1F000-memory.dmp	upx
behavioral2/memory/1704-160-0x0000000013140000-0x0000000013F1F000-memory.dmp	upx
behavioral2/memory/1704-161-0x0000000013140000-0x0000000013F1F000-memory.dmp	upx
behavioral2/memory/1704-163-0x0000000013140000-0x0000000013F1F000-memory.dmp	upx
behavioral2/memory/1704-165-0x0000000013140000-0x0000000013F1F000-memory.dmp	upx
behavioral2/memory/1704-169-0x0000000013140000-0x0000000013F1F000-memory.dmp	upx

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1704	msinfo32.exe
1704	msinfo32.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1684 wrote to memory of 1704	1684	PRINTDOC-26042023.exe	92
PID 1684 wrote to memory of 1704	1684	PRINTDOC-26042023.exe	92
PID 1684 wrote to memory of 1704	1684	PRINTDOC-26042023.exe	92
PID 1684 wrote to memory of 4524	1684	PRINTDOC-26042023.exe	93
PID 1684 wrote to memory of 4524	1684	PRINTDOC-26042023.exe	93
PID 1684 wrote to memory of 4524	1684	PRINTDOC-26042023.exe	93
PID 1684 wrote to memory of 1704	1684	PRINTDOC-26042023.exe	92
PID 1684 wrote to memory of 1704	1684	PRINTDOC-26042023.exe	92

C:\Users\Admin\AppData\Local\Temp\PRINTDOC-26042023.exe
"C:\Users\Admin\AppData\Local\Temp\PRINTDOC-26042023.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1684
- C:\windows\SysWOW64\msinfo32.exe
  C:\windows\syswow64\msinfo32.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1704
- C:\Users\Admin\AppData\Local\Temp\PRINTDOC-26042023.exe
  C:\Users\Admin\AppData\Local\Temp\PRINTDOC-26042023.exe ooooooooooooooo
  2⤵
  PID:4524

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1684-133-0x00000000025B0000-0x00000000025B1000-memory.dmp

Filesize
4KB

Download
memory/1684-134-0x0000000000400000-0x0000000000832000-memory.dmp

Filesize
4.2MB

Download
memory/1684-135-0x0000000000400000-0x0000000000832000-memory.dmp

Filesize
4.2MB

Download
memory/1684-136-0x0000000000400000-0x0000000000832000-memory.dmp

Filesize
4.2MB

Download
memory/1684-137-0x0000000000400000-0x0000000000832000-memory.dmp

Filesize
4.2MB

Download
memory/1684-150-0x0000000000400000-0x0000000000832000-memory.dmp

Filesize
4.2MB

Download
memory/1684-151-0x0000000000400000-0x0000000000832000-memory.dmp

Filesize
4.2MB

Download
memory/1684-152-0x0000000000400000-0x0000000000832000-memory.dmp

Filesize
4.2MB

Download
memory/1684-153-0x0000000000400000-0x0000000000832000-memory.dmp

Filesize
4.2MB

Download
memory/1684-180-0x0000000000400000-0x0000000000832000-memory.dmp

Filesize
4.2MB

Download
memory/1684-166-0x0000000000400000-0x0000000000832000-memory.dmp

Filesize
4.2MB

Download
memory/1704-157-0x0000000013140000-0x0000000013F1F000-memory.dmp

Filesize
13.9MB

Download
memory/1704-165-0x0000000013140000-0x0000000013F1F000-memory.dmp

Filesize
13.9MB

Download
memory/1704-158-0x0000000013140000-0x0000000013F1F000-memory.dmp

Filesize
13.9MB

Download
memory/1704-159-0x0000000013140000-0x0000000013F1F000-memory.dmp

Filesize
13.9MB

Download
memory/1704-160-0x0000000013140000-0x0000000013F1F000-memory.dmp

Filesize
13.9MB

Download
memory/1704-161-0x0000000013140000-0x0000000013F1F000-memory.dmp

Filesize
13.9MB

Download
memory/1704-163-0x0000000013140000-0x0000000013F1F000-memory.dmp

Filesize
13.9MB

Download
memory/1704-156-0x0000000013140000-0x0000000013F1F000-memory.dmp

Filesize
13.9MB

Download
memory/1704-155-0x0000000013140000-0x0000000013F1F000-memory.dmp

Filesize
13.9MB

Download
memory/1704-169-0x0000000013140000-0x0000000013F1F000-memory.dmp

Filesize
13.9MB

Download
memory/4524-168-0x0000000002480000-0x0000000002481000-memory.dmp

Filesize
4KB

Download
memory/4524-167-0x0000000000400000-0x0000000000832000-memory.dmp

Filesize
4.2MB

Download
memory/4524-171-0x0000000000400000-0x0000000000832000-memory.dmp

Filesize
4.2MB

Download
memory/4524-173-0x0000000000400000-0x0000000000832000-memory.dmp

Filesize
4.2MB

Download
memory/4524-154-0x0000000002480000-0x0000000002481000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing