bandook | e2e984b3044ab8f96ec284dc2af339923fb6cdded37a551125c899a1c60376a3

General

Target

1Solicitud de comprá.exe
Size

4.6MB
MD5

795d1f81ac926d3e071eacef70e595c1
SHA1

73301458ce9c775e6416fbe9f1921ecc4f69d099
SHA256

e2e984b3044ab8f96ec284dc2af339923fb6cdded37a551125c899a1c60376a3
SHA512

c436fd1ebc99d384c434e2b6b6494fefa7f18ccae6de755491ae03b234b6f08fcb616a5a60e89b6e80356cbf00c39ddc8e350e6bad8f23285498a906b9df5a85
SSDEEP

49152:nvPLNuoyGZVhMfUhJKehyrNru0bqMpjgK9aSN6wtiGe50oO6z7YYA698nTnUkcNW:nvPRBIsTKehy3

Score

10^/10

bandook rat trojan upx

Malware Config

Extracted

Family

bandook

C2

gombos.ru

Signatures

Bandook RAT
Bandook is a remote access tool written in C++ and shipped with a loader written in Delphi.
rat trojan bandook

Bandook payload 7 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1820-79-0x0000000013140000-0x000000001400A000-memory.dmp	family_bandook
behavioral1/memory/1820-80-0x0000000013140000-0x000000001400A000-memory.dmp	family_bandook
behavioral1/memory/1820-85-0x0000000013140000-0x000000001400A000-memory.dmp	family_bandook
behavioral1/memory/1820-86-0x0000000013140000-0x000000001400A000-memory.dmp	family_bandook
behavioral1/memory/1820-87-0x0000000013140000-0x000000001400A000-memory.dmp	family_bandook
behavioral1/memory/1820-89-0x0000000013140000-0x000000001400A000-memory.dmp	family_bandook
behavioral1/memory/1820-91-0x0000000013140000-0x000000001400A000-memory.dmp	family_bandook

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1820-77-0x0000000013140000-0x000000001400A000-memory.dmp	upx
behavioral1/memory/1820-78-0x0000000013140000-0x000000001400A000-memory.dmp	upx
behavioral1/memory/1820-79-0x0000000013140000-0x000000001400A000-memory.dmp	upx
behavioral1/memory/1820-80-0x0000000013140000-0x000000001400A000-memory.dmp	upx
behavioral1/memory/1820-85-0x0000000013140000-0x000000001400A000-memory.dmp	upx
behavioral1/memory/1820-86-0x0000000013140000-0x000000001400A000-memory.dmp	upx
behavioral1/memory/1820-87-0x0000000013140000-0x000000001400A000-memory.dmp	upx
behavioral1/memory/1820-89-0x0000000013140000-0x000000001400A000-memory.dmp	upx
behavioral1/memory/1820-91-0x0000000013140000-0x000000001400A000-memory.dmp	upx

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

msinfo32.exe

pid process

1820 msinfo32.exe

pid	process
1820	msinfo32.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

1Solicitud de comprá.exe

description	pid	process	target process
PID 1712 wrote to memory of 1820	1712	1Solicitud de comprá.exe	msinfo32.exe
PID 1712 wrote to memory of 1820	1712	1Solicitud de comprá.exe	msinfo32.exe
PID 1712 wrote to memory of 1820	1712	1Solicitud de comprá.exe	msinfo32.exe
PID 1712 wrote to memory of 1820	1712	1Solicitud de comprá.exe	msinfo32.exe
PID 1712 wrote to memory of 1820	1712	1Solicitud de comprá.exe	msinfo32.exe
PID 1712 wrote to memory of 1820	1712	1Solicitud de comprá.exe	msinfo32.exe

C:\Users\Admin\AppData\Local\Temp\1Solicitud de comprá.exe
"C:\Users\Admin\AppData\Local\Temp\1Solicitud de comprá.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1712

C:\windows\syswow64\msinfo32.exe
C:\windows\syswow64\msinfo32.exe
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1820

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1712-81-0x0000000000400000-0x00000000008A4000-memory.dmp

Filesize
4.6MB

Download
memory/1712-56-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1712-54-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1712-57-0x0000000000400000-0x00000000008A4000-memory.dmp

Filesize
4.6MB

Download
memory/1712-58-0x0000000000400000-0x00000000008A4000-memory.dmp

Filesize
4.6MB

Download
memory/1712-59-0x0000000000400000-0x00000000008A4000-memory.dmp

Filesize
4.6MB

Download
memory/1712-71-0x0000000000400000-0x00000000008A4000-memory.dmp

Filesize
4.6MB

Download
memory/1712-72-0x0000000000400000-0x00000000008A4000-memory.dmp

Filesize
4.6MB

Download
memory/1712-73-0x0000000000400000-0x00000000008A4000-memory.dmp

Filesize
4.6MB

Download
memory/1712-55-0x0000000000400000-0x00000000008A4000-memory.dmp

Filesize
4.6MB

Download
memory/1712-95-0x0000000000400000-0x00000000008A4000-memory.dmp

Filesize
4.6MB

Download
memory/1820-75-0x0000000013140000-0x000000001400A000-memory.dmp

Filesize
14.8MB

Download
memory/1820-78-0x0000000013140000-0x000000001400A000-memory.dmp

Filesize
14.8MB

Download
memory/1820-79-0x0000000013140000-0x000000001400A000-memory.dmp

Filesize
14.8MB

Download
memory/1820-80-0x0000000013140000-0x000000001400A000-memory.dmp

Filesize
14.8MB

Download
memory/1820-77-0x0000000013140000-0x000000001400A000-memory.dmp

Filesize
14.8MB

Download
memory/1820-85-0x0000000013140000-0x000000001400A000-memory.dmp

Filesize
14.8MB

Download
memory/1820-86-0x0000000013140000-0x000000001400A000-memory.dmp

Filesize
14.8MB

Download
memory/1820-87-0x0000000013140000-0x000000001400A000-memory.dmp

Filesize
14.8MB

Download
memory/1820-89-0x0000000013140000-0x000000001400A000-memory.dmp

Filesize
14.8MB

Download
memory/1820-91-0x0000000013140000-0x000000001400A000-memory.dmp

Filesize
14.8MB

Download
memory/1820-76-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads