bandook | c6cc299e6844352e287014b48ab1d2ee4963e3c19c2c108404344e0c02a204f4

General

Target

Factura_Cancelada #9665.exe
Size

2.5MB
MD5

1364bf7f610d63e3acae29a01fa7fc42
SHA1

d172088d17333c8547c887776bb202612a99cdf3
SHA256

c6cc299e6844352e287014b48ab1d2ee4963e3c19c2c108404344e0c02a204f4
SHA512

6af13f82dc2701d889ca402d25f20a1fdc564ade14fb00a57cbe4045bf509a9350decea951a6737a94a1d45a4c22786a6c8720d99f40e028eff9ff55cffbe65e
SSDEEP

24576:L1bMBO5V78tQYqSb8mvc68VQhQ1pMj0DRq+5xHsWVBYIpf8FVpE4mlTFXv/+XmJX:LbVOO16wDRN5DKBtBmzXMZhqkX9S

Score

10^/10

bandook rat trojan upx

Malware Config

Extracted

Family

bandook

C2

gombos.ru

Signatures

Bandook RAT
Bandook is a remote access tool written in C++ and shipped with a loader written in Delphi.
rat trojan bandook

Bandook payload 8 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4164-156-0x0000000013140000-0x0000000013D94000-memory.dmp	family_bandook
behavioral2/memory/4164-158-0x0000000013140000-0x0000000013D94000-memory.dmp	family_bandook
behavioral2/memory/4164-159-0x0000000013140000-0x0000000013D94000-memory.dmp	family_bandook
behavioral2/memory/4164-160-0x0000000013140000-0x0000000013D94000-memory.dmp	family_bandook
behavioral2/memory/4164-161-0x0000000013140000-0x0000000013D94000-memory.dmp	family_bandook
behavioral2/memory/4164-163-0x0000000013140000-0x0000000013D94000-memory.dmp	family_bandook
behavioral2/memory/4164-165-0x0000000013140000-0x0000000013D94000-memory.dmp	family_bandook
behavioral2/memory/4164-169-0x0000000013140000-0x0000000013D94000-memory.dmp	family_bandook

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4164-154-0x0000000013140000-0x0000000013D94000-memory.dmp	upx
behavioral2/memory/4164-155-0x0000000013140000-0x0000000013D94000-memory.dmp	upx
behavioral2/memory/4164-156-0x0000000013140000-0x0000000013D94000-memory.dmp	upx
behavioral2/memory/4164-158-0x0000000013140000-0x0000000013D94000-memory.dmp	upx
behavioral2/memory/4164-159-0x0000000013140000-0x0000000013D94000-memory.dmp	upx
behavioral2/memory/4164-160-0x0000000013140000-0x0000000013D94000-memory.dmp	upx
behavioral2/memory/4164-161-0x0000000013140000-0x0000000013D94000-memory.dmp	upx
behavioral2/memory/4164-163-0x0000000013140000-0x0000000013D94000-memory.dmp	upx
behavioral2/memory/4164-165-0x0000000013140000-0x0000000013D94000-memory.dmp	upx
behavioral2/memory/4164-169-0x0000000013140000-0x0000000013D94000-memory.dmp	upx

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

msinfo32.exe

pid process

4164 msinfo32.exe
4164 msinfo32.exe

pid	process
4164	msinfo32.exe
4164	msinfo32.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

Factura_Cancelada #9665.exe

description	pid	process	target process
PID 4668 wrote to memory of 4164	4668	Factura_Cancelada #9665.exe	msinfo32.exe
PID 4668 wrote to memory of 4164	4668	Factura_Cancelada #9665.exe	msinfo32.exe
PID 4668 wrote to memory of 4164	4668	Factura_Cancelada #9665.exe	msinfo32.exe
PID 4668 wrote to memory of 4916	4668	Factura_Cancelada #9665.exe	Factura_Cancelada #9665.exe
PID 4668 wrote to memory of 4916	4668	Factura_Cancelada #9665.exe	Factura_Cancelada #9665.exe
PID 4668 wrote to memory of 4916	4668	Factura_Cancelada #9665.exe	Factura_Cancelada #9665.exe
PID 4668 wrote to memory of 4164	4668	Factura_Cancelada #9665.exe	msinfo32.exe
PID 4668 wrote to memory of 4164	4668	Factura_Cancelada #9665.exe	msinfo32.exe

C:\Users\Admin\AppData\Local\Temp\Factura_Cancelada #9665.exe
"C:\Users\Admin\AppData\Local\Temp\Factura_Cancelada #9665.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4668

C:\windows\SysWOW64\msinfo32.exe
C:\windows\syswow64\msinfo32.exe
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4164

C:\Users\Admin\AppData\Local\Temp\Factura_Cancelada #9665.exe
"C:\Users\Admin\AppData\Local\Temp\Factura_Cancelada #9665.exe" ooooooooooooooo
2⤵
PID:4916

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4164-161-0x0000000013140000-0x0000000013D94000-memory.dmp

Filesize
12.3MB

Download
memory/4164-155-0x0000000013140000-0x0000000013D94000-memory.dmp

Filesize
12.3MB

Download
memory/4164-156-0x0000000013140000-0x0000000013D94000-memory.dmp

Filesize
12.3MB

Download
memory/4164-169-0x0000000013140000-0x0000000013D94000-memory.dmp

Filesize
12.3MB

Download
memory/4164-165-0x0000000013140000-0x0000000013D94000-memory.dmp

Filesize
12.3MB

Download
memory/4164-163-0x0000000013140000-0x0000000013D94000-memory.dmp

Filesize
12.3MB

Download
memory/4164-160-0x0000000013140000-0x0000000013D94000-memory.dmp

Filesize
12.3MB

Download
memory/4164-159-0x0000000013140000-0x0000000013D94000-memory.dmp

Filesize
12.3MB

Download
memory/4164-154-0x0000000013140000-0x0000000013D94000-memory.dmp

Filesize
12.3MB

Download
memory/4164-158-0x0000000013140000-0x0000000013D94000-memory.dmp

Filesize
12.3MB

Download
memory/4668-152-0x0000000000400000-0x0000000000685000-memory.dmp

Filesize
2.5MB

Download
memory/4668-181-0x0000000000400000-0x0000000000685000-memory.dmp

Filesize
2.5MB

Download
memory/4668-135-0x0000000000400000-0x0000000000685000-memory.dmp

Filesize
2.5MB

Download
memory/4668-134-0x0000000000400000-0x0000000000685000-memory.dmp

Filesize
2.5MB

Download
memory/4668-133-0x00000000022E0000-0x00000000022E1000-memory.dmp

Filesize
4KB

Download
memory/4668-151-0x0000000000400000-0x0000000000685000-memory.dmp

Filesize
2.5MB

Download
memory/4668-150-0x0000000000400000-0x0000000000685000-memory.dmp

Filesize
2.5MB

Download
memory/4668-136-0x0000000000400000-0x0000000000685000-memory.dmp

Filesize
2.5MB

Download
memory/4668-157-0x0000000000400000-0x0000000000685000-memory.dmp

Filesize
2.5MB

Download
memory/4916-153-0x00000000022C0000-0x00000000022C1000-memory.dmp

Filesize
4KB

Download
memory/4916-166-0x0000000000400000-0x0000000000685000-memory.dmp

Filesize
2.5MB

Download
memory/4916-168-0x00000000022C0000-0x00000000022C1000-memory.dmp

Filesize
4KB

Download
memory/4916-172-0x0000000000400000-0x0000000000685000-memory.dmp

Filesize
2.5MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads