bandook | 34bc03f62cce398c53c910f9c2c3aae2d081417a82f744c09426ff29525eda82

General

Target

REPORTE DE PAGO-1.exe
Size

2.6MB
MD5

ef51568300ae7e7c78e27e5503a4f955
SHA1

c54415dadc7fa711122d92963d9d3823637b2b99
SHA256

34bc03f62cce398c53c910f9c2c3aae2d081417a82f744c09426ff29525eda82
SHA512

f18c10e979d7a962cd38dd399bed1258b429adc92ca19c38788691a8f851efbfebdcadd7c600b64573b34b7e12c67140862d91304251fc0e9b1a25106cafec88
SSDEEP

49152:RfEMHawa0Tns5D2b0+XFUlJ1qVNVWDawSmpwjw2e:Rq

Score

10^/10

bandook rat trojan upx

Malware Config

Extracted

Family

bandook

C2

deapproved.ru

Signatures

Bandook RAT
Bandook is a remote access tool written in C++ and shipped with a loader written in Delphi.
rat trojan bandook

Bandook payload 8 IoCs

resource	yara_rule
behavioral2/memory/4372-157-0x0000000013140000-0x0000000014009000-memory.dmp	family_bandook
behavioral2/memory/4372-156-0x0000000013140000-0x0000000014009000-memory.dmp	family_bandook
behavioral2/memory/4372-158-0x0000000013140000-0x0000000014009000-memory.dmp	family_bandook
behavioral2/memory/4372-159-0x0000000013140000-0x0000000014009000-memory.dmp	family_bandook
behavioral2/memory/4372-160-0x0000000013140000-0x0000000014009000-memory.dmp	family_bandook
behavioral2/memory/4372-162-0x0000000013140000-0x0000000014009000-memory.dmp	family_bandook
behavioral2/memory/4372-164-0x0000000013140000-0x0000000014009000-memory.dmp	family_bandook
behavioral2/memory/4372-168-0x0000000013140000-0x0000000014009000-memory.dmp	family_bandook

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4372-153-0x0000000013140000-0x0000000014009000-memory.dmp	upx
behavioral2/memory/4372-154-0x0000000013140000-0x0000000014009000-memory.dmp	upx
behavioral2/memory/4372-157-0x0000000013140000-0x0000000014009000-memory.dmp	upx
behavioral2/memory/4372-156-0x0000000013140000-0x0000000014009000-memory.dmp	upx
behavioral2/memory/4372-158-0x0000000013140000-0x0000000014009000-memory.dmp	upx
behavioral2/memory/4372-159-0x0000000013140000-0x0000000014009000-memory.dmp	upx
behavioral2/memory/4372-160-0x0000000013140000-0x0000000014009000-memory.dmp	upx
behavioral2/memory/4372-162-0x0000000013140000-0x0000000014009000-memory.dmp	upx
behavioral2/memory/4372-164-0x0000000013140000-0x0000000014009000-memory.dmp	upx
behavioral2/memory/4372-168-0x0000000013140000-0x0000000014009000-memory.dmp	upx

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4372	msinfo32.exe
4372	msinfo32.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4416 wrote to memory of 4372	4416	REPORTE DE PAGO-1.exe	91
PID 4416 wrote to memory of 4372	4416	REPORTE DE PAGO-1.exe	91
PID 4416 wrote to memory of 4372	4416	REPORTE DE PAGO-1.exe	91
PID 4416 wrote to memory of 860	4416	REPORTE DE PAGO-1.exe	92
PID 4416 wrote to memory of 860	4416	REPORTE DE PAGO-1.exe	92
PID 4416 wrote to memory of 860	4416	REPORTE DE PAGO-1.exe	92
PID 4416 wrote to memory of 4372	4416	REPORTE DE PAGO-1.exe	91
PID 4416 wrote to memory of 4372	4416	REPORTE DE PAGO-1.exe	91

C:\Users\Admin\AppData\Local\Temp\REPORTE DE PAGO-1.exe
"C:\Users\Admin\AppData\Local\Temp\REPORTE DE PAGO-1.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4416
- C:\windows\SysWOW64\msinfo32.exe
  C:\windows\syswow64\msinfo32.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4372
- C:\Users\Admin\AppData\Local\Temp\REPORTE DE PAGO-1.exe
  "C:\Users\Admin\AppData\Local\Temp\REPORTE DE PAGO-1.exe" ooooooooooooooo
  2⤵
  PID:860

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/860-152-0x0000000000940000-0x0000000000941000-memory.dmp

Filesize
4KB

Download
memory/860-171-0x0000000000400000-0x00000000006AB000-memory.dmp

Filesize
2.7MB

Download
memory/860-169-0x0000000000400000-0x00000000006AB000-memory.dmp

Filesize
2.7MB

Download
memory/860-167-0x0000000000940000-0x0000000000941000-memory.dmp

Filesize
4KB

Download
memory/860-165-0x0000000000400000-0x00000000006AB000-memory.dmp

Filesize
2.7MB

Download
memory/4372-156-0x0000000013140000-0x0000000014009000-memory.dmp

Filesize
14.8MB

Download
memory/4372-160-0x0000000013140000-0x0000000014009000-memory.dmp

Filesize
14.8MB

Download
memory/4372-168-0x0000000013140000-0x0000000014009000-memory.dmp

Filesize
14.8MB

Download
memory/4372-153-0x0000000013140000-0x0000000014009000-memory.dmp

Filesize
14.8MB

Download
memory/4372-154-0x0000000013140000-0x0000000014009000-memory.dmp

Filesize
14.8MB

Download
memory/4372-164-0x0000000013140000-0x0000000014009000-memory.dmp

Filesize
14.8MB

Download
memory/4372-157-0x0000000013140000-0x0000000014009000-memory.dmp

Filesize
14.8MB

Download
memory/4372-162-0x0000000013140000-0x0000000014009000-memory.dmp

Filesize
14.8MB

Download
memory/4372-158-0x0000000013140000-0x0000000014009000-memory.dmp

Filesize
14.8MB

Download
memory/4372-159-0x0000000013140000-0x0000000014009000-memory.dmp

Filesize
14.8MB

Download
memory/4416-155-0x0000000000400000-0x00000000006AB000-memory.dmp

Filesize
2.7MB

Download
memory/4416-133-0x0000000000830000-0x0000000000831000-memory.dmp

Filesize
4KB

Download
memory/4416-151-0x0000000000400000-0x00000000006AB000-memory.dmp

Filesize
2.7MB

Download
memory/4416-149-0x0000000000400000-0x00000000006AB000-memory.dmp

Filesize
2.7MB

Download
memory/4416-136-0x0000000000400000-0x00000000006AB000-memory.dmp

Filesize
2.7MB

Download
memory/4416-150-0x0000000000400000-0x00000000006AB000-memory.dmp

Filesize
2.7MB

Download
memory/4416-135-0x0000000000400000-0x00000000006AB000-memory.dmp

Filesize
2.7MB

Download
memory/4416-134-0x0000000000400000-0x00000000006AB000-memory.dmp

Filesize
2.7MB

Download
memory/4416-180-0x0000000000400000-0x00000000006AB000-memory.dmp

Filesize
2.7MB

Download

Analysis

Sharing