bandook | a4d54caced8ab8b2b4b9ef47760b8cc1fde0ac27ae57d5d48905a5ae8149162d

General

Target

Doc-16052023 print.exe
Size

3.3MB
MD5

91a19b4692196d3f7bc3230c25430247
SHA1

4d69842ef8441edaafdcb5f3a6d30a0c4ad4a9eb
SHA256

a4d54caced8ab8b2b4b9ef47760b8cc1fde0ac27ae57d5d48905a5ae8149162d
SHA512

86ed8998da4523638e216d13bea5ad7a7987ddac2828a2ea607ad9806f5010d628a301960c3adc82433cd8de7732ffbf58e6e5fed6c6565f6ea6a69360f6e392
SSDEEP

49152:YOQ69Yu/GoMbr9oDY5ueIhCP7f9eAVrtxTEa6wc5YTHUuynwDDQF9dNA:Y

Score

10^/10

bandook rat trojan upx

Malware Config

Extracted

Family

bandook

C2

gombos.ru

Signatures

Bandook RAT
Bandook is a remote access tool written in C++ and shipped with a loader written in Delphi.
rat trojan bandook

Bandook payload 15 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4872-158-0x0000000013140000-0x0000000014436000-memory.dmp	family_bandook
behavioral2/memory/4872-159-0x0000000013140000-0x0000000014436000-memory.dmp	family_bandook
behavioral2/memory/4872-160-0x0000000013140000-0x0000000014436000-memory.dmp	family_bandook
behavioral2/memory/4872-161-0x0000000013140000-0x0000000014436000-memory.dmp	family_bandook
behavioral2/memory/4872-163-0x0000000013140000-0x0000000014436000-memory.dmp	family_bandook
behavioral2/memory/4872-165-0x0000000013140000-0x0000000014436000-memory.dmp	family_bandook
behavioral2/memory/4872-169-0x0000000013140000-0x0000000014436000-memory.dmp	family_bandook
behavioral2/memory/4872-171-0x0000000013140000-0x0000000014436000-memory.dmp	family_bandook
behavioral2/memory/4872-179-0x0000000013140000-0x0000000014436000-memory.dmp	family_bandook
behavioral2/memory/4872-184-0x0000000013140000-0x0000000014436000-memory.dmp	family_bandook
behavioral2/memory/4872-185-0x0000000013140000-0x0000000014436000-memory.dmp	family_bandook
behavioral2/memory/4872-186-0x0000000013140000-0x0000000014436000-memory.dmp	family_bandook
behavioral2/memory/4872-188-0x0000000013140000-0x0000000014436000-memory.dmp	family_bandook
behavioral2/memory/4872-190-0x0000000013140000-0x0000000014436000-memory.dmp	family_bandook
behavioral2/memory/4872-192-0x0000000013140000-0x0000000014436000-memory.dmp	family_bandook

UPX packed file 17 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4872-155-0x0000000013140000-0x0000000014436000-memory.dmp	upx
behavioral2/memory/4872-156-0x0000000013140000-0x0000000014436000-memory.dmp	upx
behavioral2/memory/4872-158-0x0000000013140000-0x0000000014436000-memory.dmp	upx
behavioral2/memory/4872-159-0x0000000013140000-0x0000000014436000-memory.dmp	upx
behavioral2/memory/4872-160-0x0000000013140000-0x0000000014436000-memory.dmp	upx
behavioral2/memory/4872-161-0x0000000013140000-0x0000000014436000-memory.dmp	upx
behavioral2/memory/4872-163-0x0000000013140000-0x0000000014436000-memory.dmp	upx
behavioral2/memory/4872-165-0x0000000013140000-0x0000000014436000-memory.dmp	upx
behavioral2/memory/4872-169-0x0000000013140000-0x0000000014436000-memory.dmp	upx
behavioral2/memory/4872-171-0x0000000013140000-0x0000000014436000-memory.dmp	upx
behavioral2/memory/4872-179-0x0000000013140000-0x0000000014436000-memory.dmp	upx
behavioral2/memory/4872-184-0x0000000013140000-0x0000000014436000-memory.dmp	upx
behavioral2/memory/4872-185-0x0000000013140000-0x0000000014436000-memory.dmp	upx
behavioral2/memory/4872-186-0x0000000013140000-0x0000000014436000-memory.dmp	upx
behavioral2/memory/4872-188-0x0000000013140000-0x0000000014436000-memory.dmp	upx
behavioral2/memory/4872-190-0x0000000013140000-0x0000000014436000-memory.dmp	upx
behavioral2/memory/4872-192-0x0000000013140000-0x0000000014436000-memory.dmp	upx

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

msinfo32.exe

pid process

4872 msinfo32.exe
4872 msinfo32.exe

pid	process
4872	msinfo32.exe
4872	msinfo32.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

Doc-16052023 print.exe

description	pid	process	target process
PID 4228 wrote to memory of 4872	4228	Doc-16052023 print.exe	msinfo32.exe
PID 4228 wrote to memory of 4872	4228	Doc-16052023 print.exe	msinfo32.exe
PID 4228 wrote to memory of 4872	4228	Doc-16052023 print.exe	msinfo32.exe
PID 4228 wrote to memory of 5008	4228	Doc-16052023 print.exe	Doc-16052023 print.exe
PID 4228 wrote to memory of 5008	4228	Doc-16052023 print.exe	Doc-16052023 print.exe
PID 4228 wrote to memory of 5008	4228	Doc-16052023 print.exe	Doc-16052023 print.exe
PID 4228 wrote to memory of 4872	4228	Doc-16052023 print.exe	msinfo32.exe
PID 4228 wrote to memory of 4872	4228	Doc-16052023 print.exe	msinfo32.exe

C:\Users\Admin\AppData\Local\Temp\Doc-16052023 print.exe
"C:\Users\Admin\AppData\Local\Temp\Doc-16052023 print.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4228

C:\windows\SysWOW64\msinfo32.exe
C:\windows\syswow64\msinfo32.exe
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4872

C:\Users\Admin\AppData\Local\Temp\Doc-16052023 print.exe
"C:\Users\Admin\AppData\Local\Temp\Doc-16052023 print.exe" ooooooooooooooo
2⤵
PID:5008

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4228-157-0x0000000000400000-0x0000000000756000-memory.dmp

Filesize
3.3MB

Download
memory/4228-134-0x0000000000400000-0x0000000000756000-memory.dmp

Filesize
3.3MB

Download
memory/4228-135-0x0000000000940000-0x0000000000941000-memory.dmp

Filesize
4KB

Download
memory/4228-136-0x0000000000400000-0x0000000000756000-memory.dmp

Filesize
3.3MB

Download
memory/4228-137-0x0000000000400000-0x0000000000756000-memory.dmp

Filesize
3.3MB

Download
memory/4228-151-0x0000000000400000-0x0000000000756000-memory.dmp

Filesize
3.3MB

Download
memory/4228-152-0x0000000000400000-0x0000000000756000-memory.dmp

Filesize
3.3MB

Download
memory/4228-153-0x0000000000400000-0x0000000000756000-memory.dmp

Filesize
3.3MB

Download
memory/4228-133-0x0000000000940000-0x0000000000941000-memory.dmp

Filesize
4KB

Download
memory/4872-160-0x0000000013140000-0x0000000014436000-memory.dmp

Filesize
19.0MB

Download
memory/4872-169-0x0000000013140000-0x0000000014436000-memory.dmp

Filesize
19.0MB

Download
memory/4872-155-0x0000000013140000-0x0000000014436000-memory.dmp

Filesize
19.0MB

Download
memory/4872-158-0x0000000013140000-0x0000000014436000-memory.dmp

Filesize
19.0MB

Download
memory/4872-159-0x0000000013140000-0x0000000014436000-memory.dmp

Filesize
19.0MB

Download
memory/4872-192-0x0000000013140000-0x0000000014436000-memory.dmp

Filesize
19.0MB

Download
memory/4872-161-0x0000000013140000-0x0000000014436000-memory.dmp

Filesize
19.0MB

Download
memory/4872-163-0x0000000013140000-0x0000000014436000-memory.dmp

Filesize
19.0MB

Download
memory/4872-165-0x0000000013140000-0x0000000014436000-memory.dmp

Filesize
19.0MB

Download
memory/4872-190-0x0000000013140000-0x0000000014436000-memory.dmp

Filesize
19.0MB

Download
memory/4872-188-0x0000000013140000-0x0000000014436000-memory.dmp

Filesize
19.0MB

Download
memory/4872-156-0x0000000013140000-0x0000000014436000-memory.dmp

Filesize
19.0MB

Download
memory/4872-186-0x0000000013140000-0x0000000014436000-memory.dmp

Filesize
19.0MB

Download
memory/4872-171-0x0000000013140000-0x0000000014436000-memory.dmp

Filesize
19.0MB

Download
memory/4872-185-0x0000000013140000-0x0000000014436000-memory.dmp

Filesize
19.0MB

Download
memory/4872-179-0x0000000013140000-0x0000000014436000-memory.dmp

Filesize
19.0MB

Download
memory/4872-184-0x0000000013140000-0x0000000014436000-memory.dmp

Filesize
19.0MB

Download
memory/5008-173-0x0000000000400000-0x0000000000756000-memory.dmp

Filesize
3.3MB

Download
memory/5008-170-0x0000000000400000-0x0000000000756000-memory.dmp

Filesize
3.3MB

Download
memory/5008-168-0x00000000023A0000-0x00000000023A1000-memory.dmp

Filesize
4KB

Download
memory/5008-166-0x0000000000400000-0x0000000000756000-memory.dmp

Filesize
3.3MB

Download
memory/5008-154-0x00000000023A0000-0x00000000023A1000-memory.dmp

Filesize
4KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads