bandook | 83b4e3a3f52a7fae6ca3ca2a955a6e1b13e9769248cb75b8561b5d60c26a18a0

General

Target

Envio de pago.exe
Size

5.9MB
MD5

186de479f8aaff2ed18aac1acf54b591
SHA1

84c43ddbd5eed1dac30374ac44cebb0adf1b52e8
SHA256

83b4e3a3f52a7fae6ca3ca2a955a6e1b13e9769248cb75b8561b5d60c26a18a0
SHA512

e88821331ff02e0b96769e9314291f920a0bb8d04bc7224dcd5638c3e11247203ed9d00ddbcd02e32368ef36175593fd475f50191092b65e1befd0544fe32c48
SSDEEP

49152:JFQPSP5e1ObxxpYflUaqtuu49nVaD/4H0lzDvQFEqLuhXJxs9Rp0D5zKDOmaQShr:JaPfe

Score

10^/10

bandook rat trojan upx

Malware Config

Extracted

Family

bandook

C2

humut.su

Signatures

Bandook RAT
Bandook is a remote access tool written in C++ and shipped with a loader written in Delphi.
rat trojan bandook

Bandook payload 8 IoCs

resource	yara_rule
behavioral1/memory/112-98-0x0000000013140000-0x0000000014751000-memory.dmp	family_bandook
behavioral1/memory/112-99-0x0000000013140000-0x0000000014751000-memory.dmp	family_bandook
behavioral1/memory/112-100-0x0000000013140000-0x0000000014751000-memory.dmp	family_bandook
behavioral1/memory/112-101-0x0000000013140000-0x0000000014751000-memory.dmp	family_bandook
behavioral1/memory/112-102-0x0000000013140000-0x0000000014751000-memory.dmp	family_bandook
behavioral1/memory/112-104-0x0000000013140000-0x0000000014751000-memory.dmp	family_bandook
behavioral1/memory/112-106-0x0000000013140000-0x0000000014751000-memory.dmp	family_bandook
behavioral1/memory/112-112-0x0000000013140000-0x0000000014751000-memory.dmp	family_bandook

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/112-96-0x0000000013140000-0x0000000014751000-memory.dmp	upx
behavioral1/memory/112-97-0x0000000013140000-0x0000000014751000-memory.dmp	upx
behavioral1/memory/112-98-0x0000000013140000-0x0000000014751000-memory.dmp	upx
behavioral1/memory/112-99-0x0000000013140000-0x0000000014751000-memory.dmp	upx
behavioral1/memory/112-100-0x0000000013140000-0x0000000014751000-memory.dmp	upx
behavioral1/memory/112-101-0x0000000013140000-0x0000000014751000-memory.dmp	upx
behavioral1/memory/112-102-0x0000000013140000-0x0000000014751000-memory.dmp	upx
behavioral1/memory/112-104-0x0000000013140000-0x0000000014751000-memory.dmp	upx
behavioral1/memory/112-106-0x0000000013140000-0x0000000014751000-memory.dmp	upx
behavioral1/memory/112-112-0x0000000013140000-0x0000000014751000-memory.dmp	upx

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
112	msinfo32.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 1244 wrote to memory of 112	1244	Envio de pago.exe	28
PID 1244 wrote to memory of 112	1244	Envio de pago.exe	28
PID 1244 wrote to memory of 112	1244	Envio de pago.exe	28
PID 1244 wrote to memory of 112	1244	Envio de pago.exe	28
PID 1244 wrote to memory of 900	1244	Envio de pago.exe	29
PID 1244 wrote to memory of 900	1244	Envio de pago.exe	29
PID 1244 wrote to memory of 900	1244	Envio de pago.exe	29
PID 1244 wrote to memory of 900	1244	Envio de pago.exe	29
PID 1244 wrote to memory of 112	1244	Envio de pago.exe	28
PID 1244 wrote to memory of 112	1244	Envio de pago.exe	28

C:\Users\Admin\AppData\Local\Temp\Envio de pago.exe
"C:\Users\Admin\AppData\Local\Temp\Envio de pago.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1244
- C:\windows\syswow64\msinfo32.exe
  C:\windows\syswow64\msinfo32.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:112
- C:\Users\Admin\AppData\Local\Temp\Envio de pago.exe
  "C:\Users\Admin\AppData\Local\Temp\Envio de pago.exe" ooooooooooooooo
  2⤵
  PID:900

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/112-106-0x0000000013140000-0x0000000014751000-memory.dmp

Filesize
22.1MB

Download
memory/112-95-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/112-98-0x0000000013140000-0x0000000014751000-memory.dmp

Filesize
22.1MB

Download
memory/112-97-0x0000000013140000-0x0000000014751000-memory.dmp

Filesize
22.1MB

Download
memory/112-100-0x0000000013140000-0x0000000014751000-memory.dmp

Filesize
22.1MB

Download
memory/112-101-0x0000000013140000-0x0000000014751000-memory.dmp

Filesize
22.1MB

Download
memory/112-112-0x0000000013140000-0x0000000014751000-memory.dmp

Filesize
22.1MB

Download
memory/112-99-0x0000000013140000-0x0000000014751000-memory.dmp

Filesize
22.1MB

Download
memory/112-102-0x0000000013140000-0x0000000014751000-memory.dmp

Filesize
22.1MB

Download
memory/112-104-0x0000000013140000-0x0000000014751000-memory.dmp

Filesize
22.1MB

Download
memory/112-96-0x0000000013140000-0x0000000014751000-memory.dmp

Filesize
22.1MB

Download
memory/112-94-0x0000000013140000-0x0000000014751000-memory.dmp

Filesize
22.1MB

Download
memory/900-114-0x0000000000400000-0x00000000009FD000-memory.dmp

Filesize
6.0MB

Download
memory/900-107-0x0000000000400000-0x00000000009FD000-memory.dmp

Filesize
6.0MB

Download
memory/900-92-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/900-109-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/900-110-0x0000000000400000-0x00000000009FD000-memory.dmp

Filesize
6.0MB

Download
memory/900-115-0x0000000000400000-0x00000000009FD000-memory.dmp

Filesize
6.0MB

Download
memory/1244-91-0x0000000000400000-0x00000000009FD000-memory.dmp

Filesize
6.0MB

Download
memory/1244-56-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/1244-122-0x0000000000400000-0x00000000009FD000-memory.dmp

Filesize
6.0MB

Download
memory/1244-54-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/1244-93-0x0000000000400000-0x00000000009FD000-memory.dmp

Filesize
6.0MB

Download
memory/1244-108-0x0000000000400000-0x00000000009FD000-memory.dmp

Filesize
6.0MB

Download
memory/1244-55-0x0000000000400000-0x00000000009FD000-memory.dmp

Filesize
6.0MB

Download
memory/1244-90-0x0000000000400000-0x00000000009FD000-memory.dmp

Filesize
6.0MB

Download
memory/1244-89-0x0000000000400000-0x00000000009FD000-memory.dmp

Filesize
6.0MB

Download
memory/1244-59-0x0000000000400000-0x00000000009FD000-memory.dmp

Filesize
6.0MB

Download
memory/1244-58-0x0000000000400000-0x00000000009FD000-memory.dmp

Filesize
6.0MB

Download
memory/1244-57-0x0000000000400000-0x00000000009FD000-memory.dmp

Filesize
6.0MB

Download

Analysis

Sharing