bandook | 83b4e3a3f52a7fae6ca3ca2a955a6e1b13e9769248cb75b8561b5d60c26a18a0

General

Target

Envio de pago.exe
Size

5.9MB
MD5

186de479f8aaff2ed18aac1acf54b591
SHA1

84c43ddbd5eed1dac30374ac44cebb0adf1b52e8
SHA256

83b4e3a3f52a7fae6ca3ca2a955a6e1b13e9769248cb75b8561b5d60c26a18a0
SHA512

e88821331ff02e0b96769e9314291f920a0bb8d04bc7224dcd5638c3e11247203ed9d00ddbcd02e32368ef36175593fd475f50191092b65e1befd0544fe32c48
SSDEEP

49152:JFQPSP5e1ObxxpYflUaqtuu49nVaD/4H0lzDvQFEqLuhXJxs9Rp0D5zKDOmaQShr:JaPfe

Score

10^/10

bandook rat trojan upx

Malware Config

Extracted

Family

bandook

C2

humut.su

Signatures

Bandook RAT
Bandook is a remote access tool written in C++ and shipped with a loader written in Delphi.
rat trojan bandook

Bandook payload 7 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1408-174-0x0000000013140000-0x0000000014751000-memory.dmp	family_bandook
behavioral2/memory/1408-175-0x0000000013140000-0x0000000014751000-memory.dmp	family_bandook
behavioral2/memory/1408-176-0x0000000013140000-0x0000000014751000-memory.dmp	family_bandook
behavioral2/memory/1408-177-0x0000000013140000-0x0000000014751000-memory.dmp	family_bandook
behavioral2/memory/1408-179-0x0000000013140000-0x0000000014751000-memory.dmp	family_bandook
behavioral2/memory/1408-181-0x0000000013140000-0x0000000014751000-memory.dmp	family_bandook
behavioral2/memory/1408-187-0x0000000013140000-0x0000000014751000-memory.dmp	family_bandook

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/1408-172-0x0000000013140000-0x0000000014751000-memory.dmp	upx
behavioral2/memory/1408-173-0x0000000013140000-0x0000000014751000-memory.dmp	upx
behavioral2/memory/1408-174-0x0000000013140000-0x0000000014751000-memory.dmp	upx
behavioral2/memory/1408-175-0x0000000013140000-0x0000000014751000-memory.dmp	upx
behavioral2/memory/1408-176-0x0000000013140000-0x0000000014751000-memory.dmp	upx
behavioral2/memory/1408-177-0x0000000013140000-0x0000000014751000-memory.dmp	upx
behavioral2/memory/1408-179-0x0000000013140000-0x0000000014751000-memory.dmp	upx
behavioral2/memory/1408-181-0x0000000013140000-0x0000000014751000-memory.dmp	upx
behavioral2/memory/1408-187-0x0000000013140000-0x0000000014751000-memory.dmp	upx

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

msinfo32.exe

pid process

1408 msinfo32.exe
1408 msinfo32.exe

pid	process
1408	msinfo32.exe
1408	msinfo32.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

Envio de pago.exe

description	pid	process	target process
PID 4324 wrote to memory of 1408	4324	Envio de pago.exe	msinfo32.exe
PID 4324 wrote to memory of 1408	4324	Envio de pago.exe	msinfo32.exe
PID 4324 wrote to memory of 1408	4324	Envio de pago.exe	msinfo32.exe
PID 4324 wrote to memory of 2112	4324	Envio de pago.exe	Envio de pago.exe
PID 4324 wrote to memory of 2112	4324	Envio de pago.exe	Envio de pago.exe
PID 4324 wrote to memory of 2112	4324	Envio de pago.exe	Envio de pago.exe
PID 4324 wrote to memory of 1408	4324	Envio de pago.exe	msinfo32.exe
PID 4324 wrote to memory of 1408	4324	Envio de pago.exe	msinfo32.exe

C:\Users\Admin\AppData\Local\Temp\Envio de pago.exe
"C:\Users\Admin\AppData\Local\Temp\Envio de pago.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4324

C:\windows\SysWOW64\msinfo32.exe
C:\windows\syswow64\msinfo32.exe
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1408

C:\Users\Admin\AppData\Local\Temp\Envio de pago.exe
"C:\Users\Admin\AppData\Local\Temp\Envio de pago.exe" ooooooooooooooo
2⤵
PID:2112

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1408-172-0x0000000013140000-0x0000000014751000-memory.dmp

Filesize
22.1MB

Download
memory/1408-187-0x0000000013140000-0x0000000014751000-memory.dmp

Filesize
22.1MB

Download
memory/1408-181-0x0000000013140000-0x0000000014751000-memory.dmp

Filesize
22.1MB

Download
memory/1408-179-0x0000000013140000-0x0000000014751000-memory.dmp

Filesize
22.1MB

Download
memory/1408-177-0x0000000013140000-0x0000000014751000-memory.dmp

Filesize
22.1MB

Download
memory/1408-176-0x0000000013140000-0x0000000014751000-memory.dmp

Filesize
22.1MB

Download
memory/1408-175-0x0000000013140000-0x0000000014751000-memory.dmp

Filesize
22.1MB

Download
memory/1408-174-0x0000000013140000-0x0000000014751000-memory.dmp

Filesize
22.1MB

Download
memory/1408-173-0x0000000013140000-0x0000000014751000-memory.dmp

Filesize
22.1MB

Download
memory/2112-183-0x0000000000400000-0x00000000009FD000-memory.dmp

Filesize
6.0MB

Download
memory/2112-185-0x0000000002660000-0x0000000002661000-memory.dmp

Filesize
4KB

Download
memory/2112-170-0x0000000002660000-0x0000000002661000-memory.dmp

Filesize
4KB

Download
memory/2112-190-0x0000000000400000-0x00000000009FD000-memory.dmp

Filesize
6.0MB

Download
memory/2112-188-0x0000000000400000-0x00000000009FD000-memory.dmp

Filesize
6.0MB

Download
memory/4324-168-0x0000000000400000-0x00000000009FD000-memory.dmp

Filesize
6.0MB

Download
memory/4324-137-0x0000000000400000-0x00000000009FD000-memory.dmp

Filesize
6.0MB

Download
memory/4324-135-0x0000000000400000-0x00000000009FD000-memory.dmp

Filesize
6.0MB

Download
memory/4324-182-0x0000000000400000-0x00000000009FD000-memory.dmp

Filesize
6.0MB

Download
memory/4324-133-0x0000000000B90000-0x0000000000B91000-memory.dmp

Filesize
4KB

Download
memory/4324-167-0x0000000000400000-0x00000000009FD000-memory.dmp

Filesize
6.0MB

Download
memory/4324-134-0x0000000000400000-0x00000000009FD000-memory.dmp

Filesize
6.0MB

Download
memory/4324-171-0x0000000000400000-0x00000000009FD000-memory.dmp

Filesize
6.0MB

Download
memory/4324-169-0x0000000000400000-0x00000000009FD000-memory.dmp

Filesize
6.0MB

Download
memory/4324-197-0x0000000000400000-0x00000000009FD000-memory.dmp

Filesize
6.0MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads