bandook | 0ec125785855329c5cf9dc57e0d43c1aa9dd102068e86509321a0f96dbe5213f

General

Target

7d4dcff5a13e4ae85a620e5bf234af39f55ce0cc.exe
Size

5.4MB
MD5

e81aef3c68dcdbd2fa9f34cdf438069d
SHA1

7d4dcff5a13e4ae85a620e5bf234af39f55ce0cc
SHA256

4171d999ac09b358f1ecdeb7ff4bdd1fe368e8d2beab2b34d1b3a9ae165e6005
SHA512

01beb65f1acd99ea753a9ac903591240960733d927fa99fce34ae411843fa2f4225212d7e901edacc137fd2c8e8a97efb54018db8ace417f258d2f8e4d19e3e2
SSDEEP

49152:XcJ48N5owU9jYLEGPsuVZe1GAMXC4ll+8iBMmARC6y+9Vsl8DW7YeQv/53TGdwiI:sq8AwIU

Score

10^/10

bandook persistence rat trojan upx

Malware Config

Extracted

Family

bandook

C2

185.10.68.52

Signatures

Bandook RAT
Bandook is a remote access tool written in C++ and shipped with a loader written in Delphi.
rat trojan bandook

Bandook payload 16 IoCs

resource	yara_rule
behavioral1/memory/2916-175-0x0000000013140000-0x0000000014246000-memory.dmp	family_bandook
behavioral1/memory/2916-176-0x0000000013140000-0x0000000014246000-memory.dmp	family_bandook
behavioral1/memory/2916-177-0x0000000013140000-0x0000000014246000-memory.dmp	family_bandook
behavioral1/memory/2916-178-0x0000000013140000-0x0000000014246000-memory.dmp	family_bandook
behavioral1/memory/2916-179-0x0000000013140000-0x0000000014246000-memory.dmp	family_bandook
behavioral1/memory/2916-181-0x0000000013140000-0x0000000014246000-memory.dmp	family_bandook
behavioral1/memory/2916-184-0x0000000013140000-0x0000000014246000-memory.dmp	family_bandook
behavioral1/memory/2916-187-0x0000000013140000-0x0000000014246000-memory.dmp	family_bandook
behavioral1/memory/2916-194-0x0000000013140000-0x0000000014246000-memory.dmp	family_bandook
behavioral1/memory/2916-195-0x0000000013140000-0x0000000014246000-memory.dmp	family_bandook
behavioral1/memory/2916-196-0x0000000013140000-0x0000000014246000-memory.dmp	family_bandook
behavioral1/memory/2916-197-0x0000000013140000-0x0000000014246000-memory.dmp	family_bandook
behavioral1/memory/2916-199-0x0000000013140000-0x0000000014246000-memory.dmp	family_bandook
behavioral1/memory/2916-200-0x0000000013140000-0x0000000014246000-memory.dmp	family_bandook
behavioral1/memory/232-286-0x0000000013140000-0x0000000014246000-memory.dmp	family_bandook
behavioral1/memory/232-289-0x0000000013140000-0x0000000014246000-memory.dmp	family_bandook

UPX packed file 18 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2916-172-0x0000000013140000-0x0000000014246000-memory.dmp	upx
behavioral1/memory/2916-174-0x0000000013140000-0x0000000014246000-memory.dmp	upx
behavioral1/memory/2916-175-0x0000000013140000-0x0000000014246000-memory.dmp	upx
behavioral1/memory/2916-176-0x0000000013140000-0x0000000014246000-memory.dmp	upx
behavioral1/memory/2916-177-0x0000000013140000-0x0000000014246000-memory.dmp	upx
behavioral1/memory/2916-178-0x0000000013140000-0x0000000014246000-memory.dmp	upx
behavioral1/memory/2916-179-0x0000000013140000-0x0000000014246000-memory.dmp	upx
behavioral1/memory/2916-181-0x0000000013140000-0x0000000014246000-memory.dmp	upx
behavioral1/memory/2916-184-0x0000000013140000-0x0000000014246000-memory.dmp	upx
behavioral1/memory/2916-187-0x0000000013140000-0x0000000014246000-memory.dmp	upx
behavioral1/memory/2916-194-0x0000000013140000-0x0000000014246000-memory.dmp	upx
behavioral1/memory/2916-195-0x0000000013140000-0x0000000014246000-memory.dmp	upx
behavioral1/memory/2916-196-0x0000000013140000-0x0000000014246000-memory.dmp	upx
behavioral1/memory/2916-197-0x0000000013140000-0x0000000014246000-memory.dmp	upx
behavioral1/memory/2916-199-0x0000000013140000-0x0000000014246000-memory.dmp	upx
behavioral1/memory/2916-200-0x0000000013140000-0x0000000014246000-memory.dmp	upx
behavioral1/memory/232-286-0x0000000013140000-0x0000000014246000-memory.dmp	upx
behavioral1/memory/232-289-0x0000000013140000-0x0000000014246000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\Software\Microsoft\Windows\CurrentVersion\Run	msinfo32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TGS = "C:\\Users\\Admin\\AppData\\Roaming\\TGS\\TGS.exe"	msinfo32.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2916	msinfo32.exe
2916	msinfo32.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 1484 wrote to memory of 2916	1484	7d4dcff5a13e4ae85a620e5bf234af39f55ce0cc.exe	108
PID 1484 wrote to memory of 2916	1484	7d4dcff5a13e4ae85a620e5bf234af39f55ce0cc.exe	108
PID 1484 wrote to memory of 2916	1484	7d4dcff5a13e4ae85a620e5bf234af39f55ce0cc.exe	108
PID 1484 wrote to memory of 4820	1484	7d4dcff5a13e4ae85a620e5bf234af39f55ce0cc.exe	109
PID 1484 wrote to memory of 4820	1484	7d4dcff5a13e4ae85a620e5bf234af39f55ce0cc.exe	109
PID 1484 wrote to memory of 4820	1484	7d4dcff5a13e4ae85a620e5bf234af39f55ce0cc.exe	109
PID 1484 wrote to memory of 2916	1484	7d4dcff5a13e4ae85a620e5bf234af39f55ce0cc.exe	108
PID 1484 wrote to memory of 2916	1484	7d4dcff5a13e4ae85a620e5bf234af39f55ce0cc.exe	108
PID 4820 wrote to memory of 232	4820	7d4dcff5a13e4ae85a620e5bf234af39f55ce0cc.exe	110
PID 4820 wrote to memory of 232	4820	7d4dcff5a13e4ae85a620e5bf234af39f55ce0cc.exe	110
PID 4820 wrote to memory of 232	4820	7d4dcff5a13e4ae85a620e5bf234af39f55ce0cc.exe	110
PID 4820 wrote to memory of 232	4820	7d4dcff5a13e4ae85a620e5bf234af39f55ce0cc.exe	110
PID 4820 wrote to memory of 232	4820	7d4dcff5a13e4ae85a620e5bf234af39f55ce0cc.exe	110

C:\Users\Admin\AppData\Local\Temp\7d4dcff5a13e4ae85a620e5bf234af39f55ce0cc.exe
"C:\Users\Admin\AppData\Local\Temp\7d4dcff5a13e4ae85a620e5bf234af39f55ce0cc.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1484
- C:\windows\SysWOW64\msinfo32.exe
  C:\windows\syswow64\msinfo32.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2916
- C:\Users\Admin\AppData\Local\Temp\7d4dcff5a13e4ae85a620e5bf234af39f55ce0cc.exe
  C:\Users\Admin\AppData\Local\Temp\7d4dcff5a13e4ae85a620e5bf234af39f55ce0cc.exe ooooooooooooooo
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4820
- - C:\windows\SysWOW64\msinfo32.exe
    C:\windows\syswow64\msinfo32.exe
    3⤵
    - Adds Run key to start application
    PID:232

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/232-289-0x0000000013140000-0x0000000014246000-memory.dmp

Filesize
17.0MB

Download
memory/232-286-0x0000000013140000-0x0000000014246000-memory.dmp

Filesize
17.0MB

Download
memory/1484-133-0x0000000000B00000-0x0000000000B01000-memory.dmp

Filesize
4KB

Download
memory/1484-134-0x0000000000400000-0x000000000097F000-memory.dmp

Filesize
5.5MB

Download
memory/1484-135-0x0000000000B00000-0x0000000000B01000-memory.dmp

Filesize
4KB

Download
memory/1484-136-0x0000000000400000-0x000000000097F000-memory.dmp

Filesize
5.5MB

Download
memory/1484-137-0x0000000000400000-0x000000000097F000-memory.dmp

Filesize
5.5MB

Download
memory/1484-168-0x0000000000400000-0x000000000097F000-memory.dmp

Filesize
5.5MB

Download
memory/1484-169-0x0000000000400000-0x000000000097F000-memory.dmp

Filesize
5.5MB

Download
memory/1484-170-0x0000000000400000-0x000000000097F000-memory.dmp

Filesize
5.5MB

Download
memory/1484-173-0x0000000000400000-0x000000000097F000-memory.dmp

Filesize
5.5MB

Download
memory/2916-194-0x0000000013140000-0x0000000014246000-memory.dmp

Filesize
17.0MB

Download
memory/2916-197-0x0000000013140000-0x0000000014246000-memory.dmp

Filesize
17.0MB

Download
memory/2916-176-0x0000000013140000-0x0000000014246000-memory.dmp

Filesize
17.0MB

Download
memory/2916-177-0x0000000013140000-0x0000000014246000-memory.dmp

Filesize
17.0MB

Download
memory/2916-178-0x0000000013140000-0x0000000014246000-memory.dmp

Filesize
17.0MB

Download
memory/2916-179-0x0000000013140000-0x0000000014246000-memory.dmp

Filesize
17.0MB

Download
memory/2916-181-0x0000000013140000-0x0000000014246000-memory.dmp

Filesize
17.0MB

Download
memory/2916-172-0x0000000013140000-0x0000000014246000-memory.dmp

Filesize
17.0MB

Download
memory/2916-184-0x0000000013140000-0x0000000014246000-memory.dmp

Filesize
17.0MB

Download
memory/2916-200-0x0000000013140000-0x0000000014246000-memory.dmp

Filesize
17.0MB

Download
memory/2916-187-0x0000000013140000-0x0000000014246000-memory.dmp

Filesize
17.0MB

Download
memory/2916-199-0x0000000013140000-0x0000000014246000-memory.dmp

Filesize
17.0MB

Download
memory/2916-175-0x0000000013140000-0x0000000014246000-memory.dmp

Filesize
17.0MB

Download
memory/2916-174-0x0000000013140000-0x0000000014246000-memory.dmp

Filesize
17.0MB

Download
memory/2916-195-0x0000000013140000-0x0000000014246000-memory.dmp

Filesize
17.0MB

Download
memory/2916-196-0x0000000013140000-0x0000000014246000-memory.dmp

Filesize
17.0MB

Download
memory/4820-192-0x0000000000400000-0x000000000097F000-memory.dmp

Filesize
5.5MB

Download
memory/4820-190-0x0000000000400000-0x000000000097F000-memory.dmp

Filesize
5.5MB

Download
memory/4820-186-0x0000000000B40000-0x0000000000B41000-memory.dmp

Filesize
4KB

Download
memory/4820-185-0x0000000000400000-0x000000000097F000-memory.dmp

Filesize
5.5MB

Download
memory/4820-171-0x0000000000B40000-0x0000000000B41000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing