bandook | 981833615556263d376335312e04dcda5204a489a8362a8e7f69dd0c92cbe7c0

General

Target

Factura_de_pago#0101.exe
Size

10.3MB
MD5

3ca635e112a87190cc373651c35f65d3
SHA1

f7e87f471c5ef778771c3e8d14c4085550aac79a
SHA256

981833615556263d376335312e04dcda5204a489a8362a8e7f69dd0c92cbe7c0
SHA512

1fbff3366a83d34348697402b547972ea9165b55a5f441ede973a6777eb25093991099105493d1d41f2634d5873475342485d353414676c377f4771f781804e9
SSDEEP

49152:lRyNxSzbVQ8KjAEmNP7XZPGA+DBo6ZZbi/ogWokoimnR2B+8J+E9g1Vr/1FhOsjH:lRe

Score

10^/10

bandook rat trojan upx

Malware Config

Extracted

Family

bandook

C2

185.10.68.52

Signatures

Bandook RAT
Bandook is a remote access tool written in C++ and shipped with a loader written in Delphi.
rat trojan bandook

Bandook payload 7 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2660-46-0x0000000013140000-0x000000001468A000-memory.dmp	family_bandook
behavioral1/memory/2660-45-0x0000000013140000-0x000000001468A000-memory.dmp	family_bandook
behavioral1/memory/2660-47-0x0000000013140000-0x000000001468A000-memory.dmp	family_bandook
behavioral1/memory/2660-48-0x0000000013140000-0x000000001468A000-memory.dmp	family_bandook
behavioral1/memory/2660-49-0x0000000013140000-0x000000001468A000-memory.dmp	family_bandook
behavioral1/memory/2660-51-0x0000000013140000-0x000000001468A000-memory.dmp	family_bandook
behavioral1/memory/2660-53-0x0000000013140000-0x000000001468A000-memory.dmp	family_bandook

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2660-43-0x0000000013140000-0x000000001468A000-memory.dmp	upx
behavioral1/memory/2660-44-0x0000000013140000-0x000000001468A000-memory.dmp	upx
behavioral1/memory/2660-46-0x0000000013140000-0x000000001468A000-memory.dmp	upx
behavioral1/memory/2660-45-0x0000000013140000-0x000000001468A000-memory.dmp	upx
behavioral1/memory/2660-47-0x0000000013140000-0x000000001468A000-memory.dmp	upx
behavioral1/memory/2660-48-0x0000000013140000-0x000000001468A000-memory.dmp	upx
behavioral1/memory/2660-49-0x0000000013140000-0x000000001468A000-memory.dmp	upx
behavioral1/memory/2660-51-0x0000000013140000-0x000000001468A000-memory.dmp	upx
behavioral1/memory/2660-53-0x0000000013140000-0x000000001468A000-memory.dmp	upx

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

msinfo32.exe

pid process

2660 msinfo32.exe

pid	process
2660	msinfo32.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

Factura_de_pago#0101.exe

description	pid	process	target process
PID 2044 wrote to memory of 2660	2044	Factura_de_pago#0101.exe	msinfo32.exe
PID 2044 wrote to memory of 2660	2044	Factura_de_pago#0101.exe	msinfo32.exe
PID 2044 wrote to memory of 2660	2044	Factura_de_pago#0101.exe	msinfo32.exe
PID 2044 wrote to memory of 2660	2044	Factura_de_pago#0101.exe	msinfo32.exe
PID 2044 wrote to memory of 2536	2044	Factura_de_pago#0101.exe	Factura_de_pago#0101.exe
PID 2044 wrote to memory of 2536	2044	Factura_de_pago#0101.exe	Factura_de_pago#0101.exe
PID 2044 wrote to memory of 2536	2044	Factura_de_pago#0101.exe	Factura_de_pago#0101.exe
PID 2044 wrote to memory of 2536	2044	Factura_de_pago#0101.exe	Factura_de_pago#0101.exe
PID 2044 wrote to memory of 2660	2044	Factura_de_pago#0101.exe	msinfo32.exe
PID 2044 wrote to memory of 2660	2044	Factura_de_pago#0101.exe	msinfo32.exe

C:\Users\Admin\AppData\Local\Temp\Factura_de_pago#0101.exe
"C:\Users\Admin\AppData\Local\Temp\Factura_de_pago#0101.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2044
- C:\windows\syswow64\msinfo32.exe
  C:\windows\syswow64\msinfo32.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2660
- C:\Users\Admin\AppData\Local\Temp\Factura_de_pago#0101.exe
  C:\Users\Admin\AppData\Local\Temp\Factura_de_pago#0101.exe ooooooooooooooo
  2⤵
  PID:2536

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2044-36-0x0000000000400000-0x0000000000E57000-memory.dmp

Filesize
10.3MB

Download
memory/2044-56-0x0000000000400000-0x0000000000E57000-memory.dmp

Filesize
10.3MB

Download
memory/2044-2-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2044-3-0x0000000000400000-0x0000000000E57000-memory.dmp

Filesize
10.3MB

Download
memory/2044-4-0x0000000000400000-0x0000000000E57000-memory.dmp

Filesize
10.3MB

Download
memory/2044-35-0x0000000000400000-0x0000000000E57000-memory.dmp

Filesize
10.3MB

Download
memory/2044-1-0x0000000000400000-0x0000000000E57000-memory.dmp

Filesize
10.3MB

Download
memory/2044-37-0x0000000000400000-0x0000000000E57000-memory.dmp

Filesize
10.3MB

Download
memory/2044-0-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2044-40-0x0000000000400000-0x0000000000E57000-memory.dmp

Filesize
10.3MB

Download
memory/2536-54-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2536-38-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2536-57-0x0000000000400000-0x0000000000E57000-memory.dmp

Filesize
10.3MB

Download
memory/2536-55-0x0000000000400000-0x0000000000E57000-memory.dmp

Filesize
10.3MB

Download
memory/2660-43-0x0000000013140000-0x000000001468A000-memory.dmp

Filesize
21.3MB

Download
memory/2660-45-0x0000000013140000-0x000000001468A000-memory.dmp

Filesize
21.3MB

Download
memory/2660-47-0x0000000013140000-0x000000001468A000-memory.dmp

Filesize
21.3MB

Download
memory/2660-48-0x0000000013140000-0x000000001468A000-memory.dmp

Filesize
21.3MB

Download
memory/2660-49-0x0000000013140000-0x000000001468A000-memory.dmp

Filesize
21.3MB

Download
memory/2660-51-0x0000000013140000-0x000000001468A000-memory.dmp

Filesize
21.3MB

Download
memory/2660-53-0x0000000013140000-0x000000001468A000-memory.dmp

Filesize
21.3MB

Download
memory/2660-46-0x0000000013140000-0x000000001468A000-memory.dmp

Filesize
21.3MB

Download
memory/2660-44-0x0000000013140000-0x000000001468A000-memory.dmp

Filesize
21.3MB

Download
memory/2660-41-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2660-39-0x0000000013140000-0x000000001468A000-memory.dmp

Filesize
21.3MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads