bandook | 8f1ede8e647860581f1baa5f3c5eed5d4e8bbfd64ddfe896f9a92106d1ef19f3

General

Target

b7edddb3d7041c22515c911b667c0150N.exe
Size

1.2MB
MD5

b7edddb3d7041c22515c911b667c0150
SHA1

3281cf78a8584b1498c064be10d3418bd221b29c
SHA256

8f1ede8e647860581f1baa5f3c5eed5d4e8bbfd64ddfe896f9a92106d1ef19f3
SHA512

f2a10053bcfffdbf14c7042b069369551e0b974d9524ac4e9ad70656a510e59b095acf391d3660b448da4059ad33537e48a90243df8a70967cfb4edfa7b7c46a
SSDEEP

24576:2ryExVz6NBWgLSffv5b8zJE8WipL5Nbs85ak:24aF8KiZ5u

Score

10^/10

bandook discovery persistence rat trojan

Malware Config

Extracted

Family

bandook

C2

ezeigbo.ddns.net

Signatures

Bandook RAT
Bandook is a remote access tool written in C++ and shipped with a loader written in Delphi.
rat trojan bandook

Bandook payload 4 IoCs

resource	yara_rule
behavioral2/memory/3248-5-0x0000000013140000-0x0000000013B93000-memory.dmp	family_bandook
behavioral2/memory/3248-7-0x0000000013140000-0x0000000013B93000-memory.dmp	family_bandook
behavioral2/memory/3248-9-0x0000000013140000-0x0000000013B93000-memory.dmp	family_bandook
behavioral2/memory/3248-10-0x0000000013140000-0x0000000013B93000-memory.dmp	family_bandook

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KLIM = "C:\\Users\\Admin\\AppData\\Roaming\\KLMS\\klim.exe"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KLIM = "C:\\Users\\Admin\\AppData\\Roaming\\KLMS\\klim.exe"	iexplore.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4936 set thread context of 3248	4936	b7edddb3d7041c22515c911b667c0150N.exe	95

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b7edddb3d7041c22515c911b667c0150N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b7edddb3d7041c22515c911b667c0150N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iexplore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iexplore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iexplore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iexplore.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 4936 wrote to memory of 3248	4936	b7edddb3d7041c22515c911b667c0150N.exe	95
PID 4936 wrote to memory of 3248	4936	b7edddb3d7041c22515c911b667c0150N.exe	95
PID 4936 wrote to memory of 3248	4936	b7edddb3d7041c22515c911b667c0150N.exe	95
PID 4936 wrote to memory of 3248	4936	b7edddb3d7041c22515c911b667c0150N.exe	95
PID 4936 wrote to memory of 3248	4936	b7edddb3d7041c22515c911b667c0150N.exe	95
PID 3248 wrote to memory of 3220	3248	b7edddb3d7041c22515c911b667c0150N.exe	96
PID 3248 wrote to memory of 3220	3248	b7edddb3d7041c22515c911b667c0150N.exe	96
PID 3248 wrote to memory of 3220	3248	b7edddb3d7041c22515c911b667c0150N.exe	96
PID 3248 wrote to memory of 3220	3248	b7edddb3d7041c22515c911b667c0150N.exe	96
PID 3248 wrote to memory of 1620	3248	b7edddb3d7041c22515c911b667c0150N.exe	97
PID 3248 wrote to memory of 1620	3248	b7edddb3d7041c22515c911b667c0150N.exe	97
PID 3248 wrote to memory of 1620	3248	b7edddb3d7041c22515c911b667c0150N.exe	97
PID 3248 wrote to memory of 1620	3248	b7edddb3d7041c22515c911b667c0150N.exe	97
PID 3248 wrote to memory of 2604	3248	b7edddb3d7041c22515c911b667c0150N.exe	98
PID 3248 wrote to memory of 2604	3248	b7edddb3d7041c22515c911b667c0150N.exe	98
PID 3248 wrote to memory of 2604	3248	b7edddb3d7041c22515c911b667c0150N.exe	98
PID 3248 wrote to memory of 2604	3248	b7edddb3d7041c22515c911b667c0150N.exe	98
PID 3248 wrote to memory of 1068	3248	b7edddb3d7041c22515c911b667c0150N.exe	99
PID 3248 wrote to memory of 1068	3248	b7edddb3d7041c22515c911b667c0150N.exe	99
PID 3248 wrote to memory of 1068	3248	b7edddb3d7041c22515c911b667c0150N.exe	99
PID 3248 wrote to memory of 1068	3248	b7edddb3d7041c22515c911b667c0150N.exe	99

C:\Users\Admin\AppData\Local\Temp\b7edddb3d7041c22515c911b667c0150N.exe
"C:\Users\Admin\AppData\Local\Temp\b7edddb3d7041c22515c911b667c0150N.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4936
- C:\Users\Admin\AppData\Local\Temp\b7edddb3d7041c22515c911b667c0150N.exe
  "C:\Users\Admin\AppData\Local\Temp\b7edddb3d7041c22515c911b667c0150N.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3248
- - C:\Program Files (x86)\Internet Explorer\iexplore.exe
    "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3220
- - C:\Program Files (x86)\Internet Explorer\iexplore.exe
    "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
    3⤵
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    PID:1620
- - C:\Program Files (x86)\Internet Explorer\iexplore.exe
    "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2604
- - C:\Program Files (x86)\Internet Explorer\iexplore.exe
    "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
    3⤵
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    PID:1068

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\KLMS\klim.exe

Filesize
1.2MB

MD5
b7edddb3d7041c22515c911b667c0150

SHA1
3281cf78a8584b1498c064be10d3418bd221b29c

SHA256
8f1ede8e647860581f1baa5f3c5eed5d4e8bbfd64ddfe896f9a92106d1ef19f3

SHA512
f2a10053bcfffdbf14c7042b069369551e0b974d9524ac4e9ad70656a510e59b095acf391d3660b448da4059ad33537e48a90243df8a70967cfb4edfa7b7c46a

Download Submit
memory/3248-5-0x0000000013140000-0x0000000013B93000-memory.dmp

Filesize
10.3MB

Download
memory/3248-7-0x0000000013140000-0x0000000013B93000-memory.dmp

Filesize
10.3MB

Download
memory/3248-9-0x0000000013140000-0x0000000013B93000-memory.dmp

Filesize
10.3MB

Download
memory/3248-10-0x0000000013140000-0x0000000013B93000-memory.dmp

Filesize
10.3MB

Download
memory/4936-0-0x0000000000830000-0x0000000000831000-memory.dmp

Filesize
4KB

Download
memory/4936-2-0x0000000000830000-0x0000000000831000-memory.dmp

Filesize
4KB

Download
memory/4936-1-0x0000000000400000-0x0000000000557000-memory.dmp

Filesize
1.3MB

Download
memory/4936-8-0x0000000000400000-0x0000000000557000-memory.dmp

Filesize
1.3MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads