Bandook is a remote access trojan that has been under continuous development since it was first detected in 2007 and has been used in various campaigns by different threat actors over the years. Recently, FortiGuard Labs identified a new Bandook variant distributed via a PDF file containing a shortened URL that downloads a password-protected .7z archive. After the victim extracts the malware using the password given in the PDF, the malware injects its payload into msinfo32.exe. This new variant is being distributed via a Spanish-language PDF file.
IoC
REFERENCES
- https://www.fortinet.com/blog/threat-research/bandook-persistent-threat-that-keeps-evolving
- https://otx.alienvault.com/pulse/658c37500d4737e0ef37ec5c
TAGS
remote access trojan, bandook, appdata, c2 server, init function