Analysis
-
max time kernel
129s -
max time network
63s -
platform
windows7_x64 -
resource
win7v200430 -
submitted
20-05-2020 15:14
Static task
static1
Behavioral task
behavioral1
Sample
Darlehensvertrag_237886470423_19052020.vbs
Resource
win7v200430
General
-
Target
Darlehensvertrag_237886470423_19052020.vbs
-
Size
36.3MB
-
MD5
a6eb9d904fc5eddda76ad4f9cf678e03
-
SHA1
c370a3c9e108ae2452dfdedc91a2aa04634c7002
-
SHA256
dfacae17a54e54e9b25d77399619859ed6b196318bd06341c22c7a8b4a090254
-
SHA512
c00ac4ecaf2623ac4eb4d47191b3b0608d80bd3da552310652a2ccbc306b408f8c0d6d9e3f35208e2ad93b0c7a872ff8c055db7f2a3ecbb259ae639b55d780fb
Malware Config
Extracted
qakbot
spx123
1589977350
71.77.252.14:2222
174.130.225.61:443
76.187.97.98:2222
187.19.151.218:995
82.127.193.151:2222
72.204.242.138:993
72.204.242.138:993
66.208.105.6:443
24.183.39.93:443
98.243.187.85:443
68.49.120.179:443
72.204.242.138:995
72.29.181.77:2078
72.204.242.138:443
24.136.33.120:2222
96.56.237.174:990
107.2.148.99:443
216.201.162.158:443
71.213.29.14:995
84.247.55.190:443
86.124.2.219:443
189.236.29.119:443
199.116.241.147:443
79.115.20.123:443
67.170.137.8:443
200.113.201.83:993
100.12.173.247:995
82.210.157.185:443
79.78.131.124:443
186.94.179.27:2078
102.41.121.242:995
24.202.42.48:2222
208.93.202.49:443
72.16.212.108:465
98.118.156.172:443
31.125.140.150:2222
5.36.67.194:443
108.30.125.94:443
190.130.235.79:443
151.205.102.42:443
68.39.160.40:443
68.204.164.222:443
108.54.205.207:443
47.203.89.185:443
79.114.195.15:443
174.34.67.106:2222
73.214.231.2:443
96.18.240.158:443
156.222.43.142:995
178.27.203.107:443
116.202.36.62:21
173.173.68.41:443
47.136.224.60:443
80.184.100.90:443
100.40.48.96:443
71.56.53.127:443
68.4.137.211:443
92.17.167.87:2222
188.27.64.124:443
96.23.62.35:2222
46.102.65.66:443
185.145.113.249:443
181.140.208.0:443
66.57.216.53:993
197.210.96.222:995
46.102.52.45:443
72.240.245.253:443
59.98.97.3:443
140.82.21.191:443
72.132.249.144:995
86.97.85.36:443
86.124.215.242:21
5.14.251.226:443
148.75.231.53:443
75.110.250.89:443
47.232.26.181:443
47.180.66.10:443
71.8.33.238:443
24.188.48.139:443
117.241.53.134:443
41.96.159.95:443
100.38.123.22:443
5.182.39.156:443
207.255.161.8:2222
85.204.189.105:443
81.245.66.237:995
79.101.206.85:995
86.166.85.205:2222
68.174.15.223:443
173.245.152.231:443
137.103.143.124:443
73.23.194.75:443
81.196.29.4:2222
184.164.160.157:995
82.76.171.120:443
46.214.62.199:443
98.121.187.78:443
76.117.227.153:443
189.159.144.227:995
81.133.234.36:2222
117.216.184.78:443
79.116.237.126:443
187.155.61.44:443
31.5.189.71:443
72.204.242.138:443
72.204.242.138:2078
72.204.242.138:990
47.153.115.154:443
207.255.161.8:995
207.255.161.8:2078
50.244.112.10:443
66.76.255.133:2078
72.204.242.138:20
77.159.149.74:443
65.116.179.83:443
96.35.170.82:2222
72.204.242.138:2087
71.193.126.206:443
142.129.227.86:443
72.204.242.138:53
207.255.161.8:2087
84.117.60.157:443
24.96.22.21:443
207.255.161.8:32102
108.58.9.238:995
173.175.29.210:443
1.40.42.4:443
74.33.69.208:443
70.183.127.6:995
66.222.88.126:995
115.134.147.27:443
47.152.210.233:443
172.242.156.50:443
65.24.76.114:443
78.96.245.58:443
70.124.29.226:443
86.124.228.119:443
24.43.22.220:993
188.173.214.88:443
24.231.54.185:2222
64.121.114.87:443
184.21.151.81:995
209.182.121.133:2222
203.213.104.25:995
72.183.129.56:443
68.98.142.248:995
86.3.137.90:443
107.5.252.194:443
94.52.160.116:443
188.173.185.139:443
Signatures
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Blacklisted process makes network request 1 IoCs
Processes:
WScript.exeflow pid process 4 272 WScript.exe -
Suspicious use of WriteProcessMemory 25 IoCs
Processes:
WScript.exePicturesViewer.exeppajeu.exedescription pid process target process PID 272 wrote to memory of 268 272 WScript.exe PicturesViewer.exe PID 272 wrote to memory of 268 272 WScript.exe PicturesViewer.exe PID 272 wrote to memory of 268 272 WScript.exe PicturesViewer.exe PID 272 wrote to memory of 268 272 WScript.exe PicturesViewer.exe PID 268 wrote to memory of 1196 268 PicturesViewer.exe PicturesViewer.exe PID 268 wrote to memory of 1196 268 PicturesViewer.exe PicturesViewer.exe PID 268 wrote to memory of 1196 268 PicturesViewer.exe PicturesViewer.exe PID 268 wrote to memory of 1196 268 PicturesViewer.exe PicturesViewer.exe PID 268 wrote to memory of 1140 268 PicturesViewer.exe ppajeu.exe PID 268 wrote to memory of 1140 268 PicturesViewer.exe ppajeu.exe PID 268 wrote to memory of 1140 268 PicturesViewer.exe ppajeu.exe PID 268 wrote to memory of 1140 268 PicturesViewer.exe ppajeu.exe PID 268 wrote to memory of 608 268 PicturesViewer.exe schtasks.exe PID 268 wrote to memory of 608 268 PicturesViewer.exe schtasks.exe PID 268 wrote to memory of 608 268 PicturesViewer.exe schtasks.exe PID 268 wrote to memory of 608 268 PicturesViewer.exe schtasks.exe PID 1140 wrote to memory of 1600 1140 ppajeu.exe ppajeu.exe PID 1140 wrote to memory of 1600 1140 ppajeu.exe ppajeu.exe PID 1140 wrote to memory of 1600 1140 ppajeu.exe ppajeu.exe PID 1140 wrote to memory of 1600 1140 ppajeu.exe ppajeu.exe PID 1140 wrote to memory of 1644 1140 ppajeu.exe explorer.exe PID 1140 wrote to memory of 1644 1140 ppajeu.exe explorer.exe PID 1140 wrote to memory of 1644 1140 ppajeu.exe explorer.exe PID 1140 wrote to memory of 1644 1140 ppajeu.exe explorer.exe PID 1140 wrote to memory of 1644 1140 ppajeu.exe explorer.exe -
Executes dropped EXE 4 IoCs
Processes:
PicturesViewer.exePicturesViewer.exeppajeu.exeppajeu.exepid process 268 PicturesViewer.exe 1196 PicturesViewer.exe 1140 ppajeu.exe 1600 ppajeu.exe -
Suspicious behavior: EnumeratesProcesses 8 IoCs
Processes:
PicturesViewer.exePicturesViewer.exeppajeu.exeppajeu.exeexplorer.exepid process 268 PicturesViewer.exe 1196 PicturesViewer.exe 1196 PicturesViewer.exe 1140 ppajeu.exe 1600 ppajeu.exe 1600 ppajeu.exe 1644 explorer.exe 1644 explorer.exe -
Loads dropped DLL 3 IoCs
Processes:
PicturesViewer.exepid process 268 PicturesViewer.exe 268 PicturesViewer.exe 268 PicturesViewer.exe -
Suspicious behavior: MapViewOfSection 1 IoCs
Processes:
ppajeu.exepid process 1140 ppajeu.exe
Processes
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Darlehensvertrag_237886470423_19052020.vbs"1⤵
- Blacklisted process makes network request
- Suspicious use of WriteProcessMemory
PID:272 -
C:\Users\Admin\AppData\Local\Temp\PicturesViewer.exeC:\Users\Admin\AppData\Local\Temp\PicturesViewer.exe2⤵
- Suspicious use of WriteProcessMemory
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Loads dropped DLL
PID:268 -
C:\Users\Admin\AppData\Local\Temp\PicturesViewer.exeC:\Users\Admin\AppData\Local\Temp\PicturesViewer.exe /C3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1196 -
C:\Users\Admin\AppData\Roaming\Microsoft\Zzexu\ppajeu.exeC:\Users\Admin\AppData\Roaming\Microsoft\Zzexu\ppajeu.exe3⤵
- Suspicious use of WriteProcessMemory
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1140 -
C:\Users\Admin\AppData\Roaming\Microsoft\Zzexu\ppajeu.exeC:\Users\Admin\AppData\Roaming\Microsoft\Zzexu\ppajeu.exe /C4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1600 -
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe4⤵
- Suspicious behavior: EnumeratesProcesses
PID:1644 -
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn dbfwkuui /tr "\"C:\Users\Admin\AppData\Local\Temp\PicturesViewer.exe\" /I dbfwkuui" /SC ONCE /Z /ST 17:18 /ET 17:303⤵
- Creates scheduled task(s)
PID:608