Overview

overview

10

Static

static

8c4b601938...23.dll

windows7_x64

10

8c4b601938...23.dll

windows10_x64

10

Analysis

  • max time kernel
    128s
  • max time network
    11s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    04-12-2020 18:45

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    8c4b601938850ae85f6faea32989b6d4cb28cbc9b7711ef0a32a05442003b023.dll

  • Size

    249KB

  • MD5

    bf8e148474128895d41dfd384578c648

  • SHA1

    dd87608e706f9d99fe75937723ecea5460fb1afb

  • SHA256

    8c4b601938850ae85f6faea32989b6d4cb28cbc9b7711ef0a32a05442003b023

  • SHA512

    cd6f8831622faec9720b7588d6827ac33e2914210396138e23bf4e8ce5ff93b100a7fd29e7118abe45dee5583840fbc408f1c80a350b9e3803f164195c20438e

Score
10/10
qakbottr021606748059bankerstealertrojan

Malware Config

Extracted

Family

qakbot

Botnet

tr02

Campaign

1606748059

C2

197.45.110.165:995

86.99.134.235:2222

174.76.21.134:443

208.99.100.129:443

86.126.198.195:443

185.105.131.233:443

85.132.36.111:2222

105.198.236.101:443

2.49.219.254:22

217.165.2.92:995

67.6.54.180:443

5.193.115.251:2222

83.196.50.197:2222

89.3.198.238:443

94.141.3.242:443

73.239.229.107:995

217.165.15.245:2222

68.225.60.77:995

85.121.42.12:443

99.240.226.2:443

Signatures

  • Qakbot/Qbot

    Qbot or Qakbot is a sophisticated worm with banking capabilities.

    trojanbankerstealerqakbot
  • Loads dropped DLL 1 IoCs
  • Program crash 1 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 10 IoCs
  • Suspicious use of SendNotifyMessage 10 IoCs
  • Suspicious use of WriteProcessMemory 33 IoCs

Processes

  • C:\Windows\system32\regsvr32.exe
    regsvr32 /s C:\Users\Admin\AppData\Local\Temp\8c4b601938850ae85f6faea32989b6d4cb28cbc9b7711ef0a32a05442003b023.dll
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:748
    • C:\Windows\SysWOW64\regsvr32.exe
      /s C:\Users\Admin\AppData\Local\Temp\8c4b601938850ae85f6faea32989b6d4cb28cbc9b7711ef0a32a05442003b023.dll
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:2012
      • C:\Windows\SysWOW64\explorer.exe
        C:\Windows\SysWOW64\explorer.exe
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1340
        • C:\Windows\SysWOW64\schtasks.exe
          "C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn fyowmrkv /tr "regsvr32.exe -s \"C:\Users\Admin\AppData\Local\Temp\8c4b601938850ae85f6faea32989b6d4cb28cbc9b7711ef0a32a05442003b023.dll\"" /SC ONCE /Z /ST 18:43 /ET 18:55
          4⤵
          • Creates scheduled task(s)
          PID:1576
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2012 -s 436
        3⤵
        • Program crash
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of AdjustPrivilegeToken
        PID:1504
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {B20F844D-E078-462D-9AE7-DAF46E4027A9} S-1-5-18:NT AUTHORITY\System:Service:
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1148
    • C:\Windows\system32\regsvr32.exe
      regsvr32.exe -s "C:\Users\Admin\AppData\Local\Temp\8c4b601938850ae85f6faea32989b6d4cb28cbc9b7711ef0a32a05442003b023.dll"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:848
      • C:\Windows\SysWOW64\regsvr32.exe
        -s "C:\Users\Admin\AppData\Local\Temp\8c4b601938850ae85f6faea32989b6d4cb28cbc9b7711ef0a32a05442003b023.dll"
        3⤵
        • Loads dropped DLL
        PID:576

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\8c4b601938850ae85f6faea32989b6d4cb28cbc9b7711ef0a32a05442003b023.dll
    MD5

    e22997f0b8b9b7716c04d5d7eeec3489

    SHA1

    7855c8375bf78ea1f46e0d482d27e823df5b7332

    SHA256

    82248e3adf66f205b5c02ad12adcb4ad85d85499e0e8685ddbc40e79c538ab16

    SHA512

    ed1f305878ef0fb3e17118d9660e893716213adac94e9db83f00c2b73a0bd1259fb21cb425fcf1ce3b5e62c2eb85244444c65139ea313e5ffd9130416c98dace

    Download Submit
  • \Users\Admin\AppData\Local\Temp\8c4b601938850ae85f6faea32989b6d4cb28cbc9b7711ef0a32a05442003b023.dll
    MD5

    e22997f0b8b9b7716c04d5d7eeec3489

    SHA1

    7855c8375bf78ea1f46e0d482d27e823df5b7332

    SHA256

    82248e3adf66f205b5c02ad12adcb4ad85d85499e0e8685ddbc40e79c538ab16

    SHA512

    ed1f305878ef0fb3e17118d9660e893716213adac94e9db83f00c2b73a0bd1259fb21cb425fcf1ce3b5e62c2eb85244444c65139ea313e5ffd9130416c98dace

    Download Submit
  • memory/576-16-0x0000000000000000-mapping.dmp
    Download
  • memory/848-14-0x0000000000000000-mapping.dmp
    Download
  • memory/1340-13-0x0000000000080000-0x00000000000A0000-memory.dmp
    Filesize

    128KB

    Download
  • memory/1340-3-0x00000000000A0000-0x00000000000A2000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1340-5-0x0000000000000000-mapping.dmp
    Download
  • memory/1504-6-0x0000000000000000-mapping.dmp
    Download
  • memory/1504-11-0x0000000002730000-0x0000000002741000-memory.dmp
    Filesize

    68KB

    Download
  • memory/1504-7-0x0000000001FD0000-0x0000000001FE1000-memory.dmp
    Filesize

    68KB

    Download
  • memory/1576-12-0x0000000000000000-mapping.dmp
    Download
  • memory/2012-10-0x0000000000000000-mapping.dmp
    Download
  • memory/2012-9-0x0000000000000000-mapping.dmp
    Download
  • memory/2012-8-0x0000000000000000-mapping.dmp
    Download
  • memory/2012-2-0x0000000000000000-mapping.dmp
    Download
  • memory/2012-4-0x00000000005C0000-0x00000000005E0000-memory.dmp
    Filesize

    128KB

    Download