Analysis
-
max time kernel
136s -
max time network
10s -
platform
windows7_x64 -
resource
win7v20201028 -
submitted
01-03-2021 14:31
General
-
Target
IEUDLK.CJF.dll
-
Size
349KB
-
MD5
cd6461213b090d7c4eed79431d4a684f
-
SHA1
bda16ee8758cea58d83cf2b34efaf0fab6fc42a3
-
SHA256
e89ce5206b133790f9313989ebfbbd2eee1e4d9cee7c1dcfc1d0f895cda8662f
-
SHA512
81c8ee342401ea4b1eaa945f8557ecb95f81f91220dd8f110b510db2da7632aa3636a2fd72d3d1a70f213277070627ab8b0e624796b8ec0cc7aa2949fd31b7db
Malware Config
Extracted
qakbot
tr
1614598087
24.95.61.62:443
89.3.198.238:443
196.151.252.84:443
90.65.236.181:2222
2.232.253.79:995
217.133.54.140:32100
195.43.173.70:443
84.247.55.190:8443
136.232.34.70:443
45.63.107.192:443
45.77.115.208:443
149.28.98.196:995
45.32.211.207:8443
149.28.98.196:443
149.28.99.97:443
45.63.107.192:2222
207.246.77.75:443
207.246.77.75:8443
45.77.117.108:443
45.32.211.207:995
Signatures
-
Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
-
Loads dropped DLL 1 IoCs
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious behavior: MapViewOfSection 1 IoCs
-
Suspicious use of WriteProcessMemory 29 IoCs
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\IEUDLK.CJF.dll,#11⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\IEUDLK.CJF.dll,#12⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn qwqttdvm /tr "regsvr32.exe -s \"C:\Users\Admin\AppData\Local\Temp\IEUDLK.CJF.dll\"" /SC ONCE /Z /ST 14:29 /ET 14:414⤵
- Creates scheduled task(s)
-
C:\Windows\system32\taskeng.exetaskeng.exe {7713832F-0D71-47F5-9408-D2E9A7BD1806} S-1-5-18:NT AUTHORITY\System:Service:1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\regsvr32.exeregsvr32.exe -s "C:\Users\Admin\AppData\Local\Temp\IEUDLK.CJF.dll"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\regsvr32.exe-s "C:\Users\Admin\AppData\Local\Temp\IEUDLK.CJF.dll"3⤵
- Loads dropped DLL
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\IEUDLK.CJF.dllMD5
a48a5b29ae8c4960912f2d0d8649e816
SHA12f0435e2b647a85b5287f25f2e44e343b63c25df
SHA25645d55a4d11c654c7dacad8445b0ad2be33de165a68e9ecaffdec020a5615875c
SHA5128ab6791d96683b323f8f1df5f3b64f838af1a546e6963288aa0eb9f05c1c30ef2364765cbf210550a1d2eb25158f2c874a23c9bbf232a90375cfd5d24ab4c8fe
-
\Users\Admin\AppData\Local\Temp\IEUDLK.CJF.dllMD5
a48a5b29ae8c4960912f2d0d8649e816
SHA12f0435e2b647a85b5287f25f2e44e343b63c25df
SHA25645d55a4d11c654c7dacad8445b0ad2be33de165a68e9ecaffdec020a5615875c
SHA5128ab6791d96683b323f8f1df5f3b64f838af1a546e6963288aa0eb9f05c1c30ef2364765cbf210550a1d2eb25158f2c874a23c9bbf232a90375cfd5d24ab4c8fe
-
memory/536-9-0x00000000000F0000-0x0000000000125000-memory.dmpFilesize
212KB
-
memory/536-11-0x00000000000F0000-0x0000000000125000-memory.dmpFilesize
212KB
-
memory/536-6-0x0000000000000000-mapping.dmp
-
memory/536-8-0x0000000074421000-0x0000000074423000-memory.dmpFilesize
8KB
-
memory/1048-12-0x0000000000000000-mapping.dmp
-
memory/1048-13-0x000007FEFBA71000-0x000007FEFBA73000-memory.dmpFilesize
8KB
-
memory/1200-10-0x0000000000000000-mapping.dmp
-
memory/1780-15-0x0000000000000000-mapping.dmp
-
memory/2024-5-0x0000000010000000-0x0000000018255000-memory.dmpFilesize
130.3MB
-
memory/2024-0-0x0000000000000000-mapping.dmp
-
memory/2024-4-0x00000000021C0000-0x000000000A415000-memory.dmpFilesize
130.3MB
-
memory/2024-3-0x0000000075781000-0x0000000075783000-memory.dmpFilesize
8KB