44267.7472592593.dat

General
Target:    44267.7472592593.dat.dll
Filesize:  720KB
Completed: 12-03-2021 17:58
Score:     10/10
MD5:       2a4480ac07ecbe8d0671ec947c1b84c6
SHA1:      0402ab7b5665b4d2edfc39091ecfe57e8b64bce5
SHA256:    ff55279d5ef18ff4efb6cd662a7f94f4a5498ccaa2db27df946b6118a32a7c84

Malware Config (Extracted)
Family:   qakbot
Botnet:   obama12
Campaign: 1615566531
C2:


Signatures (5)

  • Qakbot/Qbot

    Description

    Qbot or Qakbot is a sophisticated worm with banking capabilities.

  • Program crash
    WerFault.exe

    Reported IOCs

    pid   pid_target  process       target process
    4176  4724        WerFault.exe  rundll32.exe
  • Suspicious behavior: EnumeratesProcesses
    WerFault.exe

    Reported IOCs

    pid   process
    4176  WerFault.exe  (reported 15 times)
  • Suspicious use of AdjustPrivilegeToken
    WerFault.exe

    Reported IOCs

    description                pid   process
    Token: SeRestorePrivilege  4176  WerFault.exe
    Token: SeBackupPrivilege   4176  WerFault.exe
    Token: SeDebugPrivilege    4176  WerFault.exe
  • Suspicious use of WriteProcessMemory
    rundll32.exe

    Reported IOCs

    description                       pid   process       target process
    PID 4704 wrote to memory of 4724  4704  rundll32.exe  rundll32.exe  (reported 3 times)

Processes (3)
  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\44267.7472592593.dat.dll,#1
    Suspicious use of WriteProcessMemory
    PID:4704
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\44267.7472592593.dat.dll,#1
      PID:4724
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4724 -s 764
        Program crash
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        PID:4176
Downloads
  • memory/4176-6-0x0000000004780000-0x0000000004781000-memory.dmp
  • memory/4724-2-0x0000000000000000-mapping.dmp
  • memory/4724-3-0x0000000004E10000-0x0000000004E11000-memory.dmp
  • memory/4724-4-0x0000000004FE0000-0x0000000005019000-memory.dmp
  • memory/4724-5-0x0000000005060000-0x000000000509B000-memory.dmp