Analysis
-
max time kernel
15s -
max time network
135s -
platform
windows10_x64 -
resource
win10v20210410 -
submitted
12-04-2021 21:42
Static task
static1
Behavioral task
behavioral1
Sample
80cfabe6a394c7737a22d5ea72c604fb65fb6b66e979e848d07507343fbdb705.dll
Resource
win7v20210410
General
-
Target
80cfabe6a394c7737a22d5ea72c604fb65fb6b66e979e848d07507343fbdb705.dll
-
Size
1.4MB
-
MD5
6bddbc2adb3ba1c00f82a27bf6a1a984
-
SHA1
06a5ac5269665d1a9faa1f1ef726a1a3a5d1529f
-
SHA256
80cfabe6a394c7737a22d5ea72c604fb65fb6b66e979e848d07507343fbdb705
-
SHA512
9173bdba5169c80ba24bac4190295412fb38ad65f483a44b85168bc0b9f8918280bdde62293a55602befc729ea3fa0758a48b4fcd2433389700a4e9b99b61e79
Malware Config
Extracted
qakbot
clinton01
1618240616
193.248.221.184:2222
96.61.23.88:995
75.67.192.125:443
78.63.226.32:443
186.28.181.226:443
45.46.53.140:2222
190.85.91.154:443
105.198.236.101:443
136.232.34.70:443
140.82.49.12:443
197.45.110.165:995
216.201.162.158:443
189.210.115.207:443
149.28.101.90:2222
45.63.107.192:2222
45.32.211.207:443
45.32.211.207:995
45.32.211.207:8443
45.32.211.207:2222
149.28.98.196:443
149.28.101.90:8443
207.246.77.75:2222
207.246.116.237:995
207.246.116.237:2222
45.77.117.108:995
149.28.99.97:443
149.28.99.97:995
149.28.98.196:2222
149.28.98.196:995
144.202.38.185:2222
144.202.38.185:443
149.28.101.90:443
149.28.101.90:995
45.77.115.208:995
45.77.115.208:2222
45.77.115.208:8443
207.246.77.75:443
207.246.77.75:995
207.246.77.75:8443
207.246.116.237:443
207.246.116.237:8443
45.77.117.108:443
45.77.117.108:2222
45.77.117.108:8443
45.63.107.192:443
144.202.38.185:995
45.77.115.208:443
151.205.102.42:443
97.69.160.4:2222
72.240.200.181:2222
90.65.236.181:2222
50.244.112.106:443
75.137.47.174:443
71.41.184.10:3389
47.22.148.6:443
73.25.124.140:2222
24.152.219.253:995
86.190.41.156:443
47.196.192.184:443
105.198.236.99:443
24.139.72.117:443
24.229.150.54:995
24.55.112.61:443
81.97.154.100:443
24.117.107.120:443
71.187.170.235:443
75.118.1.141:443
71.74.12.34:443
45.63.107.192:995
188.26.91.212:443
27.223.92.142:995
115.133.243.6:443
149.28.99.97:2222
173.21.10.71:2222
50.29.166.232:995
109.12.111.14:443
76.25.142.196:443
95.77.223.148:443
71.197.126.250:443
67.165.206.193:993
94.59.106.186:2078
83.110.109.164:2222
108.14.4.202:443
98.252.118.134:443
24.43.22.221:993
71.163.222.243:443
64.121.114.87:443
72.252.201.69:443
98.192.185.86:443
86.220.62.251:2222
144.139.47.206:443
96.37.113.36:993
222.153.174.162:995
24.226.156.153:443
172.78.56.208:443
67.8.103.21:443
77.27.207.217:995
24.95.61.62:443
77.211.30.202:995
92.59.35.196:2222
106.51.52.111:995
184.189.122.72:443
195.12.154.8:443
68.186.192.69:443
75.136.40.155:443
71.117.132.169:443
96.21.251.127:2222
71.199.192.62:443
70.168.130.172:995
83.196.56.65:2222
81.214.126.173:2222
82.12.157.95:995
209.210.187.52:995
209.210.187.52:443
67.6.12.4:443
189.222.59.177:443
174.104.22.30:443
142.117.191.18:2222
189.146.183.105:443
213.60.147.140:443
196.221.207.137:995
108.46.145.30:443
187.250.238.164:995
2.7.116.188:2222
195.43.173.70:443
106.250.150.98:443
45.67.231.247:443
83.110.103.152:443
83.110.9.71:2222
78.97.207.104:443
59.90.246.200:443
80.227.5.69:443
125.63.101.62:443
86.236.77.68:2222
109.106.69.138:2222
84.72.35.226:443
217.133.54.140:32100
197.161.154.132:443
89.137.211.239:995
74.222.204.82:995
122.148.156.131:995
156.223.110.23:443
144.139.166.18:443
202.185.166.181:443
76.94.200.148:995
71.63.120.101:443
196.151.252.84:443
202.188.138.162:443
74.68.144.202:443
69.58.147.82:2078
Signatures
-
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 3616 2300 WerFault.exe rundll32.exe -
Suspicious behavior: EnumeratesProcesses 16 IoCs
Processes:
rundll32.exeWerFault.exepid process 2300 rundll32.exe 2300 rundll32.exe 3616 WerFault.exe 3616 WerFault.exe 3616 WerFault.exe 3616 WerFault.exe 3616 WerFault.exe 3616 WerFault.exe 3616 WerFault.exe 3616 WerFault.exe 3616 WerFault.exe 3616 WerFault.exe 3616 WerFault.exe 3616 WerFault.exe 3616 WerFault.exe 3616 WerFault.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
WerFault.exedescription pid process Token: SeRestorePrivilege 3616 WerFault.exe Token: SeBackupPrivilege 3616 WerFault.exe Token: SeDebugPrivilege 3616 WerFault.exe -
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
rundll32.exedescription pid process target process PID 3680 wrote to memory of 2300 3680 rundll32.exe rundll32.exe PID 3680 wrote to memory of 2300 3680 rundll32.exe rundll32.exe PID 3680 wrote to memory of 2300 3680 rundll32.exe rundll32.exe
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\80cfabe6a394c7737a22d5ea72c604fb65fb6b66e979e848d07507343fbdb705.dll,#11⤵
- Suspicious use of WriteProcessMemory
PID:3680 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\80cfabe6a394c7737a22d5ea72c604fb65fb6b66e979e848d07507343fbdb705.dll,#12⤵
- Suspicious behavior: EnumeratesProcesses
PID:2300 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2300 -s 8003⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3616
-
-