Overview

overview

10

Static

static

1312.gif.dll

windows7_x64

10

1312.gif.dll

windows10_x64

10

Analysis

  • max time kernel
    149s
  • max time network
    112s
  • platform
    windows10_x64
  • resource
    win10v20210408
  • submitted
    07-05-2021 06:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1312.gif.dll

  • Size

    2.0MB

  • MD5

    ec11ad0b0b09671b0e1d33a0426fc545

  • SHA1

    f3527e4bbb1f3ea8db2365824c41cd0fac0bdf44

  • SHA256

    caf0413ce43dd36aad32438727ff41ae1b9cd3243e240a21474e606572e35712

  • SHA512

    7953df254175a8db3a16ca079bb770845bb931701ae7ff77274a2d45e26deb5e5456ecbc4053a02d65cc5b806e1442b3395075473efeb583affbeeae20e4463a

Score
10/10
qakbottr021607955641bankerstealertrojan

Malware Config

Extracted

Family

qakbot

Version

401.78

Botnet

tr02

Campaign

1607955641

C2

120.151.95.167:443

47.44.217.98:443

32.212.117.188:443

184.97.145.239:443

86.121.3.80:443

83.110.97.149:443

83.194.193.247:2222

105.198.236.101:443

35.134.202.234:443

189.62.175.92:22

2.89.122.157:443

78.97.207.104:443

208.93.202.41:443

45.118.216.157:443

5.204.148.208:995

5.15.226.81:443

66.26.160.37:443

84.78.128.76:2222

80.106.85.24:2222

108.31.15.10:995

Signatures

  • Qakbot/Qbot

    Qbot or Qakbot is a sophisticated worm with banking capabilities.

    trojanbankerstealerqakbot
  • Loads dropped DLL 1 IoCs
  • Program crash 1 IoCs
  • Checks SCSI registry key(s) 3 TTPs 6 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 17 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\1312.gif.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:808
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\1312.gif.dll,#1
      2⤵
      • Checks SCSI registry key(s)
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:1184
      • C:\Windows\SysWOW64\explorer.exe
        C:\Windows\SysWOW64\explorer.exe
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:204
        • C:\Windows\SysWOW64\schtasks.exe
          "C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn enkejhjs /tr "regsvr32.exe -s \"C:\Users\Admin\AppData\Local\Temp\1312.gif.dll\"" /SC ONCE /Z /ST 08:09 /ET 08:21
          4⤵
          • Creates scheduled task(s)
          PID:4044
  • \??\c:\windows\system32\regsvr32.exe
    regsvr32.exe -s "C:\Users\Admin\AppData\Local\Temp\1312.gif.dll"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2820
    • C:\Windows\SysWOW64\regsvr32.exe
      -s "C:\Users\Admin\AppData\Local\Temp\1312.gif.dll"
      2⤵
      • Loads dropped DLL
      PID:3552
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 3552 -s 596
        3⤵
        • Program crash
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2156

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1
T1012

Peripheral Device Discovery

1
T1120

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\1312.gif.dll
    MD5

    7fa71d3adffd18c2f7038dbeaef014b3

    SHA1

    af502b52ecb72f48fe5ef1119607ea4f422be242

    SHA256

    c468670d8b78a054cd22e4aac5853e91383d35a7472f64d46898b4236f88e937

    SHA512

    a2572720d657e868d1abb652f0d2cbc0569f55f9ff8fbb47ac9655179d01e425aa69ee82ebbb81935efc8ebe77c4bec43019542d87743d002c4ef6688e948694

    Download Submit
  • \Users\Admin\AppData\Local\Temp\1312.gif.dll
    MD5

    7fa71d3adffd18c2f7038dbeaef014b3

    SHA1

    af502b52ecb72f48fe5ef1119607ea4f422be242

    SHA256

    c468670d8b78a054cd22e4aac5853e91383d35a7472f64d46898b4236f88e937

    SHA512

    a2572720d657e868d1abb652f0d2cbc0569f55f9ff8fbb47ac9655179d01e425aa69ee82ebbb81935efc8ebe77c4bec43019542d87743d002c4ef6688e948694

    Download Submit
  • memory/204-117-0x0000000000000000-mapping.dmp
    Download
  • memory/204-121-0x0000000000720000-0x0000000000741000-memory.dmp
    Filesize

    132KB

    Download
  • memory/1184-114-0x0000000000000000-mapping.dmp
    Download
  • memory/1184-115-0x0000000004720000-0x000000000490A000-memory.dmp
    Filesize

    1.9MB

    Download
  • memory/1184-116-0x0000000010000000-0x0000000010214000-memory.dmp
    Filesize

    2.1MB

    Download
  • memory/3552-123-0x0000000000000000-mapping.dmp
    Download
  • memory/4044-118-0x0000000000000000-mapping.dmp
    Download