Overview

overview

10

Static

static

qjnndpxjfqujk.dll

windows7_x64

10

qjnndpxjfqujk.dll

windows11_x64

10

qjnndpxjfqujk.dll

windows10_x64

10

Resubmissions

28-09-2021 20:53

210928-zpnhwsdber 10

27-09-2021 12:01

210927-n666saggg2 10

Analysis

  • max time kernel
    899s
  • max time network
    1604s
  • platform
    windows11_x64
  • resource
    win11
  • submitted
    28-09-2021 20:53

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    qjnndpxjfqujk.dll

  • Size

    489KB

  • MD5

    2c7fe65874005a9f4d3e455ad1a8547b

  • SHA1

    e5c78ee1be97d61ea6acff4e3d433577b2fab96c

  • SHA256

    46be6fc385ff5dbeb439bf46ec27f868034f499a49524120a7692a1170469c91

  • SHA512

    ac8b0cc51c9f54401de36c3101c245d678c85c3d04f2356bf7403f3fc511a356d11f66df6fd76d9f7f5e73a7c95c1f1e13298a7cd07383c2fed675d611970207

Score
10/10
qakbotnotset1632476965bankerstealertrojan

Malware Config

Extracted

Family

qakbot

Version

402.343

Botnet

notset

Campaign

1632476965

C2

136.232.34.70:443

216.201.162.158:443

92.59.35.196:2222

105.198.236.99:443

185.250.148.74:443

73.77.87.137:443

196.218.227.241:995

103.148.120.144:443

120.150.218.241:995

47.22.148.6:443

140.82.49.12:443

71.74.12.34:443

27.223.92.142:995

76.25.142.196:443

95.77.223.148:443

75.188.35.168:443

96.37.113.36:993

173.21.10.71:2222

45.46.53.140:2222

73.151.236.31:443

Signatures

  • Qakbot/Qbot

    Qbot or Qakbot is a sophisticated worm with banking capabilities.

    trojanbankerstealerqakbot
  • Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs
  • Program crash 1 IoCs
  • Checks processor information in registry 2 TTPs 7 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Modifies data under HKEY_USERS 43 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\qjnndpxjfqujk.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3552
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\qjnndpxjfqujk.dll,#1
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:4684
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4684 -s 572
        3⤵
        • Program crash
        • Checks processor information in registry
        • Enumerates system info in registry
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4764
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4684 -ip 4684
    1⤵
    • Suspicious use of NtCreateProcessExOtherParentProcess
    • Suspicious use of WriteProcessMemory
    PID:4912
  • C:\Windows\System32\sihclient.exe
    C:\Windows\System32\sihclient.exe /cv pVzHgpXms02TJxnTGiup5w.0.2
    1⤵
    • Modifies data under HKEY_USERS
    PID:5004
  • C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
    1⤵
    • Modifies data under HKEY_USERS
    PID:4620
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
    1⤵
      PID:4124

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Credential Access

    Discovery

    Query Registry

    2
    T1012

    System Information Discovery

    2
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/4620-155-0x0000016454990000-0x0000016454994000-memory.dmp
      Filesize

      16KB

      Download
    • memory/4620-150-0x0000016451980000-0x0000016451990000-memory.dmp
      Filesize

      64KB

      Download
    • memory/4620-151-0x0000016452360000-0x0000016452370000-memory.dmp
      Filesize

      64KB

      Download
    • memory/4620-152-0x0000016454960000-0x0000016454964000-memory.dmp
      Filesize

      16KB

      Download
    • memory/4620-153-0x0000016454C50000-0x0000016454C54000-memory.dmp
      Filesize

      16KB

      Download
    • memory/4620-154-0x0000016454C10000-0x0000016454C11000-memory.dmp
      Filesize

      4KB

      Download
    • memory/4620-156-0x0000016454980000-0x0000016454981000-memory.dmp
      Filesize

      4KB

      Download
    • memory/4620-157-0x0000016454980000-0x0000016454984000-memory.dmp
      Filesize

      16KB

      Download
    • memory/4620-158-0x0000016454860000-0x0000016454861000-memory.dmp
      Filesize

      4KB

      Download
    • memory/4684-147-0x0000000003390000-0x0000000003391000-memory.dmp
      Filesize

      4KB

      Download
    • memory/4684-148-0x0000000003420000-0x0000000003440000-memory.dmp
      Filesize

      128KB

      Download
    • memory/4684-149-0x0000000004E10000-0x0000000004E31000-memory.dmp
      Filesize

      132KB

      Download
    • memory/4684-146-0x0000000000000000-mapping.dmp
      Download