Overview

overview

10

Static

static

test.test.dll

windows7_x64

10

test.test.dll

windows10_x64

10

Resubmissions

11-10-2021 15:49

211011-s9gshshfbl 10

11-10-2021 14:07

211011-rfgd8ahdfq 10

Analysis

  • max time kernel
    1796s
  • max time network
    1800s
  • platform
    windows7_x64
  • resource
    win7-en-20210920
  • submitted
    11-10-2021 15:49

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    test.test.dll

  • Size

    820KB

  • MD5

    398b4b11bd10b155bead7267c48fc869

  • SHA1

    8c9338c72a4cbe4fe6929a2f16d506e171663a62

  • SHA256

    b6d65b22a0051227b29f30dd4833753925332ff3727e392ed6d2223b36f1cc1d

  • SHA512

    47fa82af74952ebc0424d087bfe7d3ba31713568f83b261e0d8ff75adee42458b471c79ac1172b25aa484f8b507f3ea90b55d51987df93540470e04a06c4a92f

Score
10/10
qakbottr1633597626bankerevasionstealertrojan

Malware Config

Extracted

Family

qakbot

Version

402.363

Botnet

tr

Campaign

1633597626

C2

120.150.218.241:995

185.250.148.74:443

89.137.52.44:443

66.103.170.104:2222

86.8.177.143:443

216.201.162.158:443

174.54.193.186:443

103.148.120.144:443

188.50.169.158:443

124.123.42.115:2222

140.82.49.12:443

199.27.127.129:443

81.241.252.59:2078

209.142.97.161:995

209.50.20.255:443

73.230.205.91:443

200.232.214.222:995

103.142.10.177:443

2.222.167.138:443

41.228.22.180:443

Signatures

  • Qakbot/Qbot

    Qbot or Qakbot is a sophisticated worm with banking capabilities.

    trojanbankerstealerqakbot
  • Windows security bypass 2 TTPs
    evasiontrojan
  • Loads dropped DLL 1 IoCs
  • Drops file in System32 directory 6 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies data under HKEY_USERS 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of WriteProcessMemory 55 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\test.test.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1144
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\test.test.dll,#1
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:860
      • C:\Windows\SysWOW64\explorer.exe
        C:\Windows\SysWOW64\explorer.exe
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:680
        • C:\Windows\SysWOW64\schtasks.exe
          "C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn xmhhyeed /tr "regsvr32.exe -s \"C:\Users\Admin\AppData\Local\Temp\test.test.dll\"" /SC ONCE /Z /ST 15:51 /ET 16:03
          4⤵
          • Creates scheduled task(s)
          PID:540
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {E4DC42AD-4815-42FB-B3E4-1F826B2E5053} S-1-5-18:NT AUTHORITY\System:Service:
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1260
    • C:\Windows\system32\regsvr32.exe
      regsvr32.exe -s "C:\Users\Admin\AppData\Local\Temp\test.test.dll"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:836
      • C:\Windows\SysWOW64\regsvr32.exe
        -s "C:\Users\Admin\AppData\Local\Temp\test.test.dll"
        3⤵
        • Loads dropped DLL
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of WriteProcessMemory
        PID:1052
        • C:\Windows\SysWOW64\explorer.exe
          C:\Windows\SysWOW64\explorer.exe
          4⤵
          • Drops file in System32 directory
          • Modifies data under HKEY_USERS
          • Suspicious use of WriteProcessMemory
          PID:1716
          • C:\Windows\system32\reg.exe
            C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\ProgramData\Microsoft\Tuxxzejueuu" /d "0"
            5⤵
              PID:1368
            • C:\Windows\system32\reg.exe
              C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\Users\Admin\AppData\Roaming\Microsoft\Nryngceudyam" /d "0"
              5⤵
                PID:1828
      • C:\Windows\system32\taskeng.exe
        taskeng.exe {EF0403EC-06BC-47B7-873B-7B3723897183} S-1-5-18:NT AUTHORITY\System:Service:
        1⤵
        • Suspicious use of WriteProcessMemory
        PID:1172
        • C:\Windows\system32\regsvr32.exe
          regsvr32.exe -s "C:\Users\Admin\AppData\Local\Temp\test.test.dll"
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:1816
          • C:\Windows\SysWOW64\regsvr32.exe
            -s "C:\Users\Admin\AppData\Local\Temp\test.test.dll"
            3⤵
              PID:1492

        Network

        MITRE ATT&CK Matrix ATT&CK v6

        Initial Access

        Execution

        Scheduled Task

        1
        T1053

        Persistence

        Scheduled Task

        1
        T1053

        Privilege Escalation

        Scheduled Task

        1
        T1053

        Defense Evasion

        Disabling Security Tools

        1
        T1089

        Modify Registry

        1
        T1112

        Credential Access

        Discovery

        Lateral Movement

        Collection

        Exfiltration

        Command and Control

        Impact

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\test.test.dll
          MD5

          398b4b11bd10b155bead7267c48fc869

          SHA1

          8c9338c72a4cbe4fe6929a2f16d506e171663a62

          SHA256

          b6d65b22a0051227b29f30dd4833753925332ff3727e392ed6d2223b36f1cc1d

          SHA512

          47fa82af74952ebc0424d087bfe7d3ba31713568f83b261e0d8ff75adee42458b471c79ac1172b25aa484f8b507f3ea90b55d51987df93540470e04a06c4a92f

          Download Submit
        • C:\Users\Admin\AppData\Local\Temp\test.test.dll
          MD5

          0aa7f635b14a48dd6e4a770e5d5a43f8

          SHA1

          3f0c55fa62843de2631084b79309181bfef5f1e0

          SHA256

          f5a865d1d477d59c9996ed8771329fe546a5cfe62cb8f8f2bcdecb9f9ff85184

          SHA512

          aec7c13e64832cbfe792ab40c6275058c25c586d8a07a5618b40b0d198fe6aaf31558f1b272a1ecefdafde4392b600c7b3ca681fec27b7eac06abf1414f871fe

          Download Submit
        • \Users\Admin\AppData\Local\Temp\test.test.dll
          MD5

          398b4b11bd10b155bead7267c48fc869

          SHA1

          8c9338c72a4cbe4fe6929a2f16d506e171663a62

          SHA256

          b6d65b22a0051227b29f30dd4833753925332ff3727e392ed6d2223b36f1cc1d

          SHA512

          47fa82af74952ebc0424d087bfe7d3ba31713568f83b261e0d8ff75adee42458b471c79ac1172b25aa484f8b507f3ea90b55d51987df93540470e04a06c4a92f

          Download Submit
        • memory/540-63-0x0000000000000000-mapping.dmp
          Download
        • memory/680-62-0x0000000074831000-0x0000000074833000-memory.dmp
          Filesize

          8KB

          Download
        • memory/680-64-0x0000000000080000-0x00000000000A1000-memory.dmp
          Filesize

          132KB

          Download
        • memory/680-59-0x00000000000B0000-0x00000000000B2000-memory.dmp
          Filesize

          8KB

          Download
        • memory/680-60-0x0000000000000000-mapping.dmp
          Download
        • memory/836-66-0x000007FEFBC91000-0x000007FEFBC93000-memory.dmp
          Filesize

          8KB

          Download
        • memory/836-65-0x0000000000000000-mapping.dmp
          Download
        • memory/860-58-0x00000000000C0000-0x00000000000C1000-memory.dmp
          Filesize

          4KB

          Download
        • memory/860-57-0x00000000749A0000-0x0000000074B11000-memory.dmp
          Filesize

          1.4MB

          Download
        • memory/860-53-0x0000000000000000-mapping.dmp
          Download
        • memory/860-56-0x00000000749A0000-0x00000000749C1000-memory.dmp
          Filesize

          132KB

          Download
        • memory/860-54-0x0000000076581000-0x0000000076583000-memory.dmp
          Filesize

          8KB

          Download
        • memory/860-55-0x00000000749A0000-0x0000000074B11000-memory.dmp
          Filesize

          1.4MB

          Download
        • memory/1052-72-0x0000000073F20000-0x0000000073F41000-memory.dmp
          Filesize

          132KB

          Download
        • memory/1052-71-0x0000000073F20000-0x0000000074091000-memory.dmp
          Filesize

          1.4MB

          Download
        • memory/1052-73-0x0000000073F20000-0x0000000074091000-memory.dmp
          Filesize

          1.4MB

          Download
        • memory/1052-74-0x0000000000110000-0x0000000000111000-memory.dmp
          Filesize

          4KB

          Download
        • memory/1052-68-0x0000000000000000-mapping.dmp
          Download
        • memory/1368-79-0x0000000000000000-mapping.dmp
          Download
        • memory/1492-85-0x0000000000000000-mapping.dmp
          Download
        • memory/1716-76-0x0000000000000000-mapping.dmp
          Download
        • memory/1716-81-0x0000000000080000-0x00000000000A1000-memory.dmp
          Filesize

          132KB

          Download
        • memory/1816-82-0x0000000000000000-mapping.dmp
          Download
        • memory/1828-80-0x0000000000000000-mapping.dmp
          Download