Overview

overview

10

Static

static

ocrafh.html.dll

windows7_x64

10

ocrafh.html.dll

windows10_x64

10

Analysis

  • max time kernel
    130s
  • max time network
    114s
  • platform
    windows10_x64
  • resource
    win10v20210408
  • submitted
    12-10-2021 13:05

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ocrafh.html.dll

  • Size

    819KB

  • MD5

    2897721785645ad5b2a8fb524ed650c0

  • SHA1

    d836fa75f0682b4c393418231aefca97169d551e

  • SHA256

    956ecb4afa437eafe56f958b34b6a78303ad626baee004715dc6634b7546bf85

  • SHA512

    f40e3cd7ab855c3d5513efb0c84b831a538226a8baa7d743368989dcb5461b3d0ef7dd5cdd9a538a48835aebe60044e9bfdc063e5fb19cce7fecabe213c2786a

Score
10/10
qakbottr1633597626bankerstealertrojan

Malware Config

Extracted

Family

qakbot

Version

402.363

Botnet

tr

Campaign

1633597626

C2

120.150.218.241:995

185.250.148.74:443

89.137.52.44:443

66.103.170.104:2222

86.8.177.143:443

216.201.162.158:443

174.54.193.186:443

103.148.120.144:443

188.50.169.158:443

124.123.42.115:2222

140.82.49.12:443

199.27.127.129:443

81.241.252.59:2078

209.142.97.161:995

209.50.20.255:443

73.230.205.91:443

200.232.214.222:995

103.142.10.177:443

2.222.167.138:443

41.228.22.180:443

Signatures

  • Qakbot/Qbot

    Qbot or Qakbot is a sophisticated worm with banking capabilities.

    trojanbankerstealerqakbot
  • Loads dropped DLL 1 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\ocrafh.html.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:532
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\ocrafh.html.dll,#1
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:3156
      • C:\Windows\SysWOW64\explorer.exe
        C:\Windows\SysWOW64\explorer.exe
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3016
        • C:\Windows\SysWOW64\schtasks.exe
          "C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn aernstdhol /tr "regsvr32.exe -s \"C:\Users\Admin\AppData\Local\Temp\ocrafh.html.dll\"" /SC ONCE /Z /ST 20:24 /ET 20:36
          4⤵
          • Creates scheduled task(s)
          PID:3600
  • \??\c:\windows\system32\regsvr32.exe
    regsvr32.exe -s "C:\Users\Admin\AppData\Local\Temp\ocrafh.html.dll"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2004
    • C:\Windows\SysWOW64\regsvr32.exe
      -s "C:\Users\Admin\AppData\Local\Temp\ocrafh.html.dll"
      2⤵
      • Loads dropped DLL
      PID:2124

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/3016-123-0x0000000000160000-0x0000000000161000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3016-120-0x0000000000960000-0x0000000000981000-memory.dmp

    Filesize

    132KB

    Download

  • memory/3016-122-0x0000000000160000-0x0000000000161000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3156-118-0x00000000034F0000-0x00000000034F1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3156-116-0x0000000074240000-0x0000000074261000-memory.dmp

    Filesize

    132KB

    Download

  • memory/3156-117-0x0000000074240000-0x00000000743B1000-memory.dmp

    Filesize

    1.4MB

    Download

  • memory/3156-115-0x0000000074240000-0x00000000743B1000-memory.dmp

    Filesize

    1.4MB

    Download