Static task: static1
Behavioral task: behavioral1
  Sample: 0944f12d7f4a22a32861cc3e102aff14e3105e91f99d16e32efca811417c3bab.dll
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 0944f12d7f4a22a32861cc3e102aff14e3105e91f99d16e32efca811417c3bab.dll
  Resource: win10v2004-en-20220112
General
- Target: 0944f12d7f4a22a32861cc3e102aff14e3105e91f99d16e32efca811417c3bab
- Size: 196KB
- MD5: 67ef55c53b9db71ee0288367fc7a226f
- SHA1: 1686e2acce550535c389084adc3e37e2e3936d97
- SHA256: 0944f12d7f4a22a32861cc3e102aff14e3105e91f99d16e32efca811417c3bab
- SHA512: 472907cc5fa25ac8ab1ca3ed2a80985aa616f988502c0efb20b32f1fd41bb417508d77f82afc56e465621727d96de2629b7d1680e31b0204b7db3d8c450a268a
- SSDEEP: 3072:nS/eQ/eI4ZSKpEosvuTWH36rFxkslaL0Z7TOnBm8ZwFWOTBf6tj/QABsxks9hh:naD/RZXHqPu0NTm/CFWOTBCtjxsxksl
Malware Config
Extracted
qakbot
325.42
tr01
1597139892
Signatures
- Qakbot family
Files
- 0944f12d7f4a22a32861cc3e102aff14e3105e91f99d16e32efca811417c3bab.dll windows x86
  1b2f762581c29a6319f5f951fa133f6f
Code Sign
Headers
DLL Characteristics
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
File Characteristics
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
Imports
msvcrt
_wcsicmp
_HUGE
localeconv
malloc
free
qsort
_time64
memcpy
memmove
strncpy
memset
strncmp
_vsnwprintf
_vsnprintf
atol
strchr
_snprintf
_strtoi64
_errno
memchr
strtod
psapi
GetModuleFileNameExW
ws2_32
connect
getsockname
send
ntohs
gethostbyname
setsockopt
select
WSAGetLastError
recv
socket
__WSAFDIsSet
closesocket
inet_addr
WSAStartup
inet_ntoa
ioctlsocket
htons
gethostbyaddr
shell32
SHGetFolderPathW
shlwapi
StrStrIW
StrCmpNA
ole32
CoSetProxyBlanket
CoInitializeEx
CoTaskMemFree
CoInitialize
CoInitializeSecurity
CoUninitialize
CoCreateInstance
kernel32
Process32NextW
SwitchToThread
lstrcmpA
GetCurrentProcess
SleepEx
GetCurrentThread
TerminateThread
Sleep
GetExitCodeThread
CreateMutexA
DuplicateHandle
lstrlenA
lstrcatA
lstrcpyA
TerminateProcess
ResumeThread
lstrcatW
lstrcpynW
lstrlenW
lstrcmpiW
ConnectNamedPipe
ReadFile
DisconnectNamedPipe
GetLastError
CreateNamedPipeA
ExitProcess
WaitForSingleObject
CreateEventA
GetProcessId
CloseHandle
GetEnvironmentVariableW
SetEnvironmentVariableW
SetThreadPriority
GetCurrentThreadId
GetCurrentProcessId
CreateFileW
CreateThread
CreateDirectoryW
MoveFileW
GetComputerNameW
InitializeCriticalSection
LeaveCriticalSection
EnterCriticalSection
WaitForMultipleObjects
DeleteCriticalSection
DeleteFileW
lstrcpynA
GetVersionExA
lstrcmpiA
GetFileSize
QueryPerformanceCounter
QueryPerformanceFrequency
HeapReAlloc
HeapAlloc
HeapFree
GetProcessHeap
GetACP
MultiByteToWideChar
ReleaseMutex
FreeLibrary
GetModuleHandleW
LoadLibraryW
CopyFileW
GetProcAddress
WideCharToMultiByte
GetEnvironmentVariableA
GetSystemTimeAsFileTime
LoadLibraryA
HeapCreate
OpenProcess
GetModuleHandleA
SetLastError
CreateProcessW
GetExitCodeProcess
Process32FirstW
CreatePipe
FindFirstFileW
GetFileAttributesW
FindNextFileW
SetFileAttributesW
SystemTimeToFileTime
GetSystemTime
lstrcmpW
LocalAlloc
SetFilePointer
GetLocalTime
WriteFile
FlushFileBuffers
SetEvent
OpenEventA
GetTickCount
GetModuleFileNameW
GetSystemInfo
SetEnvironmentVariableA
GetWindowsDirectoryW
VirtualAlloc
InterlockedIncrement
user32
GetSystemMetrics
FindWindowA
PostMessageA
CharUpperBuffA
MessageBoxA
advapi32
GetSidSubAuthority
RegCloseKey
GetUserNameW
LookupAccountSidW
GetSecurityDescriptorSacl
SetSecurityInfo
ConvertStringSecurityDescriptorToSecurityDescriptorW
SetSecurityDescriptorDacl
InitializeSecurityDescriptor
GetTokenInformation
GetSidSubAuthorityCount
OpenThreadToken
OpenProcessToken
RegEnumValueW
RegQueryInfoKeyW
RegSetValueExW
RegOpenKeyExW
RegDeleteValueW
EqualSid
IsTextUnicode
CryptAcquireContextA
oleaut32
SafeArrayGetUBound
SafeArrayGetElement
SafeArrayDestroy
SafeArrayGetLBound
SysAllocString
SysFreeString
VariantInit
VariantClear
Sections
.text Size: 130KB - Virtual size: 129KB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
.rdata Size: 50KB - Virtual size: 49KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.data Size: 3KB - Virtual size: 14KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.rsrc Size: 3KB - Virtual size: 3KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.reloc Size: 8KB - Virtual size: 8KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ