Overview

overview

10

Static

static

10

52321edc0c...eb.dll

windows7_x64

10

52321edc0c...eb.dll

windows10-2004_x64

10

Analysis

  • max time kernel
    145s
  • max time network
    158s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220113
  • submitted
    14-02-2022 16:40

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    52321edc0c5a3fcb824d591c730e7783194ec5e1c0f617b40ffe760a876924eb.dll

  • Size

    167KB

  • MD5

    0c9bef0496980f1304a14e3fa7737146

  • SHA1

    4a40d0bbe792271c0911c09c5cdd577d7e38a399

  • SHA256

    52321edc0c5a3fcb824d591c730e7783194ec5e1c0f617b40ffe760a876924eb

  • SHA512

    a910b0db163f6cec3914096b3b5a05503a3e92cec82fe60e900157a173bdc154c7376bb229b01612b05eb084427ea3820291d66714b00fd9bec7098972aef916

Score
10/10
qakbot1518695014bankerstealertrojan

Malware Config

Extracted

Family

qakbot

Version

322.148

Campaign

1518695014

Credentials

  • Protocol:     ftp
  • Host:
    66.96.133.9
  • Port:
    21
  • Username:
    help
  • Password:
    eT5TerAcnFe6~

  • Protocol:     ftp
  • Host:
    174.123.38.58
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    4BQ1MeeRAwNZEVu

  • Protocol:     ftp
  • Host:
    61.221.12.26
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    346HZGCMlwecz9S

  • Protocol:     ftp
  • Host:
    67.222.137.18
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    p4a8k6fE1FtA3pR

  • Protocol:     ftp
  • Host:
    107.6.152.61
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    RoP4Af0RKAAQ74V
C2

179.62.153.88:443

50.198.141.161:2222

69.129.91.38:443

66.189.228.49:995

96.253.104.73:443

71.183.129.113:443

125.25.130.203:995

173.175.174.154:443

162.104.186.175:995

75.109.222.140:995

68.173.55.51:443

78.175.254.43:443

106.159.251.143:995

47.143.83.172:443

71.190.202.120:443

73.136.232.174:995

96.253.104.73:995

192.158.217.32:22

65.153.16.250:993

70.95.129.59:443

Signatures

  • Qakbot/Qbot

    Qbot or Qakbot is a sophisticated worm with banking capabilities.

    trojanbankerstealerqakbot
  • Drops file in Windows directory 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\52321edc0c5a3fcb824d591c730e7783194ec5e1c0f617b40ffe760a876924eb.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3184
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\52321edc0c5a3fcb824d591c730e7783194ec5e1c0f617b40ffe760a876924eb.dll,#1
      2⤵
        PID:4128
    • C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
      1⤵
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      PID:3392
    • C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
      C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
      1⤵
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      PID:2292

    Network

    MITRE ATT&CK Matrix

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/3392-132-0x00000272F5D80000-0x00000272F5D90000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3392-133-0x00000272F6560000-0x00000272F6570000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3392-134-0x00000272F9160000-0x00000272F9164000-memory.dmp

      Filesize

      16KB

      Download

    • memory/4128-130-0x0000000000B10000-0x0000000000B3F000-memory.dmp

      Filesize

      188KB

      Download