Overview

overview

10

Static

static

10

4ad0847940...6d.dll

windows7_x64

10

4ad0847940...6d.dll

windows10-2004_x64

10

Analysis

  • max time kernel
    130s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    14-02-2022 16:44

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    4ad08479406d40989ce7fdb6a49bf3d180da5b3d43f770171134d682f3e3786d.dll

  • Size

    324KB

  • MD5

    0e6c166f3a55ab04be19c0211fc08369

  • SHA1

    be8510e4a362517b498f01d1717764db50fbf8f0

  • SHA256

    4ad08479406d40989ce7fdb6a49bf3d180da5b3d43f770171134d682f3e3786d

  • SHA512

    bbaba25aa828781719b4b63a36c50792defe80803b0211cd4920f79c728da075b16512d07f8879a89dbb1f001ee56bd6617e026683821e037ba76d6bdb7fec51

Score
10/10
qakbotabc1001606289576bankerstealertrojan

Malware Config

Extracted

Family

qakbot

Version

401.29

Botnet

abc100

Campaign

1606289576

C2

198.2.35.226:2222

84.78.128.76:2078

120.150.34.178:443

24.201.61.153:2078

217.128.117.218:2222

217.133.54.140:32100

156.205.56.98:995

98.26.50.62:995

172.114.116.226:995

109.209.94.165:2222

72.190.101.70:443

92.59.35.196:2083

37.107.82.136:443

85.132.36.111:2222

174.76.11.123:995

219.74.176.225:443

98.118.156.172:443

94.59.120.142:443

72.29.181.78:2078

178.223.20.246:995
Attributes
  • salt

    jHxastDcds)oMc=jvh7wdUhxcsdt2

Signatures

  • Qakbot/Qbot

    Qbot or Qakbot is a sophisticated worm with banking capabilities.

    trojanbankerstealerqakbot
  • Loads dropped DLL 1 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of WriteProcessMemory 29 IoCs

Processes

  • C:\Windows\system32\regsvr32.exe
    regsvr32 /s C:\Users\Admin\AppData\Local\Temp\4ad08479406d40989ce7fdb6a49bf3d180da5b3d43f770171134d682f3e3786d.dll
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1088
    • C:\Windows\SysWOW64\regsvr32.exe
      /s C:\Users\Admin\AppData\Local\Temp\4ad08479406d40989ce7fdb6a49bf3d180da5b3d43f770171134d682f3e3786d.dll
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:1760
      • C:\Windows\SysWOW64\explorer.exe
        C:\Windows\SysWOW64\explorer.exe
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1876
        • C:\Windows\SysWOW64\schtasks.exe
          "C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn tvsjagklsc /tr "regsvr32.exe -s \"C:\Users\Admin\AppData\Local\Temp\4ad08479406d40989ce7fdb6a49bf3d180da5b3d43f770171134d682f3e3786d.dll\"" /SC ONCE /Z /ST 16:46 /ET 16:58
          4⤵
          • Creates scheduled task(s)
          PID:800
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {1E89E961-56ED-4082-B808-E89508D606A6} S-1-5-18:NT AUTHORITY\System:Service:
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1884
    • C:\Windows\system32\regsvr32.exe
      regsvr32.exe -s "C:\Users\Admin\AppData\Local\Temp\4ad08479406d40989ce7fdb6a49bf3d180da5b3d43f770171134d682f3e3786d.dll"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1380
      • C:\Windows\SysWOW64\regsvr32.exe
        -s "C:\Users\Admin\AppData\Local\Temp\4ad08479406d40989ce7fdb6a49bf3d180da5b3d43f770171134d682f3e3786d.dll"
        3⤵
        • Loads dropped DLL
        PID:2000

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\4ad08479406d40989ce7fdb6a49bf3d180da5b3d43f770171134d682f3e3786d.dll
    MD5

    4c8bab570bf36475fd82cc3ca34e6260

    SHA1

    6071db0c34d7e7e8bd717a26c1bdd02e33d9ca9a

    SHA256

    43bc46e1c35d2acb0d59022795b868eaeb778de28d11188d3b8fb2954f7a5da6

    SHA512

    a0ab79c8a4d9ca1d22ac15ccd56943c359c06f197a7db3d51a035c547c99b6cabd9032680ac458cc1a703d42e26efadb7ce9d0105aeb6cf20ee9eb278a01423a

    Download Submit
  • \Users\Admin\AppData\Local\Temp\4ad08479406d40989ce7fdb6a49bf3d180da5b3d43f770171134d682f3e3786d.dll
    MD5

    4c8bab570bf36475fd82cc3ca34e6260

    SHA1

    6071db0c34d7e7e8bd717a26c1bdd02e33d9ca9a

    SHA256

    43bc46e1c35d2acb0d59022795b868eaeb778de28d11188d3b8fb2954f7a5da6

    SHA512

    a0ab79c8a4d9ca1d22ac15ccd56943c359c06f197a7db3d51a035c547c99b6cabd9032680ac458cc1a703d42e26efadb7ce9d0105aeb6cf20ee9eb278a01423a

    Download Submit
  • memory/1088-54-0x000007FEFBAD1000-0x000007FEFBAD3000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1760-55-0x0000000075341000-0x0000000075343000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1876-56-0x00000000000A0000-0x00000000000A2000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1876-58-0x00000000744E1000-0x00000000744E3000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1876-59-0x0000000000CE0000-0x0000000000CE1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1876-60-0x0000000000080000-0x00000000000A0000-memory.dmp
    Filesize

    128KB

    Download