Overview

overview

10

Static

static

9

75fe69b315...01.dll

windows7_x64

10

75fe69b315...01.dll

windows10-2004_x64

10

Analysis

  • max time kernel
    4294188s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20220223-en
  • submitted
    09-03-2022 15:30

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    75fe69b3150f41b953bab2d227ac2c06a056d333be859ae28908280075eedb01.dll

  • Size

    2.1MB

  • MD5

    ff00de713a07cff7c785fef8139033cc

  • SHA1

    50badd84c1d45d73adf41515240b7e4fa0cb956e

  • SHA256

    75fe69b3150f41b953bab2d227ac2c06a056d333be859ae28908280075eedb01

  • SHA512

    c129831ab8fa475743ca893d72ae734b527dba95d800e92551c2c1a68c6025b739d5d263f7a3fcb2187003adb05adc7d48fcd4ffc60417c5869bf0d046eb6ac1

Score
10/10
qakbotnotset1607006214bankerstealertrojan

Malware Config

Extracted

Family

qakbot

Version

401.62

Botnet

notset

Campaign

1607006214

C2

96.227.127.13:443

174.20.161.243:995

83.196.50.197:2222

116.240.78.45:995

80.11.5.65:2222

181.169.88.203:443

72.252.201.69:443

94.69.242.254:2222

187.213.136.249:995

96.27.47.70:2222

78.181.19.134:443

71.182.142.63:443

178.222.114.132:995

68.134.181.98:443

172.87.134.226:443

217.133.54.140:32100

151.56.214.79:443

72.240.200.181:2222

41.233.153.21:993

87.27.110.90:2222
Attributes
  • salt

    jHxastDcds)oMc=jvh7wdUhxcsdt2

Signatures

  • Qakbot/Qbot

    Qbot or Qakbot is a sophisticated worm with banking capabilities.

    trojanbankerstealerqakbot
  • Loads dropped DLL 1 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of WriteProcessMemory 29 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\75fe69b3150f41b953bab2d227ac2c06a056d333be859ae28908280075eedb01.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1116
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\75fe69b3150f41b953bab2d227ac2c06a056d333be859ae28908280075eedb01.dll,#1
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:1796
      • C:\Windows\SysWOW64\explorer.exe
        C:\Windows\SysWOW64\explorer.exe
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:968
        • C:\Windows\SysWOW64\schtasks.exe
          "C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn dfpmwvyh /tr "regsvr32.exe -s \"C:\Users\Admin\AppData\Local\Temp\75fe69b3150f41b953bab2d227ac2c06a056d333be859ae28908280075eedb01.dll\"" /SC ONCE /Z /ST 15:33 /ET 15:45
          4⤵
          • Creates scheduled task(s)
          PID:664
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {C09F9FBD-B534-4979-9D7D-28EB52EA3CDC} S-1-5-18:NT AUTHORITY\System:Service:
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1484
    • C:\Windows\system32\regsvr32.exe
      regsvr32.exe -s "C:\Users\Admin\AppData\Local\Temp\75fe69b3150f41b953bab2d227ac2c06a056d333be859ae28908280075eedb01.dll"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1176
      • C:\Windows\SysWOW64\regsvr32.exe
        -s "C:\Users\Admin\AppData\Local\Temp\75fe69b3150f41b953bab2d227ac2c06a056d333be859ae28908280075eedb01.dll"
        3⤵
        • Loads dropped DLL
        PID:1508

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\75fe69b3150f41b953bab2d227ac2c06a056d333be859ae28908280075eedb01.dll
    MD5

    6523b4db806ac9ae567bddfc4bcd0dae

    SHA1

    03bd9c4ac900d48e227d24cbfd707c2062afc126

    SHA256

    73333d0f1516404f5dbaec38b8cd5c58658de374ff6c3532ce099492a668027f

    SHA512

    1a96557e2bc33cb0fc4ba5134622f7f1f12faa0835653926706fcc712d763f59ec5ab60a91bb5334ce8b53307cae8673380cf4e0a5ad1497837b2a7e30c8b749

    Download Submit
  • \Users\Admin\AppData\Local\Temp\75fe69b3150f41b953bab2d227ac2c06a056d333be859ae28908280075eedb01.dll
    MD5

    6523b4db806ac9ae567bddfc4bcd0dae

    SHA1

    03bd9c4ac900d48e227d24cbfd707c2062afc126

    SHA256

    73333d0f1516404f5dbaec38b8cd5c58658de374ff6c3532ce099492a668027f

    SHA512

    1a96557e2bc33cb0fc4ba5134622f7f1f12faa0835653926706fcc712d763f59ec5ab60a91bb5334ce8b53307cae8673380cf4e0a5ad1497837b2a7e30c8b749

    Download Submit
  • memory/968-55-0x0000000000080000-0x0000000000082000-memory.dmp
    Filesize

    8KB

    Download
  • memory/968-58-0x00000000745C1000-0x00000000745C3000-memory.dmp
    Filesize

    8KB

    Download
  • memory/968-61-0x0000000000350000-0x00000000005D1000-memory.dmp
    Filesize

    2.5MB

    Download
  • memory/968-62-0x00000000000D0000-0x00000000000F1000-memory.dmp
    Filesize

    132KB

    Download
  • memory/1176-63-0x000007FEFB871000-0x000007FEFB873000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1796-54-0x0000000075281000-0x0000000075283000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1796-59-0x0000000002240000-0x000000000242A000-memory.dmp
    Filesize

    1.9MB

    Download
  • memory/1796-60-0x0000000010000000-0x0000000010021000-memory.dmp
    Filesize

    132KB

    Download