Overview

overview

10

Static

static

1370172.dll

windows7_x64

10

1370172.dll

windows10-2004_x64

10

Analysis

  • max time kernel
    150s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220113
  • submitted
    14-03-2022 15:26

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1370172.dll

  • Size

    399KB

  • MD5

    bee96f2bf1aaedbf6ca05ae03f039531

  • SHA1

    4232ccc27db99e0897f59cbc766165c7a4947d19

  • SHA256

    aadc30f0d12f15af7c84ec0a68d89a801b789a85e3903401f7e9c9ddbecd7be1

  • SHA512

    3f794543588b0d6508311c8841185679023d140f898876ad4dbda884a71949194ca363d885c2ac71d7b286b40831002e7398c281180a5a65591a2ad06310d33c

Score
10/10
qakbotobama1661647242571bankerstealertrojan

Malware Config

Extracted

Family

qakbot

Version

403.549

Botnet

obama166

Campaign

1647242571

C2

103.87.95.131:2222

87.109.242.89:995

76.169.147.192:32103

91.177.173.10:995

75.159.9.236:443

39.52.55.202:995

86.184.85.199:443

172.114.160.81:995

92.99.229.158:2222

76.25.142.196:443

78.100.227.241:2222

175.145.235.37:443

67.209.195.198:443

78.100.194.196:6883

217.128.122.65:2222

103.230.180.119:443

120.150.218.241:995

177.207.67.234:993

39.49.32.57:995

141.237.82.15:995
Attributes
  • salt

    jHxastDcds)oMc=jvh7wdUhxcsdt2

Signatures

  • Qakbot/Qbot

    Qbot or Qakbot is a sophisticated worm with banking capabilities.

    trojanbankerstealerqakbot
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Windows\system32\regsvr32.exe
    regsvr32 /s C:\Users\Admin\AppData\Local\Temp\1370172.dll
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:620
    • C:\Windows\SysWOW64\regsvr32.exe
      /s C:\Users\Admin\AppData\Local\Temp\1370172.dll
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:868
      • C:\Windows\SysWOW64\explorer.exe
        C:\Windows\SysWOW64\explorer.exe
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:4804

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/868-130-0x0000000010000000-0x000000001006C000-memory.dmp
    Filesize

    432KB

    Download
  • memory/4804-136-0x0000000000F00000-0x0000000000F6C000-memory.dmp
    Filesize

    432KB

    Download