Overview

overview

10

Static

static

263018d274...17.dll

windows7_x64

10

263018d274...17.dll

windows10-2004_x64

10

Analysis

  • max time kernel
    4294220s
  • max time network
    135s
  • platform
    windows7_x64
  • resource
    win7-20220310-en
  • submitted
    20-03-2022 06:19

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    263018d274b66a6c4b70387be645ae164ea833de8a2505b76eb90b3899bfe917.dll

  • Size

    600KB

  • MD5

    91e8fcdf6706c6afa6541aa71ff62016

  • SHA1

    b2df07d1ed4a2345768da9c42768d1e9edfcbb52

  • SHA256

    263018d274b66a6c4b70387be645ae164ea833de8a2505b76eb90b3899bfe917

  • SHA512

    7e9b55d43aa533b8b7780a1fce53985fcd76295d88e69c82dad185f3482c224301745d397f1d9e1cdde0702cb6f803227cf0b313e44c0f271944a5af4d07e873

Score
10/10
qakbotabc1141608108680bankerstealertrojan

Malware Config

Extracted

Family

qakbot

Version

401.138

Botnet

abc114

Campaign

1608108680

C2

89.240.164.40:2222

80.195.103.146:2222

39.32.147.77:995

95.76.27.6:443

24.138.75.11:443

124.29.232.108:443

2.51.240.250:995

79.129.252.62:2222

5.193.148.126:2078

84.247.55.190:8443

2.50.159.19:2222

37.105.7.219:995

196.204.207.111:443

184.179.14.130:22

203.106.116.190:443

155.186.9.160:443

202.141.225.158:443

172.87.157.235:3389

81.133.234.36:2222

2.91.9.248:443
Attributes
  • salt

    jHxastDcds)oMc=jvh7wdUhxcsdt2

Signatures

  • Qakbot/Qbot

    Qbot or Qakbot is a sophisticated worm with banking capabilities.

    trojanbankerstealerqakbot
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of WriteProcessMemory 29 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\263018d274b66a6c4b70387be645ae164ea833de8a2505b76eb90b3899bfe917.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:616
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\263018d274b66a6c4b70387be645ae164ea833de8a2505b76eb90b3899bfe917.dll,#1
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:1700
      • C:\Windows\SysWOW64\explorer.exe
        C:\Windows\SysWOW64\explorer.exe
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:804
        • C:\Windows\SysWOW64\schtasks.exe
          "C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn vngkxenqgx /tr "regsvr32.exe -s \"C:\Users\Admin\AppData\Local\Temp\263018d274b66a6c4b70387be645ae164ea833de8a2505b76eb90b3899bfe917.dll\"" /SC ONCE /Z /ST 22:37 /ET 22:49
          4⤵
          • Creates scheduled task(s)
          PID:1956
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {C64AE977-0B3D-403A-84A4-7AF5474B5375} S-1-5-18:NT AUTHORITY\System:Service:
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1352
    • C:\Windows\system32\regsvr32.exe
      regsvr32.exe -s "C:\Users\Admin\AppData\Local\Temp\263018d274b66a6c4b70387be645ae164ea833de8a2505b76eb90b3899bfe917.dll"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1044
      • C:\Windows\SysWOW64\regsvr32.exe
        -s "C:\Users\Admin\AppData\Local\Temp\263018d274b66a6c4b70387be645ae164ea833de8a2505b76eb90b3899bfe917.dll"
        3⤵
          PID:552

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Scheduled Task

    1
    T1053

    Persistence

    Scheduled Task

    1
    T1053

    Privilege Escalation

    Scheduled Task

    1
    T1053

    Defense Evasion

    Credential Access

    Discovery

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\263018d274b66a6c4b70387be645ae164ea833de8a2505b76eb90b3899bfe917.dll
      MD5

      bb703e74a6799891dcde14874bfc45ff

      SHA1

      cd4fc3950dd6bb56934945147c3171dd45511181

      SHA256

      9988c0865a5f03771d630264051c55406096001dabdba835c6e9617e302f6e93

      SHA512

      0486ffee120b8b2ba035889e674014ae5c1ee7a491c59a776fda24ea4c3a72e60d4d98d396c632a9c2d7912a57aa7270a6a874a50793a358cdb320ac51171fed

      Download Submit
    • memory/804-57-0x00000000000C0000-0x00000000000C2000-memory.dmp
      Filesize

      8KB

      Download
    • memory/804-60-0x00000000741D1000-0x00000000741D3000-memory.dmp
      Filesize

      8KB

      Download
    • memory/804-61-0x00000000003E0000-0x0000000000661000-memory.dmp
      Filesize

      2.5MB

      Download
    • memory/804-62-0x0000000000080000-0x00000000000B5000-memory.dmp
      Filesize

      212KB

      Download
    • memory/1044-63-0x000007FEFB851000-0x000007FEFB853000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1700-54-0x0000000074DE1000-0x0000000074DE3000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1700-55-0x00000000006D0000-0x0000000000733000-memory.dmp
      Filesize

      396KB

      Download
    • memory/1700-56-0x0000000010000000-0x0000000010098000-memory.dmp
      Filesize

      608KB

      Download