Overview

overview

10

Static

static

twoOtherThen.dll

windows7_x64

10

twoOtherThen.dll

windows10-2004_x64

10

Analysis

  • max time kernel
    150s
  • max time network
    104s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    23-06-2022 16:50

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    twoOtherThen.dll

  • Size

    335KB

  • MD5

    b34091299aae4ff301b3402179adc3cd

  • SHA1

    4e7b94658ba637d4e05ee3fb60480aa4b934d7a0

  • SHA256

    0d0f2885724cb94c9c1ca7c9bb436daca22f3934a4b10010dbaa3d3f51e7dc12

  • SHA512

    bcdc6c19fb90d1b51eb8dfea3dea772051acf9e16eb3db9f742853f17b32b294217d9741555b5b1ed8e92dbf5531266fdbb5bcc72970aaa1b9bd6901d9720494

Score
10/10
qakbotobama1921655969261bankerstealertrojan

Malware Config

Extracted

Family

qakbot

Version

403.780

Botnet

obama192

Campaign

1655969261

C2

100.38.242.113:995

94.59.252.166:2222

74.14.5.179:2222

71.13.93.154:2222

193.253.44.249:2222

108.60.213.141:443

45.241.231.78:993

217.128.122.65:2222

40.134.246.185:995

1.161.124.241:443

70.46.220.114:443

24.43.99.75:443

32.221.224.140:995

80.11.74.81:2222

31.215.184.140:2222

39.49.85.29:995

67.209.195.198:443

186.90.153.162:2222

148.64.96.100:443

67.165.206.193:993
Attributes
  • salt

    jHxastDcds)oMc=jvh7wdUhxcsdt2

Signatures

  • Qakbot/Qbot

    Qbot or Qakbot is a sophisticated worm with banking capabilities.

    trojanbankerstealerqakbot
  • Loads dropped DLL 1 IoCs
  • Drops file in System32 directory 2 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies data under HKEY_USERS 51 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Windows\system32\regsvr32.exe
    regsvr32 /s C:\Users\Admin\AppData\Local\Temp\twoOtherThen.dll
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3588
    • C:\Windows\SysWOW64\regsvr32.exe
      /s C:\Users\Admin\AppData\Local\Temp\twoOtherThen.dll
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:728
      • C:\Windows\SysWOW64\explorer.exe
        C:\Windows\SysWOW64\explorer.exe
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:1476
        • C:\Windows\SysWOW64\schtasks.exe
          "C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /Z /ST 18:52 /tn nctkgvhv /ET 19:03 /tr "powershell.exe -encodedCommand cgBlAGcAcwB2AHIAMwAyAC4AZQB4AGUAIAAiAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwAXABUAGUAbQBwAFwAdAB3AG8ATwB0AGgAZQByAFQAaABlAG4ALgBkAGwAbAAiAA==" /SC ONCE
          4⤵
          • Creates scheduled task(s)
          PID:1828
  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -encodedCommand cgBlAGcAcwB2AHIAMwAyAC4AZQB4AGUAIAAiAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwAXABUAGUAbQBwAFwAdAB3AG8ATwB0AGgAZQByAFQAaABlAG4ALgBkAGwAbAAiAA==
    1⤵
    • Drops file in System32 directory
    • Modifies data under HKEY_USERS
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:616
    • C:\Windows\system32\regsvr32.exe
      "C:\Windows\system32\regsvr32.exe" C:\Users\Admin\AppData\Local\Temp\twoOtherThen.dll
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:116
      • C:\Windows\SysWOW64\regsvr32.exe
        C:\Users\Admin\AppData\Local\Temp\twoOtherThen.dll
        3⤵
        • Loads dropped DLL
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of WriteProcessMemory
        PID:4736
        • C:\Windows\SysWOW64\explorer.exe
          C:\Windows\SysWOW64\explorer.exe
          4⤵
          • Modifies data under HKEY_USERS
          PID:1060

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\twoOtherThen.dll
    Filesize

    335KB

    MD5

    b34091299aae4ff301b3402179adc3cd

    SHA1

    4e7b94658ba637d4e05ee3fb60480aa4b934d7a0

    SHA256

    0d0f2885724cb94c9c1ca7c9bb436daca22f3934a4b10010dbaa3d3f51e7dc12

    SHA512

    bcdc6c19fb90d1b51eb8dfea3dea772051acf9e16eb3db9f742853f17b32b294217d9741555b5b1ed8e92dbf5531266fdbb5bcc72970aaa1b9bd6901d9720494

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\twoOtherThen.dll
    Filesize

    335KB

    MD5

    b34091299aae4ff301b3402179adc3cd

    SHA1

    4e7b94658ba637d4e05ee3fb60480aa4b934d7a0

    SHA256

    0d0f2885724cb94c9c1ca7c9bb436daca22f3934a4b10010dbaa3d3f51e7dc12

    SHA512

    bcdc6c19fb90d1b51eb8dfea3dea772051acf9e16eb3db9f742853f17b32b294217d9741555b5b1ed8e92dbf5531266fdbb5bcc72970aaa1b9bd6901d9720494

    Download Submit
  • memory/116-138-0x0000000000000000-mapping.dmp
    Download
  • memory/616-142-0x00007FFEB9A00000-0x00007FFEBA4C1000-memory.dmp
    Filesize

    10.8MB

    Download
  • memory/616-143-0x00007FFEB9A00000-0x00007FFEBA4C1000-memory.dmp
    Filesize

    10.8MB

    Download
  • memory/616-137-0x000001FF50030000-0x000001FF50052000-memory.dmp
    Filesize

    136KB

    Download
  • memory/728-131-0x0000000001190000-0x00000000011B2000-memory.dmp
    Filesize

    136KB

    Download
  • memory/728-130-0x0000000000000000-mapping.dmp
    Download
  • memory/728-133-0x0000000001190000-0x00000000011B2000-memory.dmp
    Filesize

    136KB

    Download
  • memory/1060-145-0x0000000000000000-mapping.dmp
    Download
  • memory/1060-147-0x00000000014D0000-0x00000000014F2000-memory.dmp
    Filesize

    136KB

    Download
  • memory/1060-148-0x00000000014D0000-0x00000000014F2000-memory.dmp
    Filesize

    136KB

    Download
  • memory/1476-132-0x0000000000000000-mapping.dmp
    Download
  • memory/1476-135-0x00000000014D0000-0x00000000014F2000-memory.dmp
    Filesize

    136KB

    Download
  • memory/1476-136-0x00000000014D0000-0x00000000014F2000-memory.dmp
    Filesize

    136KB

    Download
  • memory/1828-134-0x0000000000000000-mapping.dmp
    Download
  • memory/4736-140-0x0000000000000000-mapping.dmp
    Download
  • memory/4736-144-0x00000000009D0000-0x00000000009F2000-memory.dmp
    Filesize

    136KB

    Download
  • memory/4736-146-0x00000000009D0000-0x00000000009F2000-memory.dmp
    Filesize

    136KB

    Download