Overview

overview

10

Static

static

bba04c832f...8b.dll

windows7-x64

10

bba04c832f...8b.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    46s
  • platform
    windows7_x64
  • resource
    win7-20220715-en
  • resource tags

    arch:x64arch:x86image:win7-20220715-enlocale:en-usos:windows7-x64system
  • submitted
    29-07-2022 23:13

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    bba04c832f3e278361c826c4fafc70ec98d016d8ed5de6bc90db87a773cb658b.dll

  • Size

    979KB

  • MD5

    a54c368c81e44e3e30d39d20735eb2ae

  • SHA1

    5381365f8afa1c9dff0da4fdb19a9527b6bf8118

  • SHA256

    bba04c832f3e278361c826c4fafc70ec98d016d8ed5de6bc90db87a773cb658b

  • SHA512

    abed3a88c56293a6377a87038b3811a07948ddbfbda9c58f21b6fddf4e39b89a059c9d98f764f154df7eba0497ed55907f34fd266bc2917a2cb916e4e49d2cd2

Score
10/10
qakbotaa1654852856bankerstealertrojan

Malware Config

Extracted

Family

qakbot

Version

403.688

Botnet

AA

Campaign

1654852856

C2

172.115.177.204:2222

78.177.60.224:443

75.99.168.194:61201

124.40.244.115:2222

32.221.224.140:995

31.35.28.29:443

186.90.153.162:2222

1.161.123.53:995

197.87.182.115:443

86.132.14.70:2078

197.94.94.206:443

74.14.5.179:2222

148.0.56.63:443

217.165.84.253:993

39.44.235.10:995

67.165.206.193:993

210.246.4.69:995

182.191.92.203:995

117.248.109.38:21

1.161.123.53:443
Attributes
  • salt

    jHxastDcds)oMc=jvh7wdUhxcsdt2

Signatures

  • Qakbot/Qbot

    Qbot or Qakbot is a sophisticated worm with banking capabilities.

    trojanbankerstealerqakbot
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of WriteProcessMemory 29 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\bba04c832f3e278361c826c4fafc70ec98d016d8ed5de6bc90db87a773cb658b.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:288
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\bba04c832f3e278361c826c4fafc70ec98d016d8ed5de6bc90db87a773cb658b.dll,#1
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:736
      • C:\Windows\SysWOW64\explorer.exe
        C:\Windows\SysWOW64\explorer.exe
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:1936
        • C:\Windows\SysWOW64\schtasks.exe
          "C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn godufotxl /tr "regsvr32.exe -s \"C:\Users\Admin\AppData\Local\Temp\bba04c832f3e278361c826c4fafc70ec98d016d8ed5de6bc90db87a773cb658b.dll\"" /SC ONCE /Z /ST 23:16 /ET 23:28
          4⤵
          • Creates scheduled task(s)
          PID:1892
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {81C0EBD1-B583-4A8F-9F87-D3B1E1CFD0EB} S-1-5-18:NT AUTHORITY\System:Service:
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1704
    • C:\Windows\system32\regsvr32.exe
      regsvr32.exe -s "C:\Users\Admin\AppData\Local\Temp\bba04c832f3e278361c826c4fafc70ec98d016d8ed5de6bc90db87a773cb658b.dll"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1152
      • C:\Windows\SysWOW64\regsvr32.exe
        -s "C:\Users\Admin\AppData\Local\Temp\bba04c832f3e278361c826c4fafc70ec98d016d8ed5de6bc90db87a773cb658b.dll"
        3⤵
          PID:1564

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Scheduled Task

    1
    T1053

    Persistence

    Scheduled Task

    1
    T1053

    Privilege Escalation

    Scheduled Task

    1
    T1053

    Defense Evasion

    Credential Access

    Discovery

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\bba04c832f3e278361c826c4fafc70ec98d016d8ed5de6bc90db87a773cb658b.dll
      Filesize

      979KB

      MD5

      a54c368c81e44e3e30d39d20735eb2ae

      SHA1

      5381365f8afa1c9dff0da4fdb19a9527b6bf8118

      SHA256

      bba04c832f3e278361c826c4fafc70ec98d016d8ed5de6bc90db87a773cb658b

      SHA512

      abed3a88c56293a6377a87038b3811a07948ddbfbda9c58f21b6fddf4e39b89a059c9d98f764f154df7eba0497ed55907f34fd266bc2917a2cb916e4e49d2cd2

      Download Submit
    • memory/736-57-0x00000000022B0000-0x00000000022D2000-memory.dmp
      Filesize

      136KB

      Download
    • memory/736-56-0x00000000007B0000-0x00000000008A7000-memory.dmp
      Filesize

      988KB

      Download
    • memory/736-59-0x00000000022B0000-0x00000000022D2000-memory.dmp
      Filesize

      136KB

      Download
    • memory/736-58-0x00000000022B0000-0x00000000022D2000-memory.dmp
      Filesize

      136KB

      Download
    • memory/736-60-0x0000000002270000-0x00000000022A2000-memory.dmp
      Filesize

      200KB

      Download
    • memory/736-61-0x00000000022B0000-0x00000000022D2000-memory.dmp
      Filesize

      136KB

      Download
    • memory/736-55-0x0000000076191000-0x0000000076193000-memory.dmp
      Filesize

      8KB

      Download
    • memory/736-65-0x00000000022B0000-0x00000000022D2000-memory.dmp
      Filesize

      136KB

      Download
    • memory/736-54-0x0000000000000000-mapping.dmp
      Download
    • memory/1152-69-0x0000000000000000-mapping.dmp
      Download
    • memory/1152-70-0x000007FEFBA81000-0x000007FEFBA83000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1564-72-0x0000000000000000-mapping.dmp
      Download
    • memory/1892-67-0x0000000000000000-mapping.dmp
      Download
    • memory/1936-68-0x0000000000080000-0x00000000000A2000-memory.dmp
      Filesize

      136KB

      Download
    • memory/1936-66-0x0000000000080000-0x00000000000A2000-memory.dmp
      Filesize

      136KB

      Download
    • memory/1936-64-0x0000000074411000-0x0000000074413000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1936-62-0x0000000000000000-mapping.dmp
      Download