Analysis
-
max time kernel
150s -
max time network
50s -
platform
windows7_x64 -
resource
win7-20220901-en -
resource tags
-
submitted
08-09-2022 15:54
General
-
Target
627967aa04631496b1bd5e502bd0c461e5991ff65eaa0f1714b8053351157e87.dll
-
Size
525KB
-
MD5
07c8c11cc4ef73de943134ab8e71850d
-
SHA1
6dffeac5550fd6b2af6738e6cda834767d41a2e5
-
SHA256
4eb7a871f9b479a9d719233dbd9f45c034e9fcf97cf70244f6d6eeaa48665a4d
-
SHA512
4d1f5d32c04ff8e4beb03cc8709ab5e073b4b18d21b6bbe59ab8198e92989d78a45e28234bc9c821455685bcdffc61732d2a00892b2bda396f194244fb68ebf2
-
SSDEEP
12288:sWghjfsaHKisYUVJAEvyxN7UDIC6hD3jkYm:jijHHKH53vU7UsNxwn
Malware Config
Extracted
qakbot
403.780
azd
1661969003
72.252.157.93:990
72.252.157.93:995
187.172.230.151:443
46.107.48.202:443
70.46.220.114:443
173.189.167.21:995
93.48.80.198:995
99.232.140.205:2222
89.211.179.14:2222
37.210.148.30:995
182.191.92.203:995
41.228.22.180:443
70.51.153.182:2222
47.180.172.159:443
47.23.89.61:993
173.21.10.71:2222
208.107.221.224:443
76.25.142.196:443
63.143.92.99:995
24.158.23.166:995
-
salt
jHxastDcds)oMc=jvh7wdUhxcsdt2
Signatures
-
Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: MapViewOfSection 1 IoCs
-
Suspicious use of WriteProcessMemory 17 IoCs
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\627967aa04631496b1bd5e502bd0c461e5991ff65eaa0f1714b8053351157e87.dll,#11⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\627967aa04631496b1bd5e502bd0c461e5991ff65eaa0f1714b8053351157e87.dll,#12⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /Z /ST 15:57 /tn fewbhnco /ET 16:08 /tr "powershell.exe -encodedCommand cgBlAGcAcwB2AHIAMwAyAC4AZQB4AGUAIAAiAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwAXABUAGUAbQBwAFwANgAyADcAOQA2ADcAYQBhADAANAA2ADMAMQA0ADkANgBiADEAYgBkADUAZQA1ADAAMgBiAGQAMABjADQANgAxAGUANQA5ADkAMQBmAGYANgA1AGUAYQBhADAAZgAxADcAMQA0AGIAOAAwADUAMwAzADUAMQAxADUANwBlADgANwAuAGQAbABsACIA" /SC ONCE4⤵
- Creates scheduled task(s)
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/460-59-0x0000000000000000-mapping.dmp
-
memory/460-61-0x0000000074851000-0x0000000074853000-memory.dmpFilesize
8KB
-
memory/460-63-0x0000000000080000-0x00000000000A2000-memory.dmpFilesize
136KB
-
memory/460-65-0x0000000000080000-0x00000000000A2000-memory.dmpFilesize
136KB
-
memory/1972-54-0x0000000000000000-mapping.dmp
-
memory/1972-55-0x0000000075D71000-0x0000000075D73000-memory.dmpFilesize
8KB
-
memory/1972-56-0x0000000000740000-0x00000000007C6000-memory.dmpFilesize
536KB
-
memory/1972-57-0x00000000002F0000-0x0000000000313000-memory.dmpFilesize
140KB
-
memory/1972-58-0x0000000000840000-0x0000000000862000-memory.dmpFilesize
136KB
-
memory/1972-62-0x0000000000840000-0x0000000000862000-memory.dmpFilesize
136KB
-
memory/2012-64-0x0000000000000000-mapping.dmp