Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

MARGINALITY.dll

windows7-x64

10

MARGINALITY.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    43s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    21/09/2022, 16:49 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    MARGINALITY.dll

  • Size

    703KB

  • MD5

    069fbff5bbfa4dd3295442b26893c6bb

  • SHA1

    1ef32f07ffb2f1cf5198203b7d263fd74d50939b

  • SHA256

    42ad1e843f44a725a6666d3d27f10caaa2252a05e1bc0b9c3c315496728f9f25

  • SHA512

    4c54c38d2f7a3fdcc154747d71db2a4871131e3a632eb5ede959f03370af9ba651825ed2a4318553ec0feeb82da1389cf15c4e74390d44edc72ddc01ea1eaa69

  • SSDEEP

    12288:10cDgZApguXaZhjxA8DPG+WAHlKHnhMIEe5UT+QD1lNMABa:6w76Za8Gy8HnP5w9Mqa

Score
10/10
qakbotbb1663698873bankerstealertrojan

Malware Config

Extracted

Family

qakbot

Version

403.895

Botnet

BB

Campaign

1663698873

C2

173.218.180.91:443

134.35.13.43:443

197.94.84.128:443

70.51.132.197:2222

181.118.183.123:443

189.19.189.222:32101

41.111.1.60:995

70.49.33.200:2222

99.232.140.205:2222

139.228.33.176:2222

193.3.19.37:443

41.99.57.155:443

177.255.14.99:995

31.54.39.153:2078

191.97.234.238:995

105.159.30.48:443

217.165.146.41:993

119.82.111.158:443

66.181.164.43:443

88.245.168.200:2222
Attributes
  • salt

    SoNuce]ugdiB3c[doMuce2s81*uXmcvP

Signatures

  • Qakbot/Qbot

    Qbot or Qakbot is a sophisticated worm with banking capabilities.

    trojanbankerstealerqakbot
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\MARGINALITY.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1504
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\MARGINALITY.dll,#1
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:1536
      • C:\Windows\SysWOW64\wermgr.exe
        C:\Windows\SysWOW64\wermgr.exe
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:1112

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1112-64-0x00000000000C0000-0x00000000000E2000-memory.dmp

    Filesize

    136KB

    Download

  • memory/1112-65-0x00000000000C0000-0x00000000000E2000-memory.dmp

    Filesize

    136KB

    Download

  • memory/1536-55-0x00000000768A1000-0x00000000768A3000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1536-56-0x00000000003C0000-0x00000000003E2000-memory.dmp

    Filesize

    136KB

    Download

  • memory/1536-58-0x00000000003C0000-0x00000000003E2000-memory.dmp

    Filesize

    136KB

    Download

  • memory/1536-57-0x00000000003C0000-0x00000000003E2000-memory.dmp

    Filesize

    136KB

    Download

  • memory/1536-59-0x00000000002E0000-0x0000000000321000-memory.dmp

    Filesize

    260KB

    Download

  • memory/1536-60-0x00000000003C0000-0x00000000003E2000-memory.dmp

    Filesize

    136KB

    Download

  • memory/1536-63-0x00000000003C0000-0x00000000003E2000-memory.dmp

    Filesize

    136KB

    Download

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.