Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

MARGINALITY.dll

windows7-x64

10

MARGINALITY.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    65s
  • max time network
    144s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    21/09/2022, 16:49

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    MARGINALITY.dll

  • Size

    703KB

  • MD5

    069fbff5bbfa4dd3295442b26893c6bb

  • SHA1

    1ef32f07ffb2f1cf5198203b7d263fd74d50939b

  • SHA256

    42ad1e843f44a725a6666d3d27f10caaa2252a05e1bc0b9c3c315496728f9f25

  • SHA512

    4c54c38d2f7a3fdcc154747d71db2a4871131e3a632eb5ede959f03370af9ba651825ed2a4318553ec0feeb82da1389cf15c4e74390d44edc72ddc01ea1eaa69

  • SSDEEP

    12288:10cDgZApguXaZhjxA8DPG+WAHlKHnhMIEe5UT+QD1lNMABa:6w76Za8Gy8HnP5w9Mqa

Score
10/10
qakbotbb1663698873bankerstealertrojan

Malware Config

Extracted

Family

qakbot

Version

403.895

Botnet

BB

Campaign

1663698873

C2

173.218.180.91:443

134.35.13.43:443

197.94.84.128:443

70.51.132.197:2222

181.118.183.123:443

189.19.189.222:32101

41.111.1.60:995

70.49.33.200:2222

99.232.140.205:2222

139.228.33.176:2222

193.3.19.37:443

41.99.57.155:443

177.255.14.99:995

31.54.39.153:2078

191.97.234.238:995

105.159.30.48:443

217.165.146.41:993

119.82.111.158:443

66.181.164.43:443

88.245.168.200:2222
Attributes
  • salt

    SoNuce]ugdiB3c[doMuce2s81*uXmcvP

Signatures

  • Qakbot/Qbot

    Qbot or Qakbot is a sophisticated worm with banking capabilities.

    trojanbankerstealerqakbot
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\MARGINALITY.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4664
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\MARGINALITY.dll,#1
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:836
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 836 -s 668
        3⤵
        • Program crash
        PID:2164
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 836 -ip 836
    1⤵
      PID:5012

    Network

    MITRE ATT&CK Matrix

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/836-133-0x0000000000850000-0x0000000000904000-memory.dmp

      Filesize

      720KB

      Download

    • memory/836-134-0x00000000025C0000-0x00000000025E2000-memory.dmp

      Filesize

      136KB

      Download

    • memory/836-135-0x00000000021F0000-0x0000000002231000-memory.dmp

      Filesize

      260KB

      Download

    • memory/836-136-0x00000000025C0000-0x00000000025E2000-memory.dmp

      Filesize

      136KB

      Download