Analysis
-
max time kernel
112s -
max time network
139s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system -
submitted
26-09-2022 12:41
Static task
static1
Behavioral task
behavioral1
Sample
retsina.db.dll
Resource
win7-20220812-en
General
-
Target
retsina.db.dll
-
Size
1.1MB
-
MD5
e17ff4c8e0da566b6fbe6ce54101eee7
-
SHA1
ed92354f1a9500c9dc07dfe77e23d3193e905559
-
SHA256
0b353412e79686c5185dfdf185747e856f379c863ff41d82ce0ef4b69b31b747
-
SHA512
70b9b4f07b35cf617da318e79999d3593355c126d10ab01a30827cd0daaa0d0fe54bbc9ed8fce80372803573ad2f30ea30e177dbf9ca0eddcf4cafb87e081f30
-
SSDEEP
24576:wVeK7bHY/DS6wku4EmQKyMeRP7IYqsS/HdcoO9u+5w9M4a:wZjMpn6oO
Malware Config
Extracted
qakbot
403.895
BB
1664184863
197.204.227.155:443
123.23.64.230:443
173.218.180.91:443
111.125.157.230:443
70.49.33.200:2222
149.28.38.16:995
86.132.13.105:2078
149.28.38.16:443
45.77.159.252:995
45.77.159.252:443
149.28.63.197:995
144.202.15.58:443
45.63.10.144:443
45.63.10.144:995
149.28.63.197:443
144.202.15.58:995
39.121.226.109:443
177.255.14.99:995
134.35.10.30:443
99.232.140.205:2222
180.180.132.100:443
86.176.180.223:993
41.98.11.74:443
196.64.230.149:8443
68.224.229.42:443
41.111.72.234:995
196.64.237.130:443
190.44.40.48:995
70.51.132.197:2222
88.232.207.24:443
115.247.12.66:443
189.19.189.222:32101
72.88.245.71:443
217.165.97.141:993
191.97.234.238:995
119.82.111.158:443
88.237.6.72:53
100.1.5.250:995
96.234.66.76:995
186.64.67.34:443
66.181.164.43:443
193.3.19.37:443
197.94.84.128:443
41.96.130.46:80
187.205.222.100:443
139.228.33.176:2222
88.245.168.200:2222
110.4.255.247:443
89.211.217.38:995
-
salt
SoNuce]ugdiB3c[doMuce2s81*uXmcvP
Signatures
-
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 2536 896 WerFault.exe rundll32.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
rundll32.exepid process 896 rundll32.exe 896 rundll32.exe -
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
rundll32.exedescription pid process target process PID 3972 wrote to memory of 896 3972 rundll32.exe rundll32.exe PID 3972 wrote to memory of 896 3972 rundll32.exe rundll32.exe PID 3972 wrote to memory of 896 3972 rundll32.exe rundll32.exe
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\retsina.db.dll,#11⤵
- Suspicious use of WriteProcessMemory
PID:3972 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\retsina.db.dll,#12⤵
- Suspicious behavior: EnumeratesProcesses
PID:896 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 896 -s 7123⤵
- Program crash
PID:2536
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 896 -ip 8961⤵PID:4944