Overview

overview

10

Static

static

REF.lnk

windows7-x64

3

REF.lnk

windows10-2004-x64

3

gaffes/act...usk.js

windows7-x64

3

gaffes/act...usk.js

windows10-2004-x64

1

gaffes/inh...ly.cmd

windows7-x64

1

gaffes/inh...ly.cmd

windows10-2004-x64

1

gaffes/twinkle.dll

windows7-x64

10

gaffes/twinkle.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    151s
  • max time network
    46s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    28-09-2022 16:20

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    gaffes/twinkle.dll

  • Size

    695KB

  • MD5

    44ee81238a82607f711237d670cb88b2

  • SHA1

    25f4cbc56d9970d837f8ba3059956db4dbe0e1bd

  • SHA256

    466484398eb25d42b0e0b095f10590a566610447eb212d1dc7f7bd342e89fe5a

  • SHA512

    19a9b4e79dc7d2752ae4a3f6d71b3ea8e0ee00022b259bf635e0c2f053ede53b5d7c8b217c232d15df299c47d953d026b3f1fc0af6bfb85fb940ba339f4c4385

  • SSDEEP

    12288:nieL1vc1PdFjpmw5qS6xnGWmE/N285UT+QD1lNMA:i81IFnqnmEl5w9M

Score
10/10
qakbotobama2071664363417bankerstealertrojan

Malware Config

Extracted

Family

qakbot

Version

403.895

Botnet

obama207

Campaign

1664363417

C2

217.165.146.158:993

41.97.179.58:443

86.132.13.49:2078

197.203.50.195:443

85.245.143.94:443

86.196.181.62:2222

102.190.190.242:995

105.184.133.198:995

179.111.23.186:32101

179.251.119.206:995

84.3.85.30:443

39.44.5.104:995

197.41.235.69:995

193.3.19.137:443

186.81.122.168:443

103.173.121.17:443

41.104.80.233:443

102.189.184.12:995

156.199.90.139:443

14.168.180.223:443
Attributes
  • salt

    SoNuce]ugdiB3c[doMuce2s81*uXmcvP

Signatures

  • Qakbot/Qbot

    Qbot or Qakbot is a sophisticated worm with banking capabilities.

    trojanbankerstealerqakbot
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\gaffes\twinkle.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1980
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\gaffes\twinkle.dll,#1
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:1996
      • C:\Windows\SysWOW64\wermgr.exe
        C:\Windows\SysWOW64\wermgr.exe
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:1728

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1728-62-0x0000000000000000-mapping.dmp

    Download

  • memory/1728-65-0x00000000000C0000-0x00000000000E2000-memory.dmp

    Filesize

    136KB

    Download

  • memory/1728-66-0x00000000000C0000-0x00000000000E2000-memory.dmp

    Filesize

    136KB

    Download

  • memory/1996-54-0x0000000000000000-mapping.dmp

    Download

  • memory/1996-55-0x0000000076031000-0x0000000076033000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1996-56-0x00000000007C0000-0x0000000000873000-memory.dmp

    Filesize

    716KB

    Download

  • memory/1996-57-0x0000000000260000-0x0000000000282000-memory.dmp

    Filesize

    136KB

    Download

  • memory/1996-59-0x0000000000260000-0x0000000000282000-memory.dmp

    Filesize

    136KB

    Download

  • memory/1996-58-0x0000000000260000-0x0000000000282000-memory.dmp

    Filesize

    136KB

    Download

  • memory/1996-60-0x0000000001EC0000-0x0000000001F02000-memory.dmp

    Filesize

    264KB

    Download

  • memory/1996-61-0x0000000000260000-0x0000000000282000-memory.dmp

    Filesize

    136KB

    Download

  • memory/1996-64-0x0000000000260000-0x0000000000282000-memory.dmp

    Filesize

    136KB

    Download