Overview

overview

10

Static

static

anticipati...gs.dll

windows7-x64

10

anticipati...gs.dll

windows10-2004-x64

10

Resubmissions

29/09/2022, 17:46

220929-wcj36abfb5 10

29/09/2022, 17:36

220929-v6m68scecp 10

Analysis

  • max time kernel
    1s
  • platform
    windows7_x64
  • resource
    win7-20220901-en
  • resource tags

    arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
  • submitted
    29/09/2022, 17:46

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    anticipations/weaklings.dll

  • Size

    693KB

  • MD5

    c05798268fcde7fbda9305a54389bb79

  • SHA1

    72b49520e928a4d4c63b99d8bc68a45abc41cc88

  • SHA256

    b9dd2d79e9b78f0d3f439c302f19b0bbec463f135701ab2ea99c27f48fa2eb1a

  • SHA512

    8937282bbf257f0d2f2ab86ba4909b3ee8f69d2141b8e419cb245019a0dcd5964c38ab9bc3ada8ef75cbdee02ae05a0f69196d4fb6c4c27351b2e36f36f592e1

  • SSDEEP

    12288:/ieL1vc1PdFjpmw5qS6xnGWvE/NIg5UT+QD1lNMAxH:K81IFnqnvE/5w9MW

Score
10/10
qakbotbb1664358901bankerstealertrojan

Malware Config

Extracted

Family

qakbot

Version

403.895

Botnet

BB

Campaign

1664358901

C2

179.111.23.186:32101

179.251.119.206:995

84.3.85.30:443

39.44.5.104:995

197.41.235.69:995

193.3.19.137:443

186.81.122.168:443

103.173.121.17:443

41.111.118.56:443

102.189.184.12:995

156.199.90.139:443

14.168.180.223:443

41.140.98.37:995

156.205.3.210:993

139.228.33.176:2222

134.35.12.0:443

49.205.197.13:443

131.100.40.13:995

217.165.146.158:993

73.252.27.208:995
Attributes
  • salt

    SoNuce]ugdiB3c[doMuce2s81*uXmcvP

Signatures

  • Qakbot/Qbot

    Qbot or Qakbot is a sophisticated worm with banking capabilities.

    trojanbankerstealerqakbot
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\anticipations\weaklings.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1700
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\anticipations\weaklings.dll,#1
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:1124

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1124-55-0x0000000076BA1000-0x0000000076BA3000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1124-56-0x0000000000780000-0x0000000000832000-memory.dmp

    Filesize

    712KB

    Download

  • memory/1124-57-0x0000000000840000-0x0000000000862000-memory.dmp

    Filesize

    136KB

    Download

  • memory/1124-58-0x0000000000840000-0x0000000000862000-memory.dmp

    Filesize

    136KB

    Download

  • memory/1124-59-0x0000000000840000-0x0000000000862000-memory.dmp

    Filesize

    136KB

    Download

  • memory/1124-60-0x00000000002F0000-0x0000000000331000-memory.dmp

    Filesize

    260KB

    Download

  • memory/1124-61-0x0000000000840000-0x0000000000862000-memory.dmp

    Filesize

    136KB

    Download