Overview

overview

10

Static

static

Postcards.lnk

windows7-x64

3

Postcards.lnk

windows10-2004-x64

3

plaid/croaks.dll

windows7-x64

10

plaid/croaks.dll

windows10-2004-x64

10

plaid/disb...hip.js

windows7-x64

3

plaid/disb...hip.js

windows10-2004-x64

1

plaid/flou...es.cmd

windows7-x64

1

plaid/flou...es.cmd

windows10-2004-x64

1

Analysis

  • max time kernel
    150s
  • max time network
    47s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    30-09-2022 10:38

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    plaid/croaks.dll

  • Size

    594KB

  • MD5

    3dc3f269b9a89b2d7ea8249d4644a900

  • SHA1

    b9075c67730f2a0d3b65f07663f300cfaff19011

  • SHA256

    af1692ced38f5fda305b35be66774822900a0b9617102db4b3da5f7c97f70e3e

  • SHA512

    f1377d49c9ff7dde7bd138d38a097612298f4215aa8461b9e0fe748c238de577e8f4eb134428300961b1618e018c2e8c0128923f3e8f6cb8fd93738fb264ef89

  • SSDEEP

    6144:sEUrgznbtvSaoyH0+iN4QDClgg9Q6STFOPHuC0AO+jZrR:CgzbVZi2QWig2MHuNyR

Score
10/10
qakbotbb1664437404bankerstealertrojan

Malware Config

Extracted

Family

qakbot

Version

403.895

Botnet

BB

Campaign

1664437404

C2

113.180.55.111:443

58.186.75.42:443

105.184.56.118:995

196.206.133.114:995

80.253.189.55:443

193.3.19.137:443

41.104.80.233:443

49.205.197.13:443

186.81.122.168:443

216.238.83.82:443

216.238.83.82:995

39.44.5.104:995

196.207.146.151:443

216.238.108.61:995

139.84.167.18:995

139.84.167.18:443

216.238.108.61:443

149.28.38.16:995

134.35.12.30:443

131.100.40.13:995
Attributes
  • salt

    SoNuce]ugdiB3c[doMuce2s81*uXmcvP

Signatures

  • Qakbot/Qbot

    Qbot or Qakbot is a sophisticated worm with banking capabilities.

    trojanbankerstealerqakbot
  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Windows\system32\regsvr32.exe
    regsvr32 /s C:\Users\Admin\AppData\Local\Temp\plaid\croaks.dll
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1584
    • C:\Windows\SysWOW64\regsvr32.exe
      /s C:\Users\Admin\AppData\Local\Temp\plaid\croaks.dll
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:1772
      • C:\Windows\SysWOW64\wermgr.exe
        C:\Windows\SysWOW64\wermgr.exe
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:1128

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1128-59-0x0000000000000000-mapping.dmp

    Download

  • memory/1128-62-0x0000000000080000-0x00000000000A2000-memory.dmp

    Filesize

    136KB

    Download

  • memory/1128-63-0x0000000000080000-0x00000000000A2000-memory.dmp

    Filesize

    136KB

    Download

  • memory/1584-54-0x000007FEFB7D1000-0x000007FEFB7D3000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1772-55-0x0000000000000000-mapping.dmp

    Download

  • memory/1772-56-0x0000000074BB1000-0x0000000074BB3000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1772-57-0x0000000000170000-0x00000000001F0000-memory.dmp

    Filesize

    512KB

    Download

  • memory/1772-58-0x0000000000230000-0x0000000000252000-memory.dmp

    Filesize

    136KB

    Download

  • memory/1772-61-0x0000000000230000-0x0000000000252000-memory.dmp

    Filesize

    136KB

    Download