Overview

overview

10

Static

static

D704DA1752...B2.dll

windows7-x64

10

D704DA1752...B2.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    131s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    30-09-2022 18:39

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    D704DA175248D59C068D9251F96DEEB2.dll

  • Size

    393KB

  • MD5

    d704da175248d59c068d9251f96deeb2

  • SHA1

    3c95b16e88c5edc3a7f24c0b7c78bf4312a82599

  • SHA256

    d127e0c805be94fef708c47ad62037ba3840d7b1db5330deea2bc40160501f45

  • SHA512

    21903bfd94beb1d7d88e3ff09e4727ac50c5f868633336173311d8033f3bbe19b01c1579cec4a7a660c9ee99aab1c8912986028ff450d3e693bc13008c835155

  • SSDEEP

    6144:P57WEjEaG/tptUcHme85N6w0ZmXp8jwkGU99WOUN2LAOh:IEj7QPw5cwimXujH33

Score
10/10
qakbotbb1664437404bankerstealertrojan

Malware Config

Extracted

Family

qakbot

Version

403.895

Botnet

BB

Campaign

1664437404

C2

113.180.55.111:443

58.186.75.42:443

105.184.56.118:995

196.206.133.114:995

80.253.189.55:443

193.3.19.137:443

41.104.80.233:443

49.205.197.13:443

186.81.122.168:443

216.238.83.82:443

216.238.83.82:995

39.44.5.104:995

196.207.146.151:443

216.238.108.61:995

139.84.167.18:995

139.84.167.18:443

216.238.108.61:443

149.28.38.16:995

134.35.12.30:443

131.100.40.13:995
Attributes
  • salt

    SoNuce]ugdiB3c[doMuce2s81*uXmcvP

Signatures

  • Qakbot/Qbot

    Qbot or Qakbot is a sophisticated worm with banking capabilities.

    trojanbankerstealerqakbot
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Windows\system32\regsvr32.exe
    regsvr32 /s C:\Users\Admin\AppData\Local\Temp\D704DA175248D59C068D9251F96DEEB2.dll
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4420
    • C:\Windows\SysWOW64\regsvr32.exe
      /s C:\Users\Admin\AppData\Local\Temp\D704DA175248D59C068D9251F96DEEB2.dll
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:1040
      • C:\Windows\SysWOW64\wermgr.exe
        C:\Windows\SysWOW64\wermgr.exe
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:920

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/920-137-0x0000000000910000-0x0000000000932000-memory.dmp

    Filesize

    136KB

    Download

  • memory/920-138-0x0000000000910000-0x0000000000932000-memory.dmp

    Filesize

    136KB

    Download

  • memory/1040-133-0x0000000000EE0000-0x0000000000F22000-memory.dmp

    Filesize

    264KB

    Download

  • memory/1040-134-0x0000000000BC0000-0x0000000000BE2000-memory.dmp

    Filesize

    136KB

    Download

  • memory/1040-136-0x0000000000BC0000-0x0000000000BE2000-memory.dmp

    Filesize

    136KB

    Download