Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

defrosts.dat.dll

windows7-x64

10

defrosts.dat.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    197s
  • max time network
    194s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03/10/2022, 22:19

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    defrosts.dat.dll

  • Size

    650KB

  • MD5

    3d348e2c37855dd4a1b94eff371ab3f1

  • SHA1

    3e66fc73001380b170e658561f19441262011af6

  • SHA256

    f56d25cf9f20f2040b2ec14f769f36aa14819f56f6b254c0831c9b2a024b8c8d

  • SHA512

    8cbade23ddcbfcad5ea242e4926e194daad958b8ff61069220165a0fe4b660fc8c19ce56f39ac6bfd4defeb7525b2268665a01b5ebb8aaa2e5c31ee532b50052

  • SSDEEP

    12288:e04qh9jnmGxBGex5ikJdspJRtsdi21LcVUK:ayjn5PyVWdR1L/K

Score
10/10
qakbotbankerstealertrojan

Malware Config

Extracted

Family

qakbot

C2

78.116.204.249:27334

32.26.157.231:2190

18.196.211.168:48835

20.143.207.39:26614

129.117.41.161:7982

209.203.201.219:44632

174.59.186.115:33072

88.239.235.151:45186

130.10.116.149:14433

232.176.128.0:0

70.238.223.142:65113

108.212.133.125:43749

91.204.181.165:28980

227.138.255.213:57594

252.124.102.160:59802

84.56.235.30:702

40.12.38.164:4225

163.55.16.87:6230

235.167.221.218:44172

113.34.86.36:44766
Attributes
  • salt

    SoNuce]ugdiB3c[doMuce2s81*uXmcvP

Signatures

  • Qakbot/Qbot

    Qbot or Qakbot is a sophisticated worm with banking capabilities.

    trojanbankerstealerqakbot
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Windows\system32\regsvr32.exe
    regsvr32 /s C:\Users\Admin\AppData\Local\Temp\defrosts.dat.dll
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3808
    • C:\Windows\SysWOW64\regsvr32.exe
      /s C:\Users\Admin\AppData\Local\Temp\defrosts.dat.dll
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:4960
      • C:\Windows\SysWOW64\wermgr.exe
        C:\Windows\SysWOW64\wermgr.exe
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:4780

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/4780-140-0x0000000000480000-0x00000000004A2000-memory.dmp

    Filesize

    136KB

    Download

  • memory/4780-141-0x0000000000480000-0x00000000004A2000-memory.dmp

    Filesize

    136KB

    Download

  • memory/4960-133-0x0000000075550000-0x00000000755F7000-memory.dmp

    Filesize

    668KB

    Download

  • memory/4960-134-0x00000000025B0000-0x00000000025F2000-memory.dmp

    Filesize

    264KB

    Download

  • memory/4960-135-0x0000000002620000-0x0000000002642000-memory.dmp

    Filesize

    136KB

    Download

  • memory/4960-136-0x0000000075550000-0x00000000755F7000-memory.dmp

    Filesize

    668KB

    Download

  • memory/4960-138-0x0000000075550000-0x00000000755F7000-memory.dmp

    Filesize

    668KB

    Download

  • memory/4960-139-0x0000000002620000-0x0000000002642000-memory.dmp

    Filesize

    136KB

    Download