Overview

overview

10

Static

static

CardS.lnk

windows7-x64

3

CardS.lnk

windows10-2004-x64

3

brickwork/...ans.js

windows7-x64

3

brickwork/...ans.js

windows10-2004-x64

1

brickwork/...is.dll

windows7-x64

10

brickwork/...is.dll

windows10-2004-x64

10

brickwork/...te.cmd

windows7-x64

1

brickwork/...te.cmd

windows10-2004-x64

1

Resubmissions

03/10/2022, 18:20

221003-wy3sdsaehq 10

30/09/2022, 16:25

220930-twx31seah6 10

Analysis

  • max time kernel
    150s
  • max time network
    47s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    03/10/2022, 18:20

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    brickwork/rhinitis.dll

  • Size

    653KB

  • MD5

    8f2fb30e75a8434382eddef86ecda768

  • SHA1

    dfb888ddad9c2111de010532f2539b9fddb99e7b

  • SHA256

    27fbfb86936343fc18bb61811401c96c052ecdff080da3bdb403545d55cf2b2a

  • SHA512

    a4f0707562157666143a20860ca1d3d8a49f9ffba79b7066361a35beba4488c81e0a4822bd9bdf7a6c7028c7aa066d2f295a36890577d2b4ea9b3da66adbcbf3

  • SSDEEP

    12288:DzGUo9tIf1JUFR+NcGW4izhxSsB20HQ+n3VGo9lD0ZoggSVSK7t:DzG3QtiRgbWhbLdQG3VGonQo4t

Score
10/10
qakbotbankerstealertrojan

Malware Config

Extracted

Family

qakbot

C2

75.116.87.44:14933

64.55.103.194:9151

80.214.68.88:40730

97.184.129.40:2118

216.44.143.70:26851

239.39.127.10:38876

57.33.10.57:17737

201.128.252.151:58865

211.76.239.250:34506

124.58.65.86:13247

41.8.154.58:7614

6.55.240.195:27003

139.242.121.12:23370

8.81.30.103:64297

168.13.24.67:37382

17.219.125.20:59669

136.66.66.194:40287

63.172.177.141:57252

195.44.25.26:29277

67.212.106.154:59890
Attributes
  • salt

    SoNuce]ugdiB3c[doMuce2s81*uXmcvP

Signatures

  • Qakbot/Qbot

    Qbot or Qakbot is a sophisticated worm with banking capabilities.

    trojanbankerstealerqakbot
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Windows\system32\regsvr32.exe
    regsvr32 /s C:\Users\Admin\AppData\Local\Temp\brickwork\rhinitis.dll
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:328
    • C:\Windows\SysWOW64\regsvr32.exe
      /s C:\Users\Admin\AppData\Local\Temp\brickwork\rhinitis.dll
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:1152
      • C:\Windows\SysWOW64\wermgr.exe
        C:\Windows\SysWOW64\wermgr.exe
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:940

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/328-54-0x000007FEFC291000-0x000007FEFC293000-memory.dmp

    Filesize

    8KB

    Download

  • memory/940-61-0x0000000000080000-0x00000000000A2000-memory.dmp

    Filesize

    136KB

    Download

  • memory/940-62-0x0000000000080000-0x00000000000A2000-memory.dmp

    Filesize

    136KB

    Download

  • memory/1152-56-0x0000000075ED1000-0x0000000075ED3000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1152-57-0x00000000001D0000-0x0000000000250000-memory.dmp

    Filesize

    512KB

    Download

  • memory/1152-60-0x00000000001D0000-0x00000000001F2000-memory.dmp

    Filesize

    136KB

    Download