Analysis

  • max time kernel
    123s
  • max time network
    128s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05-10-2022 22:20

General

  • Target

    7965/usurpers.dll

  • Size

    743KB

  • MD5

    0d34c7cc649e41ed139210cff4f0f6b2

  • SHA1

    2aa5538a31b7367ced7ce55dbf68c93490f7eff9

  • SHA256

    7d9d70bdc53de103086dfc901004cfa2dc93fb25fb5c40109b63ba071107e40a

  • SHA512

    8ac448a6bdf86ad781aa386895df83cb9d48536bf00140ac0c05ea55df0f783815cc8600a5e76cd38d84f980caf5ec758b46d489370d0a49dce9c0a638ebafbb

  • SSDEEP

    12288:zxnt9hlMvNICAY0KEkAOl7G79zEXjGOyw3MW:tt9+JFEkAmG0j26M

Malware Config

Extracted

Family

qakbot

C2

15.114.17.14:1442

56.9.100.20:53368

88.117.146.12:40265

200.215.143.195:52771

134.133.152.217:5132

227.189.195.57:42370

76.219.151.168:17454

17.1.24.235:65225

217.27.142.33:46036

13.16.220.0:0

156.36.22.250:12263

73.225.210.175:40922

19.138.81.187:38748

191.101.43.136:10968

145.20.244.169:39814

74.30.254.35:15530

138.94.26.23:49965

218.175.98.133:15428

181.245.40.43:1982

24.10.174.212:30807

Attributes
  • salt

    SoNuce]ugdiB3c[doMuce2s81*uXmcvP

Signatures

  • Qakbot/Qbot

    Qbot or Qakbot is a sophisticated worm with banking capabilities.

  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\7965\usurpers.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1812
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\7965\usurpers.dll,#1
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:3808
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 3808 -s 668
        3⤵
        • Program crash
        PID:888
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 388 -p 3808 -ip 3808
    1⤵
      PID:3508

    Network

    MITRE ATT&CK Matrix

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/3808-132-0x0000000000000000-mapping.dmp

    • memory/3808-133-0x0000000002860000-0x0000000002882000-memory.dmp

      Filesize

      136KB

    • memory/3808-134-0x0000000002810000-0x0000000002851000-memory.dmp

      Filesize

      260KB

    • memory/3808-135-0x0000000002860000-0x0000000002882000-memory.dmp

      Filesize

      136KB