Overview

overview

10

Static

static

3586/6190.cmd

windows7-x64

8

3586/6190.cmd

windows10-2004-x64

8

3586/extinct.dll

windows7-x64

10

3586/extinct.dll

windows10-2004-x64

10

Item.lnk

windows7-x64

3

Item.lnk

windows10-2004-x64

3

Analysis

  • max time kernel
    149s
  • max time network
    137s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06-10-2022 17:49

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    3586/extinct.dll

  • Size

    384KB

  • MD5

    1fa2068f08d1c55f06d6c33cb846f9ad

  • SHA1

    e305efe7987be1a91cdf39daa6bd1b19bc8c694c

  • SHA256

    fd18b58235e50379b775cc3cbabdc8df599e71f787b2d286281999c24ecc18f8

  • SHA512

    c2a2b84e2549be4078397650470f40d7f1b3c7385eab182e91ee2af09aea429c307b778d16e7b5673a10946485ef1db790d21878a4f752ed59e3061687898764

  • SSDEEP

    6144:OwWNVNYHWRZMZeiVt5p682MkWgylrBeKd5bYBWzjCvIuwDJnpCKHbrxOG53KPNs:Ol5eWt82Mk6lroKsLguiHOPNs

Score
10/10
qakbotbankerstealertrojan

Malware Config

Extracted

Family

qakbot

C2

254.220.133.175:61488

6.214.34.86:37718

129.63.87.139:47957

199.143.187.202:62342

233.203.75.113:40362

82.124.234.247:34892

77.88.220.108:65380

25.178.53.162:20183

234.205.153.76:63077

238.101.201.44:62063

244.41.89.118:54277

231.192.232.240:5182

13.173.166.131:1980

145.12.85.164:5864

13.198.107.186:24529

120.215.195.171:65347

193.162.253.134:2162

122.85.3.31:40483

50.116.208.51:18656

210.30.166.49:58465
Attributes
  • salt

    SoNuce]ugdiB3c[doMuce2s81*uXmcvP

Signatures

  • Qakbot/Qbot

    Qbot or Qakbot is a sophisticated worm with banking capabilities.

    trojanbankerstealerqakbot
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Windows\system32\regsvr32.exe
    regsvr32 /s C:\Users\Admin\AppData\Local\Temp\3586\extinct.dll
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4824
    • C:\Windows\SysWOW64\regsvr32.exe
      /s C:\Users\Admin\AppData\Local\Temp\3586\extinct.dll
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:4740
      • C:\Windows\SysWOW64\wermgr.exe
        C:\Windows\SysWOW64\wermgr.exe
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:2228

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/2228-134-0x0000000000000000-mapping.dmp

    Download

  • memory/2228-136-0x0000000000EF0000-0x0000000000F12000-memory.dmp

    Filesize

    136KB

    Download

  • memory/2228-137-0x0000000000EF0000-0x0000000000F12000-memory.dmp

    Filesize

    136KB

    Download

  • memory/4740-132-0x0000000000000000-mapping.dmp

    Download

  • memory/4740-133-0x00000000015D0000-0x00000000015F2000-memory.dmp

    Filesize

    136KB

    Download

  • memory/4740-135-0x00000000015D0000-0x00000000015F2000-memory.dmp

    Filesize

    136KB

    Download