Overview

overview

10

Static

static

uncited.dat.dll

windows7-x64

10

uncited.dat.dll

windows10-2004-x64

10

Resubmissions

14/10/2022, 19:38

221014-ycdmgsecep 10

14/10/2022, 18:36

221014-w8xdcseag7 10

Analysis

  • max time kernel
    113s
  • max time network
    126s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    14/10/2022, 19:38

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    uncited.dat.dll

  • Size

    638KB

  • MD5

    7f1fc752865619dbe870ab5630e901d6

  • SHA1

    43878660e33f52f22ed1de323f2c426870174dd7

  • SHA256

    10afa9374deef0bc44fae6fc28be88c3999bb2410f07b7159dbd1882a94e9189

  • SHA512

    f085bcb6e666324e9f3f6cf0a9d3fe353fe4d100669512d66d1fc10abb9e9addb0c798fbbd8207f77daaea72fcd057bf22e710d14cfd97f4d24fdf7513b968c7

  • SSDEEP

    12288:fa2sTwwDbozbuUijWQ2ieToMjavBxHuZXJMeGbX//IO:fBs1QuUijWHVUM+HOZXJM5T//I

Score
10/10
qakbotbb021665761649bankerstealertrojan

Malware Config

Extracted

Family

qakbot

Version

403.973

Botnet

BB02

Campaign

1665761649

C2

211.47.11.62:33850

104.233.202.195:443

105.156.242.71:443

45.230.169.132:995

181.197.41.173:443

197.0.89.147:443

191.254.53.134:995

190.204.74.4:2222

46.185.147.165:443

190.26.159.133:995

177.205.74.14:2222

197.63.250.197:993

45.230.169.132:443

156.212.50.148:443

193.27.13.28:32100

190.200.10.82:2222

31.166.182.166:443

179.105.182.216:995

193.201.187.64:443

1.53.101.75:443
Attributes
  • salt

    SoNuce]ugdiB3c[doMuce2s81*uXmcvP

Signatures

  • Qakbot/Qbot

    Qbot or Qakbot is a sophisticated worm with banking capabilities.

    trojanbankerstealerqakbot
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\uncited.dat.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4756
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\uncited.dat.dll,#1
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:2108
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2108 -s 676
        3⤵
        • Program crash
        PID:2356
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2108 -ip 2108
    1⤵
      PID:5000

    Network

          MITRE ATT&CK Matrix

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • memory/2108-133-0x00000000025B0000-0x00000000025D9000-memory.dmp

            Filesize

            164KB

            Download

          • memory/2108-134-0x0000000002450000-0x000000000247A000-memory.dmp

            Filesize

            168KB

            Download

          • memory/2108-135-0x00000000025B0000-0x00000000025D9000-memory.dmp

            Filesize

            164KB

            Download