Overview

overview

10

Static

static

REJ.lnk

windows7-x64

3

REJ.lnk

windows10-2004-x64

3

oslo/count...ly.dll

windows7-x64

10

oslo/count...ly.dll

windows10-2004-x64

10

oslo/reprocesses.cmd

windows7-x64

1

oslo/reprocesses.cmd

windows10-2004-x64

1

Analysis

  • max time kernel
    151s
  • max time network
    157s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    17/10/2022, 15:23

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    oslo/counteractively.dll

  • Size

    1.6MB

  • MD5

    52ec63a6f7f089862e648112fe8e9f1d

  • SHA1

    04db9cb200b071c86365e6bca041e7fe98bd9549

  • SHA256

    cbd3aae2eb182d54aed8306fa64c4cc91878a174ad23cbb85bc5d88117879902

  • SHA512

    8af919376f8d29bf5e3ad4a7fb1e8c83726fc0fd85920517c03b9fe7cd2d5efbafccc400b93b7584db34ee583e06d38c0ddfbbb281a8760b2fab076bdc65491d

  • SSDEEP

    24576:12gUXd2F9pZ6gGxxuFZ9HpuKt5VIWZypPsHycDizFitRCFv5x1WZXJM5T//82:12gOYNWuFZ9JAEHNWFOWv5D+5M

Score
10/10
qakbotobama2131665998932bankerstealertrojan

Malware Config

Extracted

Family

qakbot

Version

403.973

Botnet

obama213

Campaign

1665998932

C2

70.173.248.13:443

219.71.108.177:443

206.1.189.186:443

14.246.151.175:443

102.159.77.134:995

200.233.108.153:993

134.35.3.85:443

190.199.186.117:2222

200.155.61.245:995

103.156.237.71:443

176.44.119.153:443

181.56.171.3:995

151.251.50.117:443

163.182.177.80:443

104.202.220.123:443

41.101.92.195:443

190.193.180.228:443

190.204.112.207:2222

41.97.56.102:443

41.69.209.76:443
Attributes
  • salt

    SoNuce]ugdiB3c[doMuce2s81*uXmcvP

Signatures

  • Qakbot/Qbot

    Qbot or Qakbot is a sophisticated worm with banking capabilities.

    trojanbankerstealerqakbot
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\oslo\counteractively.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1576
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\oslo\counteractively.dll,#1
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:2440
      • C:\Windows\SysWOW64\wermgr.exe
        C:\Windows\SysWOW64\wermgr.exe
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:3164
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2440 -s 688
        3⤵
        • Program crash
        PID:4720
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 2440 -ip 2440
    1⤵
      PID:4808

    Network

    MITRE ATT&CK Matrix

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/2440-133-0x0000000002B90000-0x0000000002BB9000-memory.dmp

      Filesize

      164KB

      Download

    • memory/2440-134-0x00000000027E0000-0x000000000280A000-memory.dmp

      Filesize

      168KB

      Download

    • memory/2440-135-0x0000000002B90000-0x0000000002BB9000-memory.dmp

      Filesize

      164KB

      Download

    • memory/2440-138-0x0000000002B90000-0x0000000002BB9000-memory.dmp

      Filesize

      164KB

      Download

    • memory/3164-137-0x0000000000850000-0x0000000000879000-memory.dmp

      Filesize

      164KB

      Download

    • memory/3164-139-0x0000000000850000-0x0000000000879000-memory.dmp

      Filesize

      164KB

      Download