Overview

overview

10

Static

static

20221018/8...f4.lnk

windows7-x64

3

20221018/8...f4.lnk

windows10-2004-x64

3

20221018/8...f4.zip

windows7-x64

1

20221018/8...f4.zip

windows10-2004-x64

1

20221018/C...38.iso

windows7-x64

3

20221018/C...38.iso

windows10-2004-x64

3

Calculation.lnk

windows7-x64

10

Calculation.lnk

windows10-2004-x64

10

vertices/bismuth.cmd

windows7-x64

1

vertices/bismuth.cmd

windows10-2004-x64

1

vertices/emitting.dll

windows7-x64

10

vertices/emitting.dll

windows10-2004-x64

10

vertices/why.txt

windows7-x64

1

vertices/why.txt

windows10-2004-x64

1

Analysis

  • max time kernel
    149s
  • max time network
    49s
  • platform
    windows7_x64
  • resource
    win7-20220901-en
  • resource tags

    arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
  • submitted
    18/10/2022, 16:17

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    vertices/emitting.dll

  • Size

    584KB

  • MD5

    910babe0c1d795ae4f11d18a5150e052

  • SHA1

    5683ba7e61af0a15c2bd3b53e641b48a9a90a680

  • SHA256

    23d257fc39de3d8f4cf971b71d4701e428cbe12ca0bb554cf88c1639c0bbf74c

  • SHA512

    31a97eb4222a9bcc491f5598bbdbca0fae78911ba4c2de3baee240f0c1e288e0c473576c6f297c3e8153e0d09706ddd3a4557136005e626c3f7261ca04d52127

  • SSDEEP

    12288:HZBs6eUwpkdFC7dStewcZWOcR9rXugaJJkPcpF:5+UwWFew2Dlk

Score
10/10
qakbotobama2141666019778bankerstealertrojan

Malware Config

Extracted

Family

qakbot

Version

403.973

Botnet

obama214

Campaign

1666019778

C2

105.96.221.136:443

37.37.80.2:3389

105.154.56.232:995

41.107.116.19:443

105.103.52.189:443

159.192.204.135:443

41.107.58.251:443

177.152.65.142:443

102.47.218.41:443

176.45.35.243:443

70.173.248.13:443

102.159.77.134:995

220.123.29.76:443

82.12.196.197:443

103.156.237.71:443

149.126.159.254:443

176.44.119.153:443

181.56.171.3:995

190.205.229.67:2222

151.251.50.117:443
Attributes
  • salt

    SoNuce]ugdiB3c[doMuce2s81*uXmcvP

Signatures

  • Qakbot/Qbot

    Qbot or Qakbot is a sophisticated worm with banking capabilities.

    trojanbankerstealerqakbot
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Windows\system32\regsvr32.exe
    regsvr32 /s C:\Users\Admin\AppData\Local\Temp\vertices\emitting.dll
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1284
    • C:\Windows\SysWOW64\regsvr32.exe
      /s C:\Users\Admin\AppData\Local\Temp\vertices\emitting.dll
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:1160
      • C:\Windows\SysWOW64\wermgr.exe
        C:\Windows\SysWOW64\wermgr.exe
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:1300

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1160-56-0x00000000762E1000-0x00000000762E3000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1160-57-0x00000000001F0000-0x0000000000219000-memory.dmp

    Filesize

    164KB

    Download

  • memory/1160-58-0x00000000001F0000-0x0000000000219000-memory.dmp

    Filesize

    164KB

    Download

  • memory/1160-59-0x00000000001C0000-0x0000000000240000-memory.dmp

    Filesize

    512KB

    Download

  • memory/1160-60-0x00000000001C0000-0x0000000000240000-memory.dmp

    Filesize

    512KB

    Download

  • memory/1160-61-0x00000000001C0000-0x0000000000240000-memory.dmp

    Filesize

    512KB

    Download

  • memory/1284-54-0x000007FEFC211000-0x000007FEFC213000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1300-64-0x0000000000080000-0x00000000000A9000-memory.dmp

    Filesize

    164KB

    Download

  • memory/1300-65-0x0000000000080000-0x00000000000A9000-memory.dmp

    Filesize

    164KB

    Download