Overview

overview

10

Static

static

Contract.lnk

windows7-x64

10

Contract.lnk

windows10-2004-x64

10

liveried/sufferer.dll

windows7-x64

10

liveried/sufferer.dll

windows10-2004-x64

10

liveried/waddling.cmd

windows7-x64

1

liveried/waddling.cmd

windows10-2004-x64

1

Analysis

  • max time kernel
    149s
  • max time network
    107s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    20-10-2022 22:15

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    liveried/sufferer.dll

  • Size

    635KB

  • MD5

    93abfce1ae568066c23b308f58e1c42c

  • SHA1

    89d62453e3c9672171107246828667195852213a

  • SHA256

    72a39e72f4034223b2f51411424333bbf88f9e60cdb91494281eefa006416928

  • SHA512

    e7906b73155c861697a6aaf121b4238f574b6c4535614a0fc0e6c90e9513988733e4748988c013bbf9440d49a2c6eaf246df7bb0df19d21204f99ae7f448d424

  • SSDEEP

    12288:Z5zUU6VCu0L4yCLtaNExGapWYKv38dy9XRHPh3M4B90U6Zt:fQhVCPnCoApOv3q2hxM4BKZ

Score
10/10
qakbotbb041666265103bankerstealertrojan

Malware Config

Extracted

Family

qakbot

Version

403.1051

Botnet

BB04

Campaign

1666265103

C2

102.156.82.38:995

152.170.17.136:443

216.131.22.236:995

70.173.248.13:443

14.246.151.175:443

160.179.32.101:995

118.175.242.26:995

186.188.80.202:443

41.69.181.145:443

156.220.14.160:993

201.68.209.47:32101

206.1.172.1:443

156.217.185.90:995

190.74.4.20:443

217.78.49.161:443

154.181.199.80:995

200.233.108.153:993

175.205.2.54:443

198.2.51.242:993

181.164.194.228:443
Attributes
  • salt

    SoNuce]ugdiB3c[doMuce2s81*uXmcvP

Signatures

  • Qakbot/Qbot

    Qbot or Qakbot is a sophisticated worm with banking capabilities.

    trojanbankerstealerqakbot
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\liveried\sufferer.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4744
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\liveried\sufferer.dll,#1
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:1456
      • C:\Windows\SysWOW64\wermgr.exe
        C:\Windows\SysWOW64\wermgr.exe
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:2360
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 1456 -s 700
        3⤵
        • Program crash
        PID:1872
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 1456 -ip 1456
    1⤵
      PID:1172

    Network

    MITRE ATT&CK Matrix

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/1456-133-0x0000000003370000-0x0000000003399000-memory.dmp

      Filesize

      164KB

      Download

    • memory/1456-134-0x0000000003310000-0x0000000003339000-memory.dmp

      Filesize

      164KB

      Download

    • memory/1456-135-0x0000000003370000-0x0000000003399000-memory.dmp

      Filesize

      164KB

      Download

    • memory/1456-138-0x0000000003370000-0x0000000003399000-memory.dmp

      Filesize

      164KB

      Download

    • memory/2360-137-0x0000000000800000-0x0000000000829000-memory.dmp

      Filesize

      164KB

      Download

    • memory/2360-139-0x0000000000800000-0x0000000000829000-memory.dmp

      Filesize

      164KB

      Download