Analysis

  • max time kernel
    151s
  • max time network
    142s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64 arch:x86 image:win10v2004-20220812-en locale:en-us os:windows10-2004-x64 system
  • submitted
    20/10/2022, 13:45 UTC

General

  • Target

    carcasses/relocated.dll

  • Size

    561KB

  • MD5

    eb56bb9ae6f65fd905aed6a2eb6bf55d

  • SHA1

    1185bc1a7f9fbe3838725f1d771865ef9fe076c9

  • SHA256

    613fc48aa936c10c9e75ff6746e0405c1cdab68566d84cc46bb68e1bcb986aa0

  • SHA512

    7ed825b1afdc822bd0aea1faa971144d12b8ccda756d4b326c59aac09247b5008846fad4c64a4d46d3633548874c346feb6a01968056a8ec6f79bd9678cbf2f4

  • SSDEEP

    6144:ypIe6W8uc0KxlK9gpC1d88LKXLAOkuL9P5Qt6frqLwYzbn4NKToC2HD9qFmq:yptV8uc0KS9gpC1GI4v9PmgfKP1KJq

Malware Config

Extracted

Family

qakbot

Version

403.973

Botnet

BB03

Campaign

1666073717

C2


Attributes
  • salt

    SoNuce]ugdiB3c[doMuce2s81*uXmcvP

Signatures

  • Qakbot/Qbot

    Qbot or Qakbot is a sophisticated worm with banking capabilities.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Windows\system32\regsvr32.exe
    regsvr32 /s C:\Users\Admin\AppData\Local\Temp\carcasses\relocated.dll
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2604
    • C:\Windows\SysWOW64\regsvr32.exe
      /s C:\Users\Admin\AppData\Local\Temp\carcasses\relocated.dll
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:1880
      • C:\Windows\SysWOW64\wermgr.exe
        C:\Windows\SysWOW64\wermgr.exe
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:116

Network

  • DNS
    226.101.242.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    226.101.242.52.in-addr.arpa
    IN PTR
    Response
  • 93.184.221.240:80
    260 B
    5
  • 93.184.221.240:80
    260 B
    5
  • 40.79.141.153:443
    322 B
    7
  • 93.184.220.29:80
    322 B
    7
  • 40.126.31.73:443
    260 B
    5
  • 93.184.221.240:80
    322 B
    7
  • 8.8.8.8:53
    226.101.242.52.in-addr.arpa
    dns
    73 B
    147 B
    1
    1

    DNS Request

    226.101.242.52.in-addr.arpa

MITRE ATT&CK Matrix

Downloads

  • memory/116-141-0x0000000000510000-0x0000000000539000-memory.dmp

    Filesize

    164KB

  • memory/116-142-0x0000000000510000-0x0000000000539000-memory.dmp

    Filesize

    164KB

  • memory/1880-133-0x00000000750B0000-0x0000000075140000-memory.dmp

    Filesize

    576KB

  • memory/1880-134-0x00000000750B0000-0x0000000075140000-memory.dmp

    Filesize

    576KB

  • memory/1880-135-0x0000000002BC0000-0x0000000002C31000-memory.dmp

    Filesize

    452KB

  • memory/1880-136-0x0000000001450000-0x0000000001479000-memory.dmp

    Filesize

    164KB

  • memory/1880-138-0x00000000750B0000-0x0000000075140000-memory.dmp

    Filesize

    576KB

  • memory/1880-139-0x0000000001450000-0x0000000001479000-memory.dmp

    Filesize

    164KB

  • memory/1880-140-0x0000000002BC0000-0x0000000002C31000-memory.dmp

    Filesize

    452KB
