Overview

overview

10

Static

static

Originals.lnk

windows7-x64

8

Originals.lnk

windows10-2004-x64

10

carcasses/muddler.cmd

windows7-x64

1

carcasses/muddler.cmd

windows10-2004-x64

1

carcasses/...ed.dll

windows7-x64

1

carcasses/...ed.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    151s
  • max time network
    142s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    20-10-2022 13:45

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    carcasses/relocated.dll

  • Size

    561KB

  • MD5

    eb56bb9ae6f65fd905aed6a2eb6bf55d

  • SHA1

    1185bc1a7f9fbe3838725f1d771865ef9fe076c9

  • SHA256

    613fc48aa936c10c9e75ff6746e0405c1cdab68566d84cc46bb68e1bcb986aa0

  • SHA512

    7ed825b1afdc822bd0aea1faa971144d12b8ccda756d4b326c59aac09247b5008846fad4c64a4d46d3633548874c346feb6a01968056a8ec6f79bd9678cbf2f4

  • SSDEEP

    6144:ypIe6W8uc0KxlK9gpC1d88LKXLAOkuL9P5Qt6frqLwYzbn4NKToC2HD9qFmq:yptV8uc0KS9gpC1GI4v9PmgfKP1KJq

Score
10/10
qakbotbb031666073717bankerstealertrojan

Malware Config

Extracted

Family

qakbot

Version

403.973

Botnet

BB03

Campaign

1666073717

C2

190.199.99.171:993

41.69.192.245:443

167.58.254.85:443

206.1.172.1:443

5.163.177.234:443

134.35.0.103:443

105.96.221.136:443

41.101.100.7:443

186.177.93.18:2222

78.179.135.247:443

177.205.74.14:2222

102.47.218.41:443

102.156.149.226:443

41.250.48.206:443

41.107.58.251:443

187.198.16.39:443

193.201.187.64:443

41.102.134.89:443

102.159.77.134:995

105.159.49.123:995
Attributes
  • salt

    SoNuce]ugdiB3c[doMuce2s81*uXmcvP

Signatures

  • Qakbot/Qbot

    Qbot or Qakbot is a sophisticated worm with banking capabilities.

    trojanbankerstealerqakbot
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Windows\system32\regsvr32.exe
    regsvr32 /s C:\Users\Admin\AppData\Local\Temp\carcasses\relocated.dll
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2604
    • C:\Windows\SysWOW64\regsvr32.exe
      /s C:\Users\Admin\AppData\Local\Temp\carcasses\relocated.dll
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:1880
      • C:\Windows\SysWOW64\wermgr.exe
        C:\Windows\SysWOW64\wermgr.exe
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:116

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/116-141-0x0000000000510000-0x0000000000539000-memory.dmp

    Filesize

    164KB

    Download

  • memory/116-142-0x0000000000510000-0x0000000000539000-memory.dmp

    Filesize

    164KB

    Download

  • memory/1880-133-0x00000000750B0000-0x0000000075140000-memory.dmp

    Filesize

    576KB

    Download

  • memory/1880-134-0x00000000750B0000-0x0000000075140000-memory.dmp

    Filesize

    576KB

    Download

  • memory/1880-135-0x0000000002BC0000-0x0000000002C31000-memory.dmp

    Filesize

    452KB

    Download

  • memory/1880-136-0x0000000001450000-0x0000000001479000-memory.dmp

    Filesize

    164KB

    Download

  • memory/1880-138-0x00000000750B0000-0x0000000075140000-memory.dmp

    Filesize

    576KB

    Download

  • memory/1880-139-0x0000000001450000-0x0000000001479000-memory.dmp

    Filesize

    164KB

    Download

  • memory/1880-140-0x0000000002BC0000-0x0000000002C31000-memory.dmp

    Filesize

    452KB

    Download