Overview

overview

10

Static

static

DV_7727.iso

windows7-x64

3

DV_7727.iso

windows10-2004-x64

3

DV.lnk

windows7-x64

10

DV.lnk

windows10-2004-x64

10

selectable/jagged.cmd

windows7-x64

1

selectable/jagged.cmd

windows10-2004-x64

1

selectable...ng.dll

windows7-x64

10

selectable...ng.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    186s
  • max time network
    185s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    31/10/2022, 17:09

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    selectable/outstaying.dll

  • Size

    421KB

  • MD5

    4f65cf53d8d47db9b7af0b66ec131052

  • SHA1

    92fe338c650338d91546eff91ec5b272a9ac2565

  • SHA256

    68497fe4d9c25c38e9419c4d617a62fedbbe272ef2623c6d61d6794fb047338a

  • SHA512

    27e1cfa5e97a13c13c35f817c3163847150f1aadb256708017e6f2b9b5d1bb65368795665a44e6433004974a13420a272ed758341a9ed367c0b7070e6db6d041

  • SSDEEP

    6144:MkbHJhzU/Gr+acU2gqnEIzGOEBPepzn6WX1LB5QpK1K0we5itwWUTDAO7V:dheLacnx5dFBOpawe5iFw1V

Score
10/10
qakbotbb051667208499bankerstealertrojan

Malware Config

Extracted

Family

qakbot

Version

404.14

Botnet

BB05

Campaign

1667208499

C2

174.77.209.5:443

187.0.1.74:23795

24.206.27.39:443

1.156.220.169:30723

156.216.39.119:995

58.186.75.42:443

1.156.197.160:30467

187.1.1.190:4844

186.18.210.16:443

1.181.56.171:771

90.165.109.4:2222

187.0.1.186:39742

87.57.13.215:443

187.0.1.207:52344

227.26.3.227:1

98.207.190.55:443

187.0.1.197:7017

188.49.56.189:443

102.156.160.115:443

187.0.1.24:17751
Attributes
  • salt

    SoNuce]ugdiB3c[doMuce2s81*uXmcvP

Signatures

  • Qakbot/Qbot

    Qbot or Qakbot is a sophisticated worm with banking capabilities.

    trojanbankerstealerqakbot
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Windows\system32\regsvr32.exe
    regsvr32 /s C:\Users\Admin\AppData\Local\Temp\selectable\outstaying.dll
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3060
    • C:\Windows\SysWOW64\regsvr32.exe
      /s C:\Users\Admin\AppData\Local\Temp\selectable\outstaying.dll
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:4188
      • C:\Windows\SysWOW64\wermgr.exe
        C:\Windows\SysWOW64\wermgr.exe
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:4156

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/4156-137-0x0000000001050000-0x000000000107A000-memory.dmp

    Filesize

    168KB

    Download

  • memory/4156-138-0x0000000001050000-0x000000000107A000-memory.dmp

    Filesize

    168KB

    Download

  • memory/4188-133-0x0000000002DE0000-0x0000000002E52000-memory.dmp

    Filesize

    456KB

    Download

  • memory/4188-134-0x0000000002FB0000-0x0000000002FDA000-memory.dmp

    Filesize

    168KB

    Download

  • memory/4188-136-0x0000000002FB0000-0x0000000002FDA000-memory.dmp

    Filesize

    168KB

    Download