Overview

overview

10

Static

static

DV_9431.iso

windows7-x64

3

DV_9431.iso

windows10-2004-x64

3

DV.lnk

windows7-x64

10

DV.lnk

windows10-2004-x64

10

selectable...ed.cmd

windows7-x64

1

selectable...ed.cmd

windows10-2004-x64

1

selectable...ic.dll

windows7-x64

10

selectable...ic.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    152s
  • max time network
    47s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    31/10/2022, 17:14

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    selectable/manometric.dll

  • Size

    421KB

  • MD5

    3d24e176ba2c968580092a4b98ff1145

  • SHA1

    5d6f63fbeae9ab2c625abfd34a01b15f882b8337

  • SHA256

    52e8a4d2509de652a27737602f2ba0775b2bc78ded2ee179caad136c38e27b23

  • SHA512

    dc33c64ceacf87d71acd4c43f067adc2f8db147832da0c35d3d74d545011a7662b5698e4f27b11703d827b366ecb945095252344b9732126912fb22016e0c494

  • SSDEEP

    6144:MkbHJhzU/Gr+acU2gqnEIzGOEBPepzn6WX1LB5QpK1K0we5itwWUT2AO7V:dheLacnx5dFBOpawe5iFF1V

Score
10/10
qakbotbb051667208499bankerstealertrojan

Malware Config

Extracted

Family

qakbot

Version

404.14

Botnet

BB05

Campaign

1667208499

C2

174.77.209.5:443

187.0.1.74:23795

24.206.27.39:443

1.156.220.169:30723

156.216.39.119:995

58.186.75.42:443

1.156.197.160:30467

187.1.1.190:4844

186.18.210.16:443

1.181.56.171:771

90.165.109.4:2222

187.0.1.186:39742

87.57.13.215:443

187.0.1.207:52344

227.26.3.227:1

98.207.190.55:443

187.0.1.197:7017

188.49.56.189:443

102.156.160.115:443

187.0.1.24:17751
Attributes
  • salt

    SoNuce]ugdiB3c[doMuce2s81*uXmcvP

Signatures

  • Qakbot/Qbot

    Qbot or Qakbot is a sophisticated worm with banking capabilities.

    trojanbankerstealerqakbot
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Windows\system32\regsvr32.exe
    regsvr32 /s C:\Users\Admin\AppData\Local\Temp\selectable\manometric.dll
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1692
    • C:\Windows\SysWOW64\regsvr32.exe
      /s C:\Users\Admin\AppData\Local\Temp\selectable\manometric.dll
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:1640
      • C:\Windows\SysWOW64\wermgr.exe
        C:\Windows\SysWOW64\wermgr.exe
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:2036

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1640-56-0x0000000075921000-0x0000000075923000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1640-57-0x0000000000250000-0x00000000002D0000-memory.dmp

    Filesize

    512KB

    Download

  • memory/1640-58-0x00000000001E0000-0x000000000020A000-memory.dmp

    Filesize

    168KB

    Download

  • memory/1640-61-0x00000000001E0000-0x000000000020A000-memory.dmp

    Filesize

    168KB

    Download

  • memory/1692-54-0x000007FEFC371000-0x000007FEFC373000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2036-62-0x0000000000080000-0x00000000000AA000-memory.dmp

    Filesize

    168KB

    Download

  • memory/2036-63-0x0000000000080000-0x00000000000AA000-memory.dmp

    Filesize

    168KB

    Download