Overview

overview

10

Static

static

KL.lnk

windows7-x64

10

KL.lnk

windows10-2004-x64

10

gatekeeper...ds.cmd

windows7-x64

1

gatekeeper...ds.cmd

windows10-2004-x64

1

gatekeeper...ly.cmd

windows7-x64

1

gatekeeper...ly.cmd

windows10-2004-x64

1

gatekeeper...ed.dll

windows7-x64

10

gatekeeper...ed.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    159s
  • max time network
    46s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    01/11/2022, 10:30

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    gatekeepers/wintered.dll

  • Size

    471KB

  • MD5

    f2820153a9d1408f462e66409be99590

  • SHA1

    8342712cbe3c55c5a4890ea72c2b0521894125e1

  • SHA256

    a7a1d2368811451f8d266d79a2726d3984b40b5dd753012de3098454e4b3f25c

  • SHA512

    8751d83517af32fb2f042ae1462b59965d95d9bf597ad3f4eda264f2995124a18841773175d60eb0174bd6798a9a300fe5a66a9ce4ce9e77c3147e407298c784

  • SSDEEP

    6144:rFdsFJ6i5gi6QFklGtnWf+ajAjM1ShS5p+ppsJv3DTIjF0HHGh/O98CbS3Om5djF:3KZklGtnyfgHCvQFyHM3Om51EtJkiI

Score
10/10
qakbotbb051667208499bankerstealertrojan

Malware Config

Extracted

Family

qakbot

Version

404.14

Botnet

BB05

Campaign

1667208499

C2

174.77.209.5:443

187.0.1.74:23795

24.206.27.39:443

1.156.220.169:30723

156.216.39.119:995

58.186.75.42:443

1.156.197.160:30467

187.1.1.190:4844

186.18.210.16:443

1.181.56.171:771

90.165.109.4:2222

187.0.1.186:39742

87.57.13.215:443

187.0.1.207:52344

227.26.3.227:1

98.207.190.55:443

187.0.1.197:7017

188.49.56.189:443

102.156.160.115:443

187.0.1.24:17751
Attributes
  • salt

    SoNuce]ugdiB3c[doMuce2s81*uXmcvP

Signatures

  • Qakbot/Qbot

    Qbot or Qakbot is a sophisticated worm with banking capabilities.

    trojanbankerstealerqakbot
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Windows\system32\regsvr32.exe
    regsvr32 /s C:\Users\Admin\AppData\Local\Temp\gatekeepers\wintered.dll
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1012
    • C:\Windows\SysWOW64\regsvr32.exe
      /s C:\Users\Admin\AppData\Local\Temp\gatekeepers\wintered.dll
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:1144
      • C:\Windows\SysWOW64\wermgr.exe
        C:\Windows\SysWOW64\wermgr.exe
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:1556

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1012-54-0x000007FEFC1F1000-0x000007FEFC1F3000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1144-56-0x00000000763F1000-0x00000000763F3000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1144-57-0x0000000000330000-0x00000000003B0000-memory.dmp

    Filesize

    512KB

    Download

  • memory/1144-58-0x0000000000240000-0x000000000026A000-memory.dmp

    Filesize

    168KB

    Download

  • memory/1144-59-0x0000000000330000-0x00000000003B0000-memory.dmp

    Filesize

    512KB

    Download

  • memory/1144-62-0x0000000000240000-0x000000000026A000-memory.dmp

    Filesize

    168KB

    Download

  • memory/1556-63-0x0000000000080000-0x00000000000AA000-memory.dmp

    Filesize

    168KB

    Download

  • memory/1556-64-0x0000000000080000-0x00000000000AA000-memory.dmp

    Filesize

    168KB

    Download