Overview

overview

10

Static

static

KL.lnk

windows7-x64

10

KL.lnk

windows10-2004-x64

10

tights/gua...ng.cmd

windows7-x64

1

tights/gua...ng.cmd

windows10-2004-x64

1

tights/mandible.dll

windows7-x64

10

tights/mandible.dll

windows10-2004-x64

10

tights/surgeries.cmd

windows7-x64

1

tights/surgeries.cmd

windows10-2004-x64

1

Analysis

  • max time kernel
    150s
  • max time network
    45s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    01/11/2022, 14:34

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    tights/mandible.dll

  • Size

    421KB

  • MD5

    2720f95a07be909773be386c354f489f

  • SHA1

    ee1336d4c58feda3922ab671180d327eb045df8b

  • SHA256

    f27c6f661babb56dc6643c1cc2f947e8e138a0a578b90ebcc71ba2300f48f0f3

  • SHA512

    d3a49bc6025aa598306ff020259cf2059ec327dc306f646d3f440be6c16abbc674b048224f5cc93435abd909446b954da5147263a81df02a10cfdec147404b9a

  • SSDEEP

    12288:Pkpde329VEdv++607q6YP4uo7N9wIegv8JowUShUPw:Pudy29ChzEooQ0Uw

Score
10/10
qakbotbb051667294768bankerstealertrojan

Malware Config

Extracted

Family

qakbot

Version

404.20

Botnet

BB05

Campaign

1667294768

C2

136.232.184.134:995

1.65.20.175:53249

187.0.1.154:63263

50.68.204.71:995

74.92.243.113:50000

1.149.126.159:57345

187.0.1.182:17093

123.3.240.16:995

76.68.34.167:2222

172.219.147.156:3389

94.49.5.116:443

187.0.1.181:14507

206.1.223.234:2087

187.0.1.186:18828

131.23.1.187:1

23.233.254.195:443

76.125.91.160:443

187.0.1.90:42349

70.51.139.148:2222

187.0.1.76:47526
Attributes
  • salt

    SoNuce]ugdiB3c[doMuce2s81*uXmcvP

Signatures

  • Qakbot/Qbot

    Qbot or Qakbot is a sophisticated worm with banking capabilities.

    trojanbankerstealerqakbot
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Windows\system32\regsvr32.exe
    regsvr32 /s C:\Users\Admin\AppData\Local\Temp\tights\mandible.dll
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:864
    • C:\Windows\SysWOW64\regsvr32.exe
      /s C:\Users\Admin\AppData\Local\Temp\tights\mandible.dll
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:1884
      • C:\Windows\SysWOW64\wermgr.exe
        C:\Windows\SysWOW64\wermgr.exe
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:1252

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/864-54-0x000007FEFBD01000-0x000007FEFBD03000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1252-64-0x0000000000080000-0x00000000000AA000-memory.dmp

    Filesize

    168KB

    Download

  • memory/1252-65-0x0000000000080000-0x00000000000AA000-memory.dmp

    Filesize

    168KB

    Download

  • memory/1884-56-0x0000000076321000-0x0000000076323000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1884-57-0x0000000000370000-0x000000000039A000-memory.dmp

    Filesize

    168KB

    Download

  • memory/1884-58-0x0000000000370000-0x000000000039A000-memory.dmp

    Filesize

    168KB

    Download

  • memory/1884-59-0x0000000000200000-0x000000000022C000-memory.dmp

    Filesize

    176KB

    Download

  • memory/1884-60-0x0000000000370000-0x00000000003F0000-memory.dmp

    Filesize

    512KB

    Download

  • memory/1884-63-0x0000000000370000-0x000000000039A000-memory.dmp

    Filesize

    168KB

    Download