Overview

overview

10

Static

static

KL.lnk

windows7-x64

10

KL.lnk

windows10-2004-x64

10

tights/gua...ng.cmd

windows7-x64

1

tights/gua...ng.cmd

windows10-2004-x64

1

tights/mandible.dll

windows7-x64

10

tights/mandible.dll

windows10-2004-x64

10

tights/surgeries.cmd

windows7-x64

1

tights/surgeries.cmd

windows10-2004-x64

1

Analysis

  • max time kernel
    150s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    01-11-2022 14:34

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    tights/mandible.dll

  • Size

    421KB

  • MD5

    2720f95a07be909773be386c354f489f

  • SHA1

    ee1336d4c58feda3922ab671180d327eb045df8b

  • SHA256

    f27c6f661babb56dc6643c1cc2f947e8e138a0a578b90ebcc71ba2300f48f0f3

  • SHA512

    d3a49bc6025aa598306ff020259cf2059ec327dc306f646d3f440be6c16abbc674b048224f5cc93435abd909446b954da5147263a81df02a10cfdec147404b9a

  • SSDEEP

    12288:Pkpde329VEdv++607q6YP4uo7N9wIegv8JowUShUPw:Pudy29ChzEooQ0Uw

Score
10/10
qakbotbb051667294768bankerstealertrojan

Malware Config

Extracted

Family

qakbot

Version

404.20

Botnet

BB05

Campaign

1667294768

C2

136.232.184.134:995

1.65.20.175:53249

187.0.1.154:63263

50.68.204.71:995

74.92.243.113:50000

1.149.126.159:57345

187.0.1.182:17093

123.3.240.16:995

76.68.34.167:2222

172.219.147.156:3389

94.49.5.116:443

187.0.1.181:14507

206.1.223.234:2087

187.0.1.186:18828

131.23.1.187:1

23.233.254.195:443

76.125.91.160:443

187.0.1.90:42349

70.51.139.148:2222

187.0.1.76:47526
Attributes
  • salt

    SoNuce]ugdiB3c[doMuce2s81*uXmcvP

Signatures

  • Qakbot/Qbot

    Qbot or Qakbot is a sophisticated worm with banking capabilities.

    trojanbankerstealerqakbot
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Windows\system32\regsvr32.exe
    regsvr32 /s C:\Users\Admin\AppData\Local\Temp\tights\mandible.dll
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1176
    • C:\Windows\SysWOW64\regsvr32.exe
      /s C:\Users\Admin\AppData\Local\Temp\tights\mandible.dll
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:1312
      • C:\Windows\SysWOW64\wermgr.exe
        C:\Windows\SysWOW64\wermgr.exe
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:3600

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1312-132-0x0000000000000000-mapping.dmp

    Download

  • memory/1312-133-0x0000000000840000-0x000000000086C000-memory.dmp

    Filesize

    176KB

    Download

  • memory/1312-134-0x0000000000870000-0x000000000089A000-memory.dmp

    Filesize

    168KB

    Download

  • memory/1312-136-0x0000000000870000-0x000000000089A000-memory.dmp

    Filesize

    168KB

    Download

  • memory/3600-135-0x0000000000000000-mapping.dmp

    Download

  • memory/3600-137-0x00000000006F0000-0x000000000071A000-memory.dmp

    Filesize

    168KB

    Download

  • memory/3600-138-0x00000000006F0000-0x000000000071A000-memory.dmp

    Filesize

    168KB

    Download