Overview

overview

10

Static

static

KL.lnk

windows7-x64

10

KL.lnk

windows10-2004-x64

10

recoloring...me.dll

windows7-x64

10

recoloring...me.dll

windows10-2004-x64

10

recoloring/purrs.cmd

windows7-x64

1

recoloring/purrs.cmd

windows10-2004-x64

1

recoloring...ed.cmd

windows7-x64

1

recoloring...ed.cmd

windows10-2004-x64

1

Analysis

  • max time kernel
    150s
  • max time network
    48s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    02/11/2022, 08:47

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    recoloring/dolesome.dll

  • Size

    483KB

  • MD5

    aa613d31dc7d0fb141d17b0c8ffd38b3

  • SHA1

    1d1bd4cc6ba9082a00b30a9ed3e010aa2d0d6c0d

  • SHA256

    de39a0517470d1958cb53fa62bf239be2d9125f35282ad625d3a6865ba13d831

  • SHA512

    ef2f97448f56ba913b78516f96bdef6b0c56876ba4bfbc1822963c26a4dc2fd84c970ecafd932f52397c0dfd8f95fb5411674eb66bc073c29edddf97f43f62c6

  • SSDEEP

    12288:mIQG2dEYsv2gJEXE1DMv9/rsGPDp7Odk4:9s0pMVtPD1Q

Score
10/10
qakbotbb051667208499bankerstealertrojan

Malware Config

Extracted

Family

qakbot

Version

404.14

Botnet

BB05

Campaign

1667208499

C2

174.77.209.5:443

187.0.1.74:23795

24.206.27.39:443

1.156.220.169:30723

156.216.39.119:995

58.186.75.42:443

1.156.197.160:30467

187.1.1.190:4844

186.18.210.16:443

1.181.56.171:771

90.165.109.4:2222

187.0.1.186:39742

87.57.13.215:443

187.0.1.207:52344

227.26.3.227:1

98.207.190.55:443

187.0.1.197:7017

188.49.56.189:443

102.156.160.115:443

187.0.1.24:17751
Attributes
  • salt

    SoNuce]ugdiB3c[doMuce2s81*uXmcvP

Signatures

  • Qakbot/Qbot

    Qbot or Qakbot is a sophisticated worm with banking capabilities.

    trojanbankerstealerqakbot
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Windows\system32\regsvr32.exe
    regsvr32 /s C:\Users\Admin\AppData\Local\Temp\recoloring\dolesome.dll
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:536
    • C:\Windows\SysWOW64\regsvr32.exe
      /s C:\Users\Admin\AppData\Local\Temp\recoloring\dolesome.dll
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:876
      • C:\Windows\SysWOW64\wermgr.exe
        C:\Windows\SysWOW64\wermgr.exe
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:552

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/536-54-0x000007FEFBC61000-0x000007FEFBC63000-memory.dmp

    Filesize

    8KB

    Download

  • memory/552-62-0x0000000000080000-0x00000000000AA000-memory.dmp

    Filesize

    168KB

    Download

  • memory/552-63-0x0000000000080000-0x00000000000AA000-memory.dmp

    Filesize

    168KB

    Download

  • memory/876-56-0x0000000075B11000-0x0000000075B13000-memory.dmp

    Filesize

    8KB

    Download

  • memory/876-57-0x00000000003D0000-0x0000000000450000-memory.dmp

    Filesize

    512KB

    Download

  • memory/876-58-0x0000000000450000-0x000000000047A000-memory.dmp

    Filesize

    168KB

    Download

  • memory/876-61-0x0000000000450000-0x000000000047A000-memory.dmp

    Filesize

    168KB

    Download