Overview

overview

10

Static

static

KL.lnk

windows7-x64

10

KL.lnk

windows10-2004-x64

10

recoloring...me.dll

windows7-x64

10

recoloring...me.dll

windows10-2004-x64

10

recoloring/purrs.cmd

windows7-x64

1

recoloring/purrs.cmd

windows10-2004-x64

1

recoloring...ed.cmd

windows7-x64

1

recoloring...ed.cmd

windows10-2004-x64

1

Analysis

  • max time kernel
    149s
  • max time network
    132s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
  • submitted
    02-11-2022 08:47

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    recoloring/dolesome.dll

  • Size

    483KB

  • MD5

    aa613d31dc7d0fb141d17b0c8ffd38b3

  • SHA1

    1d1bd4cc6ba9082a00b30a9ed3e010aa2d0d6c0d

  • SHA256

    de39a0517470d1958cb53fa62bf239be2d9125f35282ad625d3a6865ba13d831

  • SHA512

    ef2f97448f56ba913b78516f96bdef6b0c56876ba4bfbc1822963c26a4dc2fd84c970ecafd932f52397c0dfd8f95fb5411674eb66bc073c29edddf97f43f62c6

  • SSDEEP

    12288:mIQG2dEYsv2gJEXE1DMv9/rsGPDp7Odk4:9s0pMVtPD1Q

Score
10/10
qakbotbb051667208499bankerstealertrojan

Malware Config

Extracted

Family

qakbot

Version

404.14

Botnet

BB05

Campaign

1667208499

C2

174.77.209.5:443

187.0.1.74:23795

24.206.27.39:443

1.156.220.169:30723

156.216.39.119:995

58.186.75.42:443

1.156.197.160:30467

187.1.1.190:4844

186.18.210.16:443

1.181.56.171:771

90.165.109.4:2222

187.0.1.186:39742

87.57.13.215:443

187.0.1.207:52344

227.26.3.227:1

98.207.190.55:443

187.0.1.197:7017

188.49.56.189:443

102.156.160.115:443

187.0.1.24:17751
Attributes
  • salt

    SoNuce]ugdiB3c[doMuce2s81*uXmcvP

Signatures

  • Qakbot/Qbot

    Qbot or Qakbot is a sophisticated worm with banking capabilities.

    trojanbankerstealerqakbot
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Windows\system32\regsvr32.exe
    regsvr32 /s C:\Users\Admin\AppData\Local\Temp\recoloring\dolesome.dll
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:848
    • C:\Windows\SysWOW64\regsvr32.exe
      /s C:\Users\Admin\AppData\Local\Temp\recoloring\dolesome.dll
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:4724
      • C:\Windows\SysWOW64\wermgr.exe
        C:\Windows\SysWOW64\wermgr.exe
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:1240

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1240-135-0x0000000000000000-mapping.dmp

    Download

  • memory/1240-137-0x0000000000130000-0x000000000015A000-memory.dmp

    Filesize

    168KB

    Download

  • memory/1240-138-0x0000000000130000-0x000000000015A000-memory.dmp

    Filesize

    168KB

    Download

  • memory/4724-132-0x0000000000000000-mapping.dmp

    Download

  • memory/4724-133-0x0000000002EE0000-0x0000000002F52000-memory.dmp

    Filesize

    456KB

    Download

  • memory/4724-134-0x00000000013B0000-0x00000000013DA000-memory.dmp

    Filesize

    168KB

    Download

  • memory/4724-136-0x00000000013B0000-0x00000000013DA000-memory.dmp

    Filesize

    168KB

    Download