Overview

overview

10

Static

static

Contract.lnk

windows7-x64

3

Contract.lnk

windows10-2004-x64

3

consorter/glows.cmd

windows7-x64

1

consorter/glows.cmd

windows10-2004-x64

1

consorter/...es.dll

windows7-x64

10

consorter/...es.dll

windows10-2004-x64

10

consorter/...al.cmd

windows7-x64

1

consorter/...al.cmd

windows10-2004-x64

1

Analysis

  • max time kernel
    159s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    02-11-2022 16:34

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    consorter/serpentines.dll

  • Size

    354KB

  • MD5

    31d5ec699c144cac9a5008ee1d37b23e

  • SHA1

    66e1cfad3ec5e18b09b8713db25436fa2d9c1c62

  • SHA256

    b80777311d92848248416e98bd1fef3be924ff4a7856aa68263a396c52486db5

  • SHA512

    4faf3ee9c4da2a3528139f7a150cf27fd780f7b437f0899256534f2a35d0c057b079859e669b7cc1018eb665688d6f72c3222d5399407933fc2a400b571b38ad

  • SSDEEP

    6144:9NsacLpop/C9lIbtBMHkqmO+pefWoAw6hjSy/AACs98K/f+ZuDXKK8bTcTCaUlag:bs/tMrbQHt+ps4w6RcA3/2oXmbTdaU4g

Score
10/10
qakbotobama2201667373670bankerstealertrojan

Malware Config

Extracted

Family

qakbot

Version

404.14

Botnet

obama220

Campaign

1667373670

C2

174.0.224.214:443

1.70.60.142:54792

74.33.84.227:443

1.175.205.2:13825

187.1.1.45:12681

190.24.45.24:995

1.50.68.204:18177

193.3.19.137:443

1.41.44.11:58115

73.165.119.20:443

58.247.115.126:995

1.84.35.26:3587

216.82.134.218:443

1.181.164.194:58369

187.1.1.74:23795

71.199.168.185:443

1.94.49.5:29697

187.0.1.108:11471

186.73.140.43:443

1.97.119.214:59649
Attributes
  • salt

    SoNuce]ugdiB3c[doMuce2s81*uXmcvP

Signatures

  • Qakbot/Qbot

    Qbot or Qakbot is a sophisticated worm with banking capabilities.

    trojanbankerstealerqakbot
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Windows\system32\regsvr32.exe
    regsvr32 /s C:\Users\Admin\AppData\Local\Temp\consorter\serpentines.dll
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3684
    • C:\Windows\SysWOW64\regsvr32.exe
      /s C:\Users\Admin\AppData\Local\Temp\consorter\serpentines.dll
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:2096
      • C:\Windows\SysWOW64\wermgr.exe
        C:\Windows\SysWOW64\wermgr.exe
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:2216

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/2096-132-0x0000000000000000-mapping.dmp
    Download
  • memory/2096-133-0x0000000001430000-0x000000000145C000-memory.dmp
    Filesize

    176KB

    Download
  • memory/2096-134-0x0000000001460000-0x000000000148A000-memory.dmp
    Filesize

    168KB

    Download
  • memory/2096-136-0x0000000001460000-0x000000000148A000-memory.dmp
    Filesize

    168KB

    Download
  • memory/2216-135-0x0000000000000000-mapping.dmp
    Download
  • memory/2216-137-0x0000000000320000-0x000000000034A000-memory.dmp
    Filesize

    168KB

    Download
  • memory/2216-138-0x0000000000320000-0x000000000034A000-memory.dmp
    Filesize

    168KB

    Download