Overview

overview

10

Static

static

SS.lnk

windows7-x64

3

SS.lnk

windows10-2004-x64

3

pressuriza...ng.cmd

windows7-x64

1

pressuriza...ng.cmd

windows10-2004-x64

1

pressuriza...ns.bat

windows7-x64

1

pressuriza...ns.bat

windows10-2004-x64

1

pressuriza...es.dll

windows7-x64

10

pressuriza...es.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    91s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
  • submitted
    04-11-2022 01:40

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    pressurization/utterances.dll

  • Size

    755KB

  • MD5

    6dd98a3f69a713586942d5500ff901f6

  • SHA1

    ee073bdd8e3ece7fe01057babf7df37c377e9deb

  • SHA256

    df8a71a12186d85f1fae3f778c780f4c6a3ee9f9671ba323597c23a59819baf9

  • SHA512

    d33f7936042b11c243057c33f5fe693cb21560f2ee20e03c9460d581915c076c84803da2dd2b9b76c7743329ba0f601a88081fa3d7deacb4d7d3060c8f4fd509

  • SSDEEP

    12288:FN53TigGAAaYOjrtguXsmPKtbKgvAAfRcJtjm/1k+Yuqd7pJeG5mCuq6vU6Pm:FHDiTF6jT5GKg3J8MdYum7p8NCuPvU6e

Score
10/10
qakbotbb051667470599bankerstealertrojan

Malware Config

Extracted

Family

qakbot

Version

404.20

Botnet

BB05

Campaign

1667470599

C2

181.118.183.103:443

92.239.81.124:443

174.58.146.57:443

73.223.248.31:443

86.129.13.178:2222

47.34.30.133:443

89.216.114.179:443

41.44.11.227:995

66.180.227.170:2222

46.229.194.17:443

190.74.248.136:443

88.122.208.197:32100

78.161.38.242:443

89.115.196.99:443

174.0.224.214:443

175.205.2.54:443

136.232.184.134:995

213.194.234.75:995

105.154.112.77:443

174.104.184.149:443
Attributes
  • salt

    SoNuce]ugdiB3c[doMuce2s81*uXmcvP

Signatures

  • Qakbot/Qbot

    Qbot or Qakbot is a sophisticated worm with banking capabilities.

    trojanbankerstealerqakbot
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\pressurization\utterances.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3884
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\pressurization\utterances.dll,#1
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:2692
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2692 -s 700
        3⤵
        • Program crash
        PID:3424
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2692 -ip 2692
    1⤵
      PID:3980

    Network

    MITRE ATT&CK Matrix

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/2692-132-0x0000000000000000-mapping.dmp

      Download

    • memory/2692-133-0x00000000032F0000-0x000000000331A000-memory.dmp

      Filesize

      168KB

      Download

    • memory/2692-134-0x0000000003290000-0x00000000032BD000-memory.dmp

      Filesize

      180KB

      Download

    • memory/2692-135-0x00000000032F0000-0x000000000331A000-memory.dmp

      Filesize

      168KB

      Download