Analysis

  • max time kernel
    177s
  • max time network
    166s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    23-11-2022 08:57

General

  • Target

    clowns.zip

  • Size

    521KB

  • MD5

    d5b6b80e0f49eb42a3795233bbcc4116

  • SHA1

    f256f9628270b9148849ce1b4ccf0ae8222fe2d3

  • SHA256

    0c2d4e014e92d46b8f5db3aea01886c6d8daabace0b27bef50676d785080621c

  • SHA512

    4c4075d8367b4469cc3988fe5a437ed79fe72322427a12e5e83168def47fc83412b31fc06bcb59e24819b55a10631cad5116ccbe8141120541fad037b9a23dd9

  • SSDEEP

    12288:WCqTVMB6Wf4FgM6dyXMz9/38ATaZDk7rqVc1W277a0mZPa:TeVjYM6sXG8ATalTio0a0mE

Malware Config

Extracted

Family

qakbot

Version

404.31

Botnet

BB07

Campaign

1669135035

C2

Attributes
  • salt

    SoNuce]ugdiB3c[doMuce2s81*uXmcvP

Signatures

  • Qakbot/Qbot

    Qbot or Qakbot is a sophisticated worm with banking capabilities.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Windows\Explorer.exe
    C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\clowns.zip
    1⤵
      PID:4688
    • C:\Windows\System32\rundll32.exe
      C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
      1⤵
        PID:2180
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Documents\clowns\run.bat" "
        1⤵
        • Suspicious use of WriteProcessMemory
        PID:4064
        • C:\Windows\system32\rundll32.exe
          rundll32 cocking.temp,DrawThemeIcon
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:3648
          • C:\Windows\SysWOW64\rundll32.exe
            rundll32 cocking.temp,DrawThemeIcon
            3⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: MapViewOfSection
            • Suspicious use of WriteProcessMemory
            PID:1952
            • C:\Windows\SysWOW64\wermgr.exe
              C:\Windows\SysWOW64\wermgr.exe
              4⤵
              • Suspicious behavior: EnumeratesProcesses
              PID:1500

Downloads

  • memory/1500-136-0x0000000000000000-mapping.dmp
  • memory/1500-138-0x0000000001030000-0x000000000105A000-memory.dmp (Filesize: 168KB)
  • memory/1500-139-0x0000000001030000-0x000000000105A000-memory.dmp (Filesize: 168KB)
  • memory/1952-133-0x0000000000000000-mapping.dmp
  • memory/1952-134-0x00000000032B0000-0x0000000003323000-memory.dmp (Filesize: 460KB)
  • memory/1952-135-0x0000000003360000-0x000000000338A000-memory.dmp (Filesize: 168KB)
  • memory/1952-137-0x0000000003360000-0x000000000338A000-memory.dmp (Filesize: 168KB)
  • memory/3648-132-0x0000000000000000-mapping.dmp