Analysis

  • max time kernel
    321s
  • max time network
    327s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24-11-2022 19:28

General

  • Target

    verify.dll

  • Size

    374KB

  • MD5

    825aa87ffbc7e0e064088c051b5fbc14

  • SHA1

    eeee61f8e50b036ce6ad393444645c66395e719f

  • SHA256

    cc1b453ef566a77c6fb1739e8654789214870e97ee742044c9d0ce76032b283a

  • SHA512

    1c24da6d0c8a783b9982a12c276e090d8d9efe3188c593f847d2bdc2e047c0635770aa5dc6c904b0e03063b3b59746d7e44b28824bb056d7429baf8210ba7af2

  • SSDEEP

    6144:XKR66t98Uah1oq7PbQIIJSLiyCE0taaRIC6w/9IuFK+20m6WdMxgYURpi92H4X:w6E1YF7P01JSdCLjqa/9iNdMxgligH8

Malware Config

Extracted

Family

qakbot

Version

404.30

Botnet

obama223

Campaign

1668757345

C2

68.47.128.161:443

87.65.160.87:995

172.90.139.138:2222

86.175.128.143:443

12.172.173.82:465

71.247.10.63:2083

47.41.154.250:443

91.254.215.167:443

71.31.101.183:443

81.229.117.95:2222

24.4.239.157:443

41.99.177.175:443

92.149.205.238:2222

73.230.28.7:443

47.229.96.60:443

186.188.2.193:443

174.112.25.29:2078

84.35.26.14:995

86.130.9.167:2222

116.74.163.221:443

Attributes
salt
SoNuce]ugdiB3c[doMuce2s81*uXmcvP

Signatures

  • Qakbot/Qbot

    Qbot or Qakbot is a sophisticated worm with banking capabilities.

  • Suspicious behavior: EnumeratesProcesses ⋅ 64 IoCs
  • Suspicious behavior: MapViewOfSection ⋅ 1 IoCs
  • Suspicious use of WriteProcessMemory ⋅ 8 IoCs

Processes

  • C:\Windows\system32\regsvr32.exe
    regsvr32 /s C:\Users\Admin\AppData\Local\Temp\verify.dll
    Suspicious use of WriteProcessMemory
    PID:4940
    • C:\Windows\SysWOW64\regsvr32.exe
      /s C:\Users\Admin\AppData\Local\Temp\verify.dll
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of WriteProcessMemory
      PID:2208
      • C:\Windows\SysWOW64\wermgr.exe
        C:\Windows\SysWOW64\wermgr.exe
        Suspicious behavior: EnumeratesProcesses
        PID:4124

Network

MITRE ATT&CK Matrix

Collection

    Command and Control

      Credential Access

        Defense Evasion

          Discovery

            Execution

              Exfiltration

                Impact

                  Initial Access

                    Lateral Movement

                      Persistence

                        Privilege Escalation

                          Replay Monitor

                          00:00 00:00

                          Downloads

                          • memory/2208-132-0x0000000000000000-mapping.dmp
                          • memory/2208-133-0x00000000006E0000-0x000000000070E000-memory.dmp
                          • memory/2208-134-0x0000000000710000-0x000000000073A000-memory.dmp
                          • memory/2208-136-0x0000000000710000-0x000000000073A000-memory.dmp
                          • memory/4124-135-0x0000000000000000-mapping.dmp
                          • memory/4124-137-0x0000000000B80000-0x0000000000BAA000-memory.dmp
                          • memory/4124-138-0x0000000000B80000-0x0000000000BAA000-memory.dmp