Analysis

  • max time kernel
    150s
  • max time network
    52s
  • platform
    windows7_x64
  • resource
    win7-20220901-en
  • resource tags
    arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
  • submitted
    25/12/2022, 03:26

General

  • Target
    36398a8aa94465823750bf32568fa77ff9ffbc15b07ad6460d6d913b1b5bae78.dll
  • Size
    2.0MB
  • MD5
    f76b8f1ba89287fb64595504e7770939
  • SHA1
    87125c6dbc8631a4cbf788f009785cd237996bd8
  • SHA256
    36398a8aa94465823750bf32568fa77ff9ffbc15b07ad6460d6d913b1b5bae78
  • SHA512
    e2405502eae2a97e67751cc5de09144d5c4fd538186260d85d172defe496dd3743675775b34aea33efd54dc4787e57921dfce9c9e55ff5432f144cf59566143c
  • SSDEEP
    49152:jDG9pmVnnyKKdmwLxSMKmc2qgI9Mprlcuhz6:vVVnnP8XLQL2q1YSu

Malware Config

Extracted

  • Family
    qakbot
  • Version
    404.62
  • Botnet
    BB11
  • Campaign
    1671561386

C2
Attributes

  • salt
    SoNuce]ugdiB3c[doMuce2s81*uXmcvP

Signatures

  • Qakbot/Qbot

    Qbot or Qakbot is a sophisticated worm with banking capabilities.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\36398a8aa94465823750bf32568fa77ff9ffbc15b07ad6460d6d913b1b5bae78.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1544
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\36398a8aa94465823750bf32568fa77ff9ffbc15b07ad6460d6d913b1b5bae78.dll,#1
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:1584
      • C:\Windows\SysWOW64\wermgr.exe
        C:\Windows\SysWOW64\wermgr.exe
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:1472

Network

MITRE ATT&CK Matrix

Downloads

  • memory/1472-61-0x00000000000D0000-0x00000000000FA000-memory.dmp
    Filesize: 168KB
  • memory/1472-62-0x00000000000D0000-0x00000000000FA000-memory.dmp
    Filesize: 168KB
  • memory/1584-55-0x0000000075681000-0x0000000075683000-memory.dmp
    Filesize: 8KB
  • memory/1584-56-0x0000000000370000-0x00000000003E3000-memory.dmp
    Filesize: 460KB
  • memory/1584-57-0x00000000003F0000-0x000000000041A000-memory.dmp
    Filesize: 168KB
  • memory/1584-60-0x00000000003F0000-0x000000000041A000-memory.dmp
    Filesize: 168KB