Analysis

  • max time kernel
    149s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    25/12/2022, 03:26

General

  • Target

    36398a8aa94465823750bf32568fa77ff9ffbc15b07ad6460d6d913b1b5bae78.dll

  • Size

    2.0MB

  • MD5

    f76b8f1ba89287fb64595504e7770939

  • SHA1

    87125c6dbc8631a4cbf788f009785cd237996bd8

  • SHA256

    36398a8aa94465823750bf32568fa77ff9ffbc15b07ad6460d6d913b1b5bae78

  • SHA512

    e2405502eae2a97e67751cc5de09144d5c4fd538186260d85d172defe496dd3743675775b34aea33efd54dc4787e57921dfce9c9e55ff5432f144cf59566143c

  • SSDEEP

    49152:jDG9pmVnnyKKdmwLxSMKmc2qgI9Mprlcuhz6:vVVnnP8XLQL2q1YSu

Malware Config

Extracted

Family

qakbot

Version

404.62

Botnet

BB11

Campaign

1671561386

C2

Attributes
  • salt

    SoNuce]ugdiB3c[doMuce2s81*uXmcvP

Signatures

  • Qakbot/Qbot

    Qbot or Qakbot is a sophisticated worm with banking capabilities.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\36398a8aa94465823750bf32568fa77ff9ffbc15b07ad6460d6d913b1b5bae78.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:812
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\36398a8aa94465823750bf32568fa77ff9ffbc15b07ad6460d6d913b1b5bae78.dll,#1
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:544
      • C:\Windows\SysWOW64\wermgr.exe
        C:\Windows\SysWOW64\wermgr.exe
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:3068

Network

Downloads

  • memory/544-133-0x0000000002C20000-0x0000000002C93000-memory.dmp
    Filesize: 460KB
  • memory/544-134-0x0000000002CD0000-0x0000000002CFA000-memory.dmp
    Filesize: 168KB
  • memory/544-137-0x0000000002CD0000-0x0000000002CFA000-memory.dmp
    Filesize: 168KB
  • memory/3068-136-0x00000000003B0000-0x00000000003DA000-memory.dmp
    Filesize: 168KB
  • memory/3068-138-0x00000000003B0000-0x00000000003DA000-memory.dmp
    Filesize: 168KB