Analysis

  • max time kernel
    150s
  • max time network
    45s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64
    arch:x86
    image:win7-20220812-en
    locale:en-us
    os:windows7-x64
    system
  • submitted
    25/12/2022, 10:18

General

  • Target

    nequ_020B0000.bin.dll

  • Size

    2.1MB

  • MD5

    b12e01985b5daecc58d7cec5b37462ed

  • SHA1

    a8654d9b674a330db1f0c8881d678687ab53a0b7

  • SHA256

    012747575632a83c77d73b90450612446664d78c5a6a1af082c5da1485f6e9e1

  • SHA512

    069685718c6ba4737fd9fb97dc1c36aad80fa75cab171ee88b1cddb145107798a21f53812d1c3483eb6548a1b1ad64bbda5cdc6f08ce1aa46540146379b055f3

  • SSDEEP

    49152:SWZ5HwJW2sYVMxHqAHIferky/njn/r8CU36+eRNl:SWZ5HwJDdVCQerRjn/rZU3KR

Malware Config

Extracted

Family

qakbot

Version

404.62

Botnet

BB11

Campaign

1671561386

C2

184.68.116.146:3389

92.189.214.236:2222

73.29.92.128:443

92.239.81.124:443

47.203.227.114:443

199.83.165.233:443

12.172.173.82:995

12.172.173.82:50001

136.244.25.165:443

37.15.128.31:2222

91.96.249.3:443

92.27.86.48:2222

75.156.125.215:995

93.147.134.85:443

86.176.246.195:2222

89.129.109.27:2222

70.55.120.16:2222

50.67.17.92:443

78.92.133.215:443

190.100.149.122:995

Attributes
  • salt

    SoNuce]ugdiB3c[doMuce2s81*uXmcvP
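The salt above is the only piece of the encryption scheme the report exposes. Public analyses of Qakbot describe its configuration resources as RC4-encrypted with a key derived from SHA-1 of a per-build salt string, a 20-byte SHA-1 of the plaintext prefixed to the data for integrity, and the C2 list stored as 7-byte records (flag byte, IPv4 address, big-endian port). The following decoder is an added example, not code from the report or from the malware itself; the container layout is taken from those public write-ups and is an assumption here. The sample blob is constructed inside the script by packing a subset of the C2 entries listed above and encrypting them under the report's salt, so it runs offline and demonstrates the round trip.

```python
"""Decode a Qakbot-style RC4 config container and its packed C2 list.

Assumed layout (from public Qakbot write-ups, not confirmed by this report):
  RC4 key   = SHA-1(salt)
  plaintext = SHA-1(payload) || payload
  payload   = N records of: flag(1) | IPv4(4) | port(2, big-endian)
"""
import hashlib
import struct
from typing import List, Tuple

SALT = b"SoNuce]ugdiB3c[doMuce2s81*uXmcvP"  # salt string from the report


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); symmetric, so it both encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def derive_key(salt: bytes) -> bytes:
    """RC4 key = SHA-1(salt), as described in public Qakbot analyses."""
    return hashlib.sha1(salt).digest()


def decrypt_container(salt: bytes, blob: bytes) -> bytes:
    """RC4-decrypt and verify the leading SHA-1; a wrong salt fails the check."""
    plain = rc4(derive_key(salt), blob)
    digest, payload = plain[:20], plain[20:]
    if hashlib.sha1(payload).digest() != digest:
        raise ValueError("checksum mismatch: wrong salt or corrupted container")
    return payload


def parse_c2_records(payload: bytes) -> List[Tuple[str, int]]:
    """Unpack 7-byte records: flag(1) | IPv4(4) | port(2, big-endian)."""
    if len(payload) % 7:
        raise ValueError("payload is not a whole number of 7-byte records")
    entries = []
    for off in range(0, len(payload), 7):
        _flag, a, b, c, d, port = struct.unpack(">BBBBBH", payload[off:off + 7])
        entries.append((f"{a}.{b}.{c}.{d}", port))
    return entries


# Constructed sample input: a subset of the report's C2 list, packed and
# encrypted under SALT with the inverse of the two functions above.
REPORT_C2 = [
    ("184.68.116.146", 3389), ("92.189.214.236", 2222), ("73.29.92.128", 443),
    ("12.172.173.82", 995), ("12.172.173.82", 50001), ("190.100.149.122", 995),
]


def build_container(salt: bytes, entries, flag: int = 1) -> bytes:
    """Inverse of decrypt_container/parse_c2_records; used only to build test input."""
    payload = b"".join(
        struct.pack(">B4sH", flag, bytes(int(x) for x in ip.split(".")), port)
        for ip, port in entries)
    return rc4(derive_key(salt), hashlib.sha1(payload).digest() + payload)


SAMPLE_BLOB = build_container(SALT, REPORT_C2)


def decode(salt: bytes = SALT, blob: bytes = SAMPLE_BLOB) -> List[Tuple[str, int]]:
    """Full pipeline: derive key, decrypt, verify checksum, unpack C2 records."""
    return parse_c2_records(decrypt_container(salt, blob))


if __name__ == "__main__":
    for ip, port in decode():
        print(f"{ip}:{port}")
```

The checksum step is what makes salt-driven decryption self-validating: if the extracted salt is wrong or belongs to a different build, the SHA-1 prefix will not match and the decoder refuses to emit a garbage C2 list rather than silently producing random addresses.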

Signatures

  • Qakbot/Qbot

    Qakbot (Qbot) is a modular banking trojan and malware loader with worm-like spreading capabilities.

  • Loads dropped DLL 4 IoCs
  • Runs ping.exe 1 TTPs 10 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\nequ_020B0000.bin.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1048
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\nequ_020B0000.bin.dll,#1
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:540
      • C:\Windows\SysWOW64\rundll32.exe
        rundll32.exe "C:\Users\Admin\AppData\Roaming\jnsqclsfxra.dll",Updt
        3⤵
        • Loads dropped DLL
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of WriteProcessMemory
        PID:1736
        • C:\Windows\SysWOW64\wermgr.exe
          C:\Windows\SysWOW64\wermgr.exe
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:992
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /c C:\Users\Admin\AppData\Roaming\jnsqclsfxra.bat
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1768
        • C:\Windows\SysWOW64\PING.EXE
          ping -n 2 127.0.0.1
          4⤵
          • Runs ping.exe
          PID:648
        • C:\Windows\SysWOW64\PING.EXE
          ping -n 2 127.0.0.1
          4⤵
          • Runs ping.exe
          PID:784
        • C:\Windows\SysWOW64\PING.EXE
          ping -n 2 127.0.0.1
          4⤵
          • Runs ping.exe
          PID:688
        • C:\Windows\SysWOW64\PING.EXE
          ping -n 2 127.0.0.1
          4⤵
          • Runs ping.exe
          PID:432
        • C:\Windows\SysWOW64\PING.EXE
          ping -n 2 127.0.0.1
          4⤵
          • Runs ping.exe
          PID:316
        • C:\Windows\SysWOW64\PING.EXE
          ping -n 2 127.0.0.1
          4⤵
          • Runs ping.exe
          PID:804
        • C:\Windows\SysWOW64\PING.EXE
          ping -n 2 127.0.0.1
          4⤵
          • Runs ping.exe
          PID:1380
        • C:\Windows\SysWOW64\PING.EXE
          ping -n 2 127.0.0.1
          4⤵
          • Runs ping.exe
          PID:1740
        • C:\Windows\SysWOW64\PING.EXE
          ping -n 2 127.0.0.1
          4⤵
          • Runs ping.exe
          PID:1636
        • C:\Windows\SysWOW64\PING.EXE
          ping -n 2 127.0.0.1
          4⤵
          • Runs ping.exe
          PID:744
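The process tree above shows three behaviours worth turning into detection logic: rundll32.exe loading a DLL from a user-writable profile path (first the Temp sample, then the copy written to Roaming and invoked through its Updt export), rundll32.exe spawning wermgr.exe (a Windows Error Reporting binary that is normally started by the service host, not by a user-mode rundll32 instance, and which here carries the EnumeratesProcesses flag after the parent's WriteProcessMemory/MapViewOfSection activity), and cmd.exe running a batch file from Roaming whose children are ten identical localhost pings (repeated `ping -n 2 127.0.0.1` is a common batch idiom for a short delay; the .bat's contents are not shown on the page). The script below is an added example, not part of the report or of any sandbox product: its events are constructed from the tree on this page in a simplified Sysmon-style shape (pid, ppid, image, command line), with the parent of PID 1048 set to 0 because the report does not show it.

```python
"""Flag the rundll32 -> dropped DLL -> wermgr / cmd -> ping chain from process events.

Added example. Events are constructed from the report's process tree; the
checks are generic and would run the same way over real process-creation logs
mapped into ProcEvent.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed from the report's process tree (PIDs and paths as on the page).
EVENTS = [
    ProcEvent(1048, 0, r"C:\Windows\system32\rundll32.exe",  # parent not shown
              r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\nequ_020B0000.bin.dll,#1"),
    ProcEvent(540, 1048, r"C:\Windows\SysWOW64\rundll32.exe",
              r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\nequ_020B0000.bin.dll,#1"),
    ProcEvent(1736, 540, r"C:\Windows\SysWOW64\rundll32.exe",
              r'rundll32.exe "C:\Users\Admin\AppData\Roaming\jnsqclsfxra.dll",Updt'),
    ProcEvent(992, 1736, r"C:\Windows\SysWOW64\wermgr.exe",
              r"C:\Windows\SysWOW64\wermgr.exe"),
    ProcEvent(1768, 540, r"C:\Windows\SysWOW64\cmd.exe",
              r"cmd.exe /c C:\Users\Admin\AppData\Roaming\jnsqclsfxra.bat"),
] + [
    ProcEvent(pid, 1768, r"C:\Windows\SysWOW64\PING.EXE", "ping -n 2 127.0.0.1")
    for pid in (648, 784, 688, 432, 316, 804, 1380, 1740, 1636, 744)
]

# A path under any user's AppData tree (user-writable, no admin rights needed).
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\appdata\\", re.I)
# rundll32 <dll>,<export|#ordinal>, with or without quotes around the DLL path.
RUNDLL32_DLL = re.compile(r'rundll32(?:\.exe)?\s+"?([^",]+\.dll)"?\s*,\s*(\S+)', re.I)


def _image_is(e: ProcEvent, name: str) -> bool:
    return e.image.lower().endswith("\\" + name)


def rundll32_user_dll(events: List[ProcEvent]) -> List[Tuple[int, str, str]]:
    """rundll32 loading a DLL from a user profile path -> (pid, dll path, export)."""
    hits = []
    for e in events:
        if not _image_is(e, "rundll32.exe"):
            continue
        m = RUNDLL32_DLL.search(e.cmdline)
        if m and USER_WRITABLE.search(m.group(1)):
            hits.append((e.pid, m.group(1), m.group(2)))
    return hits


def rundll32_spawns_wermgr(events: List[ProcEvent]) -> List[int]:
    """wermgr.exe whose direct parent is rundll32.exe (the injection target above)."""
    by_pid: Dict[int, ProcEvent] = {e.pid: e for e in events}
    return [e.pid for e in events
            if _image_is(e, "wermgr.exe")
            and e.ppid in by_pid and _image_is(by_pid[e.ppid], "rundll32.exe")]


def profile_batch_ping_loop(events: List[ProcEvent], min_pings: int = 3) -> List[Tuple[int, int]]:
    """cmd.exe running a .bat from the profile with repeated localhost pings as children."""
    children: Dict[int, List[ProcEvent]] = {}
    for e in events:
        children.setdefault(e.ppid, []).append(e)
    hits = []
    for e in events:
        if not _image_is(e, "cmd.exe"):
            continue
        if not re.search(r"\.bat\b", e.cmdline, re.I) or not USER_WRITABLE.search(e.cmdline):
            continue
        pings = [c for c in children.get(e.pid, [])
                 if _image_is(c, "ping.exe") and "127.0.0.1" in c.cmdline]
        if len(pings) >= min_pings:
            hits.append((e.pid, len(pings)))
    return hits


if __name__ == "__main__":
    print("rundll32 + user-profile DLL:", rundll32_user_dll(EVENTS))
    print("rundll32 -> wermgr.exe:", rundll32_spawns_wermgr(EVENTS))
    print("profile .bat ping loop:", profile_batch_ping_loop(EVENTS))
```

The parent-child check is the one to keep tight in production: wermgr.exe does get launched legitimately, so the signal is the parent image, not wermgr itself. The rundll32 check deliberately matches both ordinal (`#1`) and named (`Updt`) exports, because the report shows the same family using each at different stages.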

Network

        Downloads

        • C:\Users\Admin\AppData\Roaming\jnsqclsfxra.bat

          Filesize

          152B

          MD5

          761133c5c6e784c5c0fd4aaa2a5ff098

          SHA1

          ca026ff9f9b72e474bb2b7c6d13482f70d633f85

          SHA256

          cb11cb8ab32947189ba764189506789bcb73cc3355f9f40f74944a1fe60f5477

          SHA512

          8a5461bafcda1e5bffe4b104c9c272c3d5ca3f198b1655abf9f55c48aa970a6ec5b7da815f6a7d941f98a512fca1b448a0948f40678e43fcce8198753cc2a609

        • C:\Users\Admin\AppData\Roaming\jnsqclsfxra.dll

          Filesize

          2.0MB

          MD5

          35dfa07872a3f66411c07c952c38e6a2

          SHA1

          4d73d0c3824cc3d2c4743c8df8d1f32ea32d7f90

          SHA256

          103c930565aea6c69e118a16d1618e1d34a816623efd549ed09161d00de4568a

          SHA512

          66ca19883bc3fb8d30845b66b910d16242eab856c98b7783c3cedd1dad9f08a0390686950814c39ed7dcb50012b4503c8026f13f723fdd2dd39c56054945860b

        • \Users\Admin\AppData\Roaming\jnsqclsfxra.dll

          Filesize

          2.0MB

          MD5

          35dfa07872a3f66411c07c952c38e6a2

          SHA1

          4d73d0c3824cc3d2c4743c8df8d1f32ea32d7f90

          SHA256

          103c930565aea6c69e118a16d1618e1d34a816623efd549ed09161d00de4568a

          SHA512

          66ca19883bc3fb8d30845b66b910d16242eab856c98b7783c3cedd1dad9f08a0390686950814c39ed7dcb50012b4503c8026f13f723fdd2dd39c56054945860b

        • memory/540-55-0x0000000076171000-0x0000000076173000-memory.dmp

          Filesize

          8KB

        • memory/992-80-0x0000000000080000-0x00000000000AA000-memory.dmp

          Filesize

          168KB

        • memory/992-81-0x0000000000080000-0x00000000000AA000-memory.dmp

          Filesize

          168KB

        • memory/1736-63-0x0000000000880000-0x00000000008F3000-memory.dmp

          Filesize

          460KB

        • memory/1736-64-0x00000000001F0000-0x000000000021A000-memory.dmp

          Filesize

          168KB

        • memory/1736-79-0x00000000001F0000-0x000000000021A000-memory.dmp

          Filesize

          168KB