Analysis

  • max time kernel
    151s
  • max time network
    127s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    25/12/2022, 10:18

General

  • Target

    nequ_020B0000.bin.dll

  • Size

    2.1MB

  • MD5

    b12e01985b5daecc58d7cec5b37462ed

  • SHA1

    a8654d9b674a330db1f0c8881d678687ab53a0b7

  • SHA256

    012747575632a83c77d73b90450612446664d78c5a6a1af082c5da1485f6e9e1

  • SHA512

    069685718c6ba4737fd9fb97dc1c36aad80fa75cab171ee88b1cddb145107798a21f53812d1c3483eb6548a1b1ad64bbda5cdc6f08ce1aa46540146379b055f3

  • SSDEEP

    49152:SWZ5HwJW2sYVMxHqAHIferky/njn/r8CU36+eRNl:SWZ5HwJDdVCQerRjn/rZU3KR

Malware Config

Extracted

  • Family
    qakbot
  • Version
    404.62
  • Botnet
    BB11
  • Campaign
    1671561386
  • C2
    184.68.116.146:3389
    92.189.214.236:2222
    73.29.92.128:443
    92.239.81.124:443
    47.203.227.114:443
    199.83.165.233:443
    12.172.173.82:995
    12.172.173.82:50001
    136.244.25.165:443
    37.15.128.31:2222
    91.96.249.3:443
    92.27.86.48:2222
    75.156.125.215:995
    93.147.134.85:443
    86.176.246.195:2222
    89.129.109.27:2222
    70.55.120.16:2222
    50.67.17.92:443
    78.92.133.215:443
    190.100.149.122:995
  • Attributes
    salt: SoNuce]ugdiB3c[doMuce2s81*uXmcvP
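A hunt over connection logs built from the config above, added here as an example and not part of the sandbox report. It parses the C2 list exactly as extracted, renders the Campaign value as a date (Qakbot's campaign IDs are Unix timestamps), counts endpoints per port (the list mixes 443 with 3389, 2222, 995 and 50001, so an egress policy that only watches 443 misses most of it), and matches constructed firewall-style lines against the set. Because 12.172.173.82 appears on two ports, a weaker ip-only match is reported separately from the exact ip+port match. The log lines and the `src -> dst:port` format are constructed for the example.

```python
"""Hunt for the extracted Qakbot C2 set in connection logs (added example)."""
from datetime import datetime, timezone
import ipaddress

# C2 endpoints copied verbatim from the extracted config above.
C2_RAW = """
184.68.116.146:3389
92.189.214.236:2222
73.29.92.128:443
92.239.81.124:443
47.203.227.114:443
199.83.165.233:443
12.172.173.82:995
12.172.173.82:50001
136.244.25.165:443
37.15.128.31:2222
91.96.249.3:443
92.27.86.48:2222
75.156.125.215:995
93.147.134.85:443
86.176.246.195:2222
89.129.109.27:2222
70.55.120.16:2222
50.67.17.92:443
78.92.133.215:443
190.100.149.122:995
"""

CAMPAIGN = 1671561386  # "Campaign" field from the extracted config


def parse_c2(raw: str) -> set[tuple[str, int]]:
    """Parse 'ip:port' lines into a set of (ip, port); rejects malformed IPs."""
    out = set()
    for token in raw.split():
        host, _, port = token.rpartition(":")
        ipaddress.ip_address(host)  # raises ValueError on a garbled line
        out.add((host, int(port)))
    return out


def campaign_to_utc(epoch: int) -> str:
    """Qakbot campaign IDs are Unix timestamps; render as UTC for timeline work."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")


def c2_ports(c2: set[tuple[str, int]]) -> dict[int, int]:
    """Endpoints per destination port, for reviewing egress filtering."""
    counts: dict[int, int] = {}
    for _, port in c2:
        counts[port] = counts.get(port, 0) + 1
    return counts


def hunt(log_lines: list[str], c2: set[tuple[str, int]]) -> list[dict]:
    """Match constructed 'ts src -> dst:port' lines against the C2 set.

    An exact (ip, port) hit is strong; an ip-only hit is reported too, since
    the same C2 host shows up on more than one port in this config.
    """
    ips = {ip for ip, _ in c2}
    hits = []
    for line in log_lines:
        ts, src, _, dst = line.split()
        dip, _, dport = dst.rpartition(":")
        if (dip, int(dport)) in c2:
            hits.append({"ts": ts, "src": src, "dst": dst, "match": "ip+port"})
        elif dip in ips:
            hits.append({"ts": ts, "src": src, "dst": dst, "match": "ip-only"})
    return hits


# Constructed sample log lines (not from the report).
SAMPLE_LOG = [
    "2022-12-25T10:19:02Z 10.0.0.15 -> 93.184.216.34:443",
    "2022-12-25T10:19:05Z 10.0.0.15 -> 184.68.116.146:3389",
    "2022-12-25T10:19:09Z 10.0.0.15 -> 12.172.173.82:50001",
    "2022-12-25T10:19:12Z 10.0.0.22 -> 12.172.173.82:8080",
    "2022-12-25T10:19:15Z 10.0.0.15 -> 92.189.214.236:2222",
]

if __name__ == "__main__":
    c2 = parse_c2(C2_RAW)
    print("campaign", CAMPAIGN, "=", campaign_to_utc(CAMPAIGN))
    print("endpoints per port:", c2_ports(c2))
    for hit in hunt(SAMPLE_LOG, c2):
        print(hit)
```

The ip-only match deserves its own triage queue rather than a block rule: an IP on a residential range may be reassigned, but a host from this list contacted on an unexpected port is still worth a look.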

Signatures

  • Qakbot/Qbot
    Qakbot (also Qbot) is a modular banking trojan and loader with worm-like spreading capabilities.
  • Loads dropped DLL (1 IoC)
  • Runs ping.exe (1 TTP, 10 IoCs)
  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious behavior: MapViewOfSection (1 IoC)
  • Suspicious use of WriteProcessMemory (44 IoCs)

Processes

  • C:\Windows\system32\rundll32.exe (PID 4888)
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\nequ_020B0000.bin.dll,#1
    • Suspicious use of WriteProcessMemory
    • C:\Windows\SysWOW64\rundll32.exe (PID 4844)
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\nequ_020B0000.bin.dll,#1
      • Suspicious use of WriteProcessMemory
      • C:\Windows\SysWOW64\rundll32.exe (PID 4836)
        rundll32.exe "C:\Users\Admin\AppData\Roaming\nnvuaunqzezko.dll",Updt
        • Loads dropped DLL
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of WriteProcessMemory
        • C:\Windows\SysWOW64\wermgr.exe (PID 4688)
          C:\Windows\SysWOW64\wermgr.exe
          • Suspicious behavior: EnumeratesProcesses
      • C:\Windows\SysWOW64\cmd.exe (PID 2284)
        cmd.exe /c C:\Users\Admin\AppData\Roaming\nnvuaunqzezko.bat
        • Suspicious use of WriteProcessMemory
        • C:\Windows\SysWOW64\PING.EXE (10 instances: PIDs 4268, 4720, 2448, 400, 3080, 2224, 3616, 3496, 4536, 1628)
          ping -n 2 127.0.0.1
          • Runs ping.exe
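Detection logic for the chain in the process tree above, added here as an example and not part of the sandbox report. The event records are constructed to mirror the tree (same images, command lines and PIDs); the `pid`/`ppid`/`image`/`cmdline` field names are an assumption modelled on Sysmon process-creation events. Three rules follow from what the tree shows: rundll32 invoking a DLL under %AppData%\Roaming by a named export (`Updt`, as opposed to the `#1` ordinal used for the original sample), wermgr.exe being spawned by rundll32 rather than by the Windows Error Reporting service, and a cmd.exe running a .bat from %AppData%\Roaming that spawns a burst of `ping 127.0.0.1` processes, the usual batch-file sleep loop. The .bat contents are not on this page, so the third rule keys only on the observed children.

```python
"""Rules for the rundll32 -> dropped DLL -> wermgr.exe / cmd.exe -> ping chain (added example)."""
from collections import Counter
import ntpath
import re

APPDATA_ROAMING = r"c:\users\admin\appdata\roaming"  # lower-cased prefix for path checks

# Constructed process-creation events mirroring the report's tree (field names assumed).
EVENTS = [
    {"pid": 4888, "ppid": 1000, "image": r"C:\Windows\system32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\nequ_020B0000.bin.dll,#1"},
    {"pid": 4844, "ppid": 4888, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\nequ_020B0000.bin.dll,#1"},
    {"pid": 4836, "ppid": 4844, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": r'rundll32.exe "C:\Users\Admin\AppData\Roaming\nnvuaunqzezko.dll",Updt'},
    {"pid": 4688, "ppid": 4836, "image": r"C:\Windows\SysWOW64\wermgr.exe",
     "cmdline": r"C:\Windows\SysWOW64\wermgr.exe"},
    {"pid": 2284, "ppid": 4844, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r"cmd.exe /c C:\Users\Admin\AppData\Roaming\nnvuaunqzezko.bat"},
] + [
    {"pid": pid, "ppid": 2284, "image": r"C:\Windows\SysWOW64\PING.EXE",
     "cmdline": "ping -n 2 127.0.0.1"}
    for pid in (4268, 4720, 2448, 400, 3080, 2224, 3616, 3496, 4536, 1628)
]


def basename(path: str) -> str:
    """Case-folded file name of a Windows path (works on non-Windows hosts too)."""
    return ntpath.basename(path).lower()


def rundll32_target(cmdline: str):
    """Split 'rundll32.exe <dll>,<export>' into (dll, export); None if not rundll32.

    Handles both the quoted form used for the dropped DLL and the bare form.
    """
    parts = cmdline.split(maxsplit=1)
    if len(parts) < 2 or basename(parts[0]) != "rundll32.exe":
        return None
    arg = parts[1].strip()
    if arg.startswith('"'):
        end = arg.index('"', 1)
        dll, rest = arg[1:end], arg[end + 1:]
    else:
        m = re.match(r"[^,\s]+", arg)  # unquoted path ends at the first comma/space
        dll, rest = m.group(0), arg[m.end():]
    rest = rest.lstrip(",").strip()
    export = rest.split()[0] if rest else ""
    return dll, export


def detect(events: list[dict]) -> list[tuple[int, str, str]]:
    """Return (pid, rule, detail) alerts for the three behaviours in the tree."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        tgt = rundll32_target(e["cmdline"])
        # Rule 1: rundll32 loads a DLL from %AppData%\Roaming via a named (non-ordinal) export.
        if tgt and tgt[0].lower().startswith(APPDATA_ROAMING) and tgt[1] and not tgt[1].startswith("#"):
            alerts.append((e["pid"], "rundll32_appdata_named_export", f"{tgt[0]},{tgt[1]}"))
        # Rule 2: wermgr.exe started by rundll32; WER normally launches it from svchost/WerFault.
        parent = by_pid.get(e["ppid"])
        if basename(e["image"]) == "wermgr.exe" and parent and basename(parent["image"]) == "rundll32.exe":
            alerts.append((e["pid"], "wermgr_spawned_by_rundll32", f"parent pid {parent['pid']}"))
    # Rule 3: a cmd.exe running a .bat from %AppData%\Roaming that spawns many loopback pings.
    ping_parents = Counter(
        e["ppid"] for e in events
        if basename(e["image"]) == "ping.exe" and "127.0.0.1" in e["cmdline"]
    )
    for ppid, n in ping_parents.items():
        p = by_pid.get(ppid)
        if (n >= 5 and p and basename(p["image"]) == "cmd.exe"
                and ".bat" in p["cmdline"].lower() and APPDATA_ROAMING in p["cmdline"].lower()):
            alerts.append((ppid, "appdata_bat_ping_sleep_loop", f"{n} loopback pings"))
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

Rule 2 is the one to keep even when the DLL path or export name changes between builds: wermgr.exe has no business being a child of rundll32.exe, and the report's memory dumps for PID 4688 (the 168KB region) are where the injected payload would be carved from.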

Network

        MITRE ATT&CK Enterprise v6


        Downloads

        • C:\Users\Admin\AppData\Roaming\nnvuaunqzezko.bat

          Filesize

          152B

          MD5

          761133c5c6e784c5c0fd4aaa2a5ff098

          SHA1

          ca026ff9f9b72e474bb2b7c6d13482f70d633f85

          SHA256

          cb11cb8ab32947189ba764189506789bcb73cc3355f9f40f74944a1fe60f5477

          SHA512

          8a5461bafcda1e5bffe4b104c9c272c3d5ca3f198b1655abf9f55c48aa970a6ec5b7da815f6a7d941f98a512fca1b448a0948f40678e43fcce8198753cc2a609

        • C:\Users\Admin\AppData\Roaming\nnvuaunqzezko.dll

          Filesize

          2.0MB

          MD5

          be8307c97004a2cebabfade41c6bcdba

          SHA1

          adf76bafee3a191169217a039b1bbae08786acb0

          SHA256

          2a009bea32f5c812417d8c9d91bd06f0b10e877356a82930a87dbdfb3f4a705e

          SHA512

          f96cef3c2f6b64f381392443e14aafedec43285e7d0c335f28b88fdd7b9a5e13311a113a024dcfcf4ccc0b2f9a58bac01a22137d3077b684ab6643a4289d8609

        • memory/4688-152-0x0000000000790000-0x00000000007BA000-memory.dmp

          Filesize

          168KB

        • memory/4688-140-0x0000000000790000-0x00000000007BA000-memory.dmp

          Filesize

          168KB

        • memory/4836-136-0x00000000023B0000-0x0000000002423000-memory.dmp

          Filesize

          460KB

        • memory/4836-137-0x0000000002560000-0x000000000258A000-memory.dmp

          Filesize

          168KB

        • memory/4836-139-0x0000000002560000-0x000000000258A000-memory.dmp

          Filesize

          168KB