Analysis
max time kernel: 150s
max time network: 49s
platform: windows7_x64
resource: win7-20220901-en
resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
submitted: 07/01/2023, 13:26
Static task: static1
Behavioral task: behavioral1
  Sample: packed_qbot.dll
  Resource: win7-20220901-en
General
Target: packed_qbot.dll
Size: 1.4MB
MD5: d586a82d0083540a98b3285f95c1d94e
SHA1: 40f1462b7a5394b59fb595bf5b44a94862f54f63
SHA256: 2c6697caf6ced04d06b0926d982c210a8cd300449b1b2423427a337486813316
SHA512: 88683d5d5e854af9a50b7ca09a78b1b8a4c9cb36fb4f7854dee2d4de5fc0fe533e3f2fd5096ac1d1fdea1198877c47ea590287046337aa2dfea7fb07c61add1e
SSDEEP: 24576:873YrrLEaF0tTHMjuX5PmnKUz3NL3BAYJWDJnh+idFsv3YgPmHFWcD:8n
Malware Config
Extracted
qakbot
403.549
obama174
1649228671
salt: jHxastDcds)oMc=jvh7wdUhxcsdt2
Signatures
Suspicious behavior: EnumeratesProcesses (56 IoCs)
  pid   Process
  1416  regsvr32.exe
  1276  explorer.exe  (remaining 55 entries, all identical)
Suspicious behavior: MapViewOfSection (1 IoC)
  pid   Process
  1416  regsvr32.exe
Suspicious use of WriteProcessMemory (13 IoCs)
  description                       pid   Process       procid_target
  PID 1496 wrote to memory of 1416  1496  regsvr32.exe  27  (7 identical entries)
  PID 1416 wrote to memory of 1276  1416  regsvr32.exe  28  (6 identical entries)
Processes
1. C:\Windows\system32\regsvr32.exe
   Command line: regsvr32 /s C:\Users\Admin\AppData\Local\Temp\packed_qbot.dll
   PID: 1496
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\regsvr32.exe (child of 1)
      Command line: /s C:\Users\Admin\AppData\Local\Temp\packed_qbot.dll
      PID: 1416
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\explorer.exe (child of 2)
         Command line: C:\Windows\SysWOW64\explorer.exe
         PID: 1276
         - Suspicious behavior: EnumeratesProcesses