Analysis
-
max time kernel
144s -
max time network
146s -
platform
windows10-1703_x64 -
resource
win10-20220812-en -
resource tags
arch:x64, arch:x86, image:win10-20220812-en, locale:en-us, os:windows10-1703-x64, system -
submitted
07/02/2023, 19:31
Static task
static1
Behavioral task
behavioral1
Sample
REJ_1766.iso
Resource
win10-20220812-en
Behavioral task
behavioral2
Sample
REJ.lnk
Resource
win10-20220901-en
Behavioral task
behavioral3
Sample
oslo/nicks.txt
Resource
win10-20220812-en
Behavioral task
behavioral4
Sample
oslo/they.cmd
Resource
win10-20220812-en
Behavioral task
behavioral5
Sample
oslo/train.png
Resource
win10-20220901-en
General
-
Target
oslo/trudge.dll
-
Size
1.6MB
-
MD5
a4af6ab7189ea34967c0fe94d87306f0
-
SHA1
d3598e025f311c716efb5be6b60a85704eaccd19
-
SHA256
476760304bb6b6192579b108ab2c885f53628818e26b90977404d628f5871722
-
SHA512
9abb8e4296e0b3bb664066b5f016d709badb29407e065290915e986cc2adf87d04e6ba9636d6a4f28acbca8f057661b0839aa5de8bc95181cdac6290ad21650d
-
SSDEEP
24576:12gUXd2F9pZ6gGxxuFZ9HpuKt5VIWZypPsHycDizFitRCFvgx1WZXJM5T//82:12gOYNWuFZ9JAEHNWFOWvgD+5M
Malware Config
Extracted
qakbot
403.973
obama213
1665998932
70.173.248.13:443
219.71.108.177:443
206.1.189.186:443
14.246.151.175:443
102.159.77.134:995
200.233.108.153:993
134.35.3.85:443
190.199.186.117:2222
200.155.61.245:995
103.156.237.71:443
176.44.119.153:443
181.56.171.3:995
151.251.50.117:443
163.182.177.80:443
104.202.220.123:443
41.101.92.195:443
190.193.180.228:443
190.204.112.207:2222
41.97.56.102:443
41.69.209.76:443
94.36.5.31:443
190.78.89.157:993
206.1.216.19:2087
85.242.200.96:443
41.251.219.50:443
105.111.141.73:443
41.103.64.82:443
154.246.158.189:443
190.39.218.17:443
84.220.13.28:443
190.100.149.122:995
197.1.19.60:443
196.64.70.216:443
41.107.10.21:443
197.205.161.20:443
102.47.218.41:443
196.89.213.40:995
181.168.145.94:443
187.101.200.186:995
41.105.245.174:443
179.25.144.177:995
78.179.135.247:443
94.52.127.44:443
186.18.210.16:443
207.204.120.40:443
102.158.215.180:443
190.74.4.20:443
188.49.164.208:443
190.26.159.133:995
78.183.238.79:443
197.1.50.150:443
42.189.32.186:80
167.58.235.5:443
14.54.83.15:443
187.198.8.241:443
71.239.12.136:443
112.70.141.221:443
37.245.136.135:2222
88.232.10.69:443
41.98.250.65:443
82.205.9.34:443
196.64.239.75:443
37.8.68.1:443
197.1.248.244:443
197.2.139.7:443
79.45.134.162:22
182.183.211.163:995
72.88.245.71:443
154.246.14.94:443
41.248.155.126:995
200.233.108.153:995
144.86.17.168:443
182.185.29.69:995
160.177.47.116:6881
181.197.41.173:443
160.248.194.147:443
85.109.221.97:443
101.109.135.60:995
1.20.185.138:443
91.171.72.214:32100
197.10.195.7:443
45.160.33.163:443
202.170.206.61:995
96.9.66.118:995
132.251.244.227:443
113.188.13.246:443
78.181.39.116:443
1.53.101.75:443
197.202.173.111:443
31.201.40.194:443
105.105.224.133:443
79.155.159.177:443
181.188.164.123:443
156.221.50.226:995
41.251.15.7:990
177.205.74.14:2222
45.240.140.233:995
102.188.91.158:995
189.243.187.76:443
179.105.182.216:995
-
salt
SoNuce]ugdiB3c[doMuce2s81*uXmcvP
Signatures
-
Program crash 1 IoCs
pid   pid_target  Process       procid_target
1888  4492        WerFault.exe  66
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid   Process
4492  rundll32.exe
4492  rundll32.exe
-
Suspicious use of WriteProcessMemory 3 IoCs
description                        pid   Process       procid_target
PID 4720 wrote to memory of 4492   4720  rundll32.exe  66
PID 4720 wrote to memory of 4492   4720  rundll32.exe  66
PID 4720 wrote to memory of 4492   4720  rundll32.exe  66
Processes
-
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\oslo\trudge.dll,#1
- Suspicious use of WriteProcessMemory
PID:4720
    C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\oslo\trudge.dll,#1
    - Suspicious behavior: EnumeratesProcesses
    PID:4492
        C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4492 -s 712
        - Program crash
        PID:1888