Overview

overview

10

Static

static

1

publish/eardrum.dll

windows7-x64

10

publish/eardrum.dll

windows10-2004-x64

10

publish/ov...ts.vbs

windows7-x64

3

publish/ov...ts.vbs

windows10-2004-x64

1

Analysis

  • max time kernel
    107s
  • max time network
    81s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09-02-2023 12:35

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    publish/eardrum.dll

  • Size

    472KB

  • MD5

    f24a452723c7e5d1f85eab7f5ec7ecd9

  • SHA1

    2596f834041095c888b45e61ca48df3d4ce3a99d

  • SHA256

    1abc2fb23f55378947bf528996b50ffed195a059d5f7b537271792704eb5cd4c

  • SHA512

    a366c9f17df14ac093ea41ec248476a02b70051efacfe4fd654ef5461200bff18dc653d852eb4e2ee8eb722bd3917055bcf85c923dd46e8c262107f71045d56f

  • SSDEEP

    6144:icJ88bsBZpZKeiJb1pPMkKvHrdTcf7CsHW8kYTRapUQsJT8Td++seeAOA0Y:VJDoBZjFibAOTCs28k2gN/rea0Y

Score
10/10
qakbotbb1664801691bankerstealertrojan

Malware Config

Extracted

Family

qakbot

Version

403.902

Botnet

BB

Campaign

1664801691

C2

160.179.220.87:995

186.86.212.138:443

180.180.213.94:995

186.125.93.28:443

31.167.72.198:443

78.162.213.155:443

46.10.105.160:443

41.105.54.8:443

41.108.175.56:443

188.156.85.37:443

94.52.127.44:443

79.168.151.143:443

189.79.27.174:995

179.178.249.16:443

23.225.104.250:443

134.35.11.71:443

197.204.126.136:443

197.205.168.243:443

58.186.75.42:443

41.96.18.5:443
Attributes
  • salt

    SoNuce]ugdiB3c[doMuce2s81*uXmcvP

Signatures

  • Qakbot/Qbot

    Qbot or Qakbot is a sophisticated worm with banking capabilities.

    trojanbankerstealerqakbot
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Windows\system32\regsvr32.exe
    regsvr32 /s C:\Users\Admin\AppData\Local\Temp\publish\eardrum.dll
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4044
    • C:\Windows\SysWOW64\regsvr32.exe
      /s C:\Users\Admin\AppData\Local\Temp\publish\eardrum.dll
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:1640
      • C:\Windows\SysWOW64\wermgr.exe
        C:\Windows\SysWOW64\wermgr.exe
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:3388

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1640-132-0x0000000000000000-mapping.dmp
    Download
  • memory/1640-133-0x0000000002750000-0x0000000002792000-memory.dmp
    Filesize

    264KB

    Download
  • memory/1640-134-0x00000000027A0000-0x00000000027C2000-memory.dmp
    Filesize

    136KB

    Download
  • memory/1640-137-0x00000000027A0000-0x00000000027C2000-memory.dmp
    Filesize

    136KB

    Download
  • memory/3388-135-0x0000000000000000-mapping.dmp
    Download
  • memory/3388-136-0x0000000000C30000-0x0000000000C52000-memory.dmp
    Filesize

    136KB

    Download
  • memory/3388-138-0x0000000000C30000-0x0000000000C52000-memory.dmp
    Filesize

    136KB

    Download