Overview

overview

10

Static

static

1

n4B82OsK.dll

windows7-x64

10

n4B82OsK.dll

windows10-2004-x64

3

Resubmissions

14-02-2023 14:22

230214-rpvyzaea55 10

14-02-2023 14:18

230214-rmqlgadd6s 3

Analysis

  • max time kernel
    600s
  • max time network
    601s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
  • submitted
    14-02-2023 14:22

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    n4B82OsK.dll

  • Size

    434KB

  • MD5

    2349a28eb53ad73503e3396e1c8c723c

  • SHA1

    aed38e62e119b6fdc7aecb5ddb726f35ccd07468

  • SHA256

    b122fcf8be633245b36f8cc864bc115b0f9aaa06486e16dd620333c88cfbf1b3

  • SHA512

    670b9a15f907413b92d11193b74f829d2d6782e239d9ef2e1aadf8ccbc290fdeace9ae57e7d2997d44d6a309a093419c2dd1bfc071bc3c74f2316dbadb83422c

  • SSDEEP

    12288:rJZ701RXT1BaB4Irm8VGf9hyI8K9HGgnA:VZ701RXT1wB4Irz0f9hND

Score
10/10
qakbotazd1676370608bankerstealertrojan

Malware Config

Extracted

Family

qakbot

Version

404.506

Botnet

azd

Campaign

1676370608

C2

85.59.61.52:2222

216.228.41.244:2222

174.58.146.57:443

103.42.86.110:995

147.219.4.194:443

89.32.157.195:995

76.80.180.154:995

79.67.165.149:995

71.31.101.183:443

198.2.51.242:993

88.111.182.118:2222

72.203.216.98:2222

72.80.7.6:995

12.172.173.82:32101

50.68.204.71:995

209.142.97.83:995

82.121.195.187:2222

81.229.117.95:2222

171.96.205.252:443

37.14.229.220:2222
Attributes
  • salt

    SoNuce]ugdiB3c[doMuce2s81*uXmcvP

Signatures

  • Qakbot/Qbot

    Qbot or Qakbot is a sophisticated worm with banking capabilities.

    trojanbankerstealerqakbot
  • Program crash 2 IoCs
  • Discovers systems in the same network 1 TTPs 1 IoCs
    discovery
  • Gathers network information 2 TTPs 2 IoCs

    Uses commandline utility to view network configuration.

  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 27 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\n4B82OsK.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2032
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\n4B82OsK.dll,#1
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1416
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 1416 -s 224
        3⤵
        • Program crash
        PID:1988
  • C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1120
    • \??\c:\Windows\System32\rundll32.exe
      rundll32.exe c:\Users\Admin\AppData\Local\Temp\n4B82OsK.dll,Wind
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:904
      • C:\Windows\SysWOW64\rundll32.exe
        rundll32.exe c:\Users\Admin\AppData\Local\Temp\n4B82OsK.dll,Wind
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of WriteProcessMemory
        PID:1704
        • C:\Windows\SysWOW64\wermgr.exe
          C:\Windows\SysWOW64\wermgr.exe
          4⤵
            PID:1052
          • C:\Windows\SysWOW64\wermgr.exe
            C:\Windows\SysWOW64\wermgr.exe
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:1824
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 1824 -s 156
              5⤵
              • Program crash
              PID:956
          • C:\Windows\SysWOW64\msra.exe
            C:\Windows\SysWOW64\msra.exe
            4⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:1640
            • C:\Windows\SysWOW64\net.exe
              net view
              5⤵
              • Discovers systems in the same network
              PID:1540
            • C:\Windows\SysWOW64\cmd.exe
              cmd /c set
              5⤵
                PID:1924
              • C:\Windows\SysWOW64\arp.exe
                arp -a
                5⤵
                  PID:1836
                • C:\Windows\SysWOW64\ipconfig.exe
                  ipconfig /all
                  5⤵
                  • Gathers network information
                  PID:1720
                • C:\Windows\SysWOW64\nslookup.exe
                  nslookup -querytype=ALL -timeout=12 _ldap._tcp.dc._msdcs.WORKGROUP
                  5⤵
                    PID:1648
                  • C:\Windows\SysWOW64\net.exe
                    net share
                    5⤵
                      PID:1416
                      • C:\Windows\SysWOW64\net1.exe
                        C:\Windows\system32\net1 share
                        6⤵
                          PID:948
                      • C:\Windows\SysWOW64\route.exe
                        route print
                        5⤵
                          PID:1760
                        • C:\Windows\SysWOW64\netstat.exe
                          netstat -nao
                          5⤵
                          • Gathers network information
                          • Suspicious use of AdjustPrivilegeToken
                          PID:1644
                        • C:\Windows\SysWOW64\net.exe
                          net localgroup
                          5⤵
                            PID:1832
                            • C:\Windows\SysWOW64\net1.exe
                              C:\Windows\system32\net1 localgroup
                              6⤵
                                PID:1680
                            • C:\Windows\SysWOW64\whoami.exe
                              whoami /all
                              5⤵
                              • Suspicious use of AdjustPrivilegeToken
                              PID:1704
                    • C:\Windows\system32\msiexec.exe
                      C:\Windows\system32\msiexec.exe /V
                      1⤵
                      • Suspicious use of AdjustPrivilegeToken
                      PID:1992

                    Network

                    MITRE ATT&CK Matrix ATT&CK v6

                    Initial Access

                    Execution

                    Command-Line Interface

                    1
                    T1059

                    Persistence

                    Privilege Escalation

                    Defense Evasion

                    Credential Access

                    Discovery

                    Remote System Discovery

                    1
                    T1018

                    System Information Discovery

                    1
                    T1082

                    Lateral Movement

                    Collection

                    Exfiltration

                    Command and Control

                    Impact

                    Replay Monitor

                    Loading Replay Monitor...

                    Downloads

                    • \??\PIPE\wkssvc
                      MD5

                      d41d8cd98f00b204e9800998ecf8427e

                      SHA1

                      da39a3ee5e6b4b0d3255bfef95601890afd80709

                      SHA256

                      e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

                      SHA512

                      cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

                      Download Submit
                    • memory/904-57-0x0000000000000000-mapping.dmp
                      Download
                    • memory/948-81-0x0000000000000000-mapping.dmp
                      Download
                    • memory/956-69-0x0000000000000000-mapping.dmp
                      Download
                    • memory/1416-55-0x00000000767B1000-0x00000000767B3000-memory.dmp
                      Filesize

                      8KB

                      Download
                    • memory/1416-80-0x0000000000000000-mapping.dmp
                      Download
                    • memory/1416-54-0x0000000000000000-mapping.dmp
                      Download
                    • memory/1540-74-0x0000000000000000-mapping.dmp
                      Download
                    • memory/1640-73-0x0000000000080000-0x00000000000A3000-memory.dmp
                      Filesize

                      140KB

                      Download
                    • memory/1640-70-0x0000000000000000-mapping.dmp
                      Download
                    • memory/1640-72-0x0000000000080000-0x00000000000A3000-memory.dmp
                      Filesize

                      140KB

                      Download
                    • memory/1644-83-0x0000000000000000-mapping.dmp
                      Download
                    • memory/1648-79-0x0000000000000000-mapping.dmp
                      Download
                    • memory/1680-85-0x0000000000000000-mapping.dmp
                      Download
                    • memory/1704-58-0x0000000000000000-mapping.dmp
                      Download
                    • memory/1704-87-0x0000000000000000-mapping.dmp
                      Download
                    • memory/1704-65-0x00000000001A0000-0x00000000001A3000-memory.dmp
                      Filesize

                      12KB

                      Download
                    • memory/1704-66-0x00000000001A0000-0x00000000001A3000-memory.dmp
                      Filesize

                      12KB

                      Download
                    • memory/1704-60-0x0000000010000000-0x0000000010023000-memory.dmp
                      Filesize

                      140KB

                      Download
                    • memory/1720-77-0x0000000000000000-mapping.dmp
                      Download
                    • memory/1760-82-0x0000000000000000-mapping.dmp
                      Download
                    • memory/1824-67-0x0000000000000000-mapping.dmp
                      Download
                    • memory/1832-84-0x0000000000000000-mapping.dmp
                      Download
                    • memory/1836-76-0x0000000000000000-mapping.dmp
                      Download
                    • memory/1924-75-0x0000000000000000-mapping.dmp
                      Download
                    • memory/1988-56-0x0000000000000000-mapping.dmp
                      Download
                    • memory/1992-88-0x000007FEFC451000-0x000007FEFC453000-memory.dmp
                      Filesize

                      8KB

                      Download