Analysis Overview
SHA256
6df43898447efa4d277156e664e5de1aaa016d0ceb4ec939ab5a5ca36e248c27
Threat Level: Known bad
The file Malware.zip was found to be: Known bad.
Malicious Activity Summary
Qakbot/Qbot
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2023-02-27 23:56
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2023-02-27 23:56
Reported
2023-02-28 00:06
Platform
win10-20230220-en
Max time kernel
600s
Max time network
599s
Command Line
Signatures
Qakbot/Qbot
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\RunDLL-1.bat"
C:\Windows\system32\rundll32.exe
rundll32.exe prelatesRequalify.dll,N115
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe prelatesRequalify.dll,N115
C:\Windows\SysWOW64\wermgr.exe
C:\Windows\SysWOW64\wermgr.exe
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2023-02-27 23:56
Reported
2023-02-28 00:06
Platform
win7-20230220-en
Max time kernel
599s
Max time network
600s
Command Line
Signatures
Qakbot/Qbot
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\RunDLL-1.bat"
C:\Windows\system32\rundll32.exe
rundll32.exe prelatesRequalify.dll,N115
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe prelatesRequalify.dll,N115
C:\Windows\SysWOW64\wermgr.exe
C:\Windows\SysWOW64\wermgr.exe
Network
Files
C:\Users\Admin\AppData\Local\Temp\Cab60F8.tmp
| Hash | Value |
|---|---|
| MD5 | fc4666cbca561e864e7fdf883a9e6661 |
| SHA1 | 2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5 |
| SHA256 | 10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b |
| SHA512 | c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d |
C:\Users\Admin\AppData\Local\Temp\Tar6168.tmp
| Hash | Value |
|---|---|
| MD5 | 73b4b714b42fc9a6aaefd0ae59adb009 |
| SHA1 | efdaffd5b0ad21913d22001d91bf6c19ecb4ac41 |
| SHA256 | c0cf8cc04c34b5b80a2d86ad0eafb2dd71436f070c86b0321fba0201879625fd |
| SHA512 | 73af3c51b15f89237552b1718bef21fd80788fa416bab2cb2e7fb3a60d56249a716eda0d2dd68ab643752272640e7eaaaf57ce64bcb38373ddc3d035fb8d57cd |