Analysis

  • max time kernel
    130s
  • max time network
    127s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    28/02/2023, 11:20

General

  • Target

    StrangulatorySubduedness.dll

  • Size

    348KB

  • MD5

    842ff3818aab3bc168f997aa43163434

  • SHA1

    ba69ce91bcc57883ed2989749a9c05c2ef8bd899

  • SHA256

    628b7be2f1bb39f173458d0595ddfed907157ef25a574d34faaa4bfd80129071

  • SHA512

    57c7ce4fd461e0b6d8599f68cd9dedf382f5cec1c70cb599a90964fa1a8d2c07e6397587bb69b65662de2bc45e582acbe723e0909282fb2a7bf4ec5243434282

  • SSDEEP

    6144:znCkEzy3WOKrHe7EPvIbQP952w7QNlC20wHa8zbC6+fYyf9unVes12qxWCla8aGN:NEyrw2s20wHao+mmeWCl9Vdsd

Malware Config

Extracted

Family

qakbot

Version

404.66

Botnet

BB17

Campaign

1677576236

C2

73.165.119.20:443

80.13.205.69:2222

202.142.98.62:995

14.192.241.76:995

90.104.22.28:2222

74.92.243.113:50000

184.155.91.69:443

12.172.173.82:990

47.34.30.133:443

73.161.176.218:443

27.0.48.233:443

188.49.116.2:995

24.239.69.244:443

12.172.173.82:21

92.239.81.124:443

84.35.26.14:995

91.165.188.74:50000

12.172.173.82:465

172.248.42.122:443

103.140.174.19:2222

Attributes
  • salt

    SoNuce]ugdiB3c[doMuce2s81*uXmcvP

Signatures

  • Qakbot/Qbot

    Qbot or Qakbot is a sophisticated worm with banking capabilities.

  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\StrangulatorySubduedness.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3424
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\StrangulatorySubduedness.dll,#1
      2⤵
        PID:1344
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 1344 -s 600
          3⤵
          • Program crash
          PID:1008
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1344 -ip 1344
      1⤵
        PID:1892
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe"
        1⤵
        • Suspicious use of WriteProcessMemory
        PID:4964
        • C:\Windows\system32\rundll32.exe
          rundll32 StrangulatorySubduedness.dll,N115
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:2616
          • C:\Windows\SysWOW64\rundll32.exe
            rundll32 StrangulatorySubduedness.dll,N115
            3⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: MapViewOfSection
            • Suspicious use of WriteProcessMemory
            PID:1640
            • C:\Windows\SysWOW64\wermgr.exe
              C:\Windows\SysWOW64\wermgr.exe
              4⤵
                PID:2352
          • C:\Windows\system32\rundll32.exe
            rundll32 StrangulatorySubduedness.dll,N115
            2⤵
            • Suspicious use of WriteProcessMemory
            PID:3600
            • C:\Windows\SysWOW64\rundll32.exe
              rundll32 StrangulatorySubduedness.dll,N115
              3⤵
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious behavior: MapViewOfSection
              • Suspicious use of WriteProcessMemory
              PID:3440
              • C:\Windows\SysWOW64\wermgr.exe
                C:\Windows\SysWOW64\wermgr.exe
                4⤵
                • Suspicious behavior: EnumeratesProcesses
                PID:788

Network

MITRE ATT&CK Matrix

Downloads

  • C:\Users\Admin\AppData\Local\Temp\StrangulatorySubduedness.dll

    Filesize

    4KB

    MD5

    b356f2f09b3cc78822ec9e4458338087

    SHA1

    a27152f549445c8bdac3133d97cfe332c3f0516d

    SHA256

    184063cf0a1c430e8c789d5d181061353bbfab16b8c2dc0eed40f486611b0372

    SHA512

    1b5677da6ee0f72dffcdb92e32d6acadf40d3a3f1179fc8921f75c19861489d3b55c3e66aae7d05cddaf8c688fdcbef1fc6d39ff6faa96795c2da9a1047ffa96

  • memory/788-155-0x0000000000140000-0x0000000000163000-memory.dmp

    Filesize

    140KB

  • memory/788-157-0x0000000000140000-0x0000000000163000-memory.dmp

    Filesize

    140KB

  • memory/788-161-0x0000000000140000-0x0000000000163000-memory.dmp

    Filesize

    140KB

  • memory/788-159-0x0000000000140000-0x0000000000163000-memory.dmp

    Filesize

    140KB

  • memory/788-158-0x0000000000140000-0x0000000000163000-memory.dmp

    Filesize

    140KB

  • memory/788-156-0x0000000000140000-0x0000000000163000-memory.dmp

    Filesize

    140KB

  • memory/788-150-0x0000000000140000-0x0000000000163000-memory.dmp

    Filesize

    140KB

  • memory/1640-133-0x00000000026E0000-0x0000000002703000-memory.dmp

    Filesize

    140KB

  • memory/1640-141-0x00000000026D0000-0x00000000026D3000-memory.dmp

    Filesize

    12KB

  • memory/1640-147-0x00000000026E0000-0x0000000002703000-memory.dmp

    Filesize

    140KB

  • memory/1640-144-0x00000000026E0000-0x0000000002703000-memory.dmp

    Filesize

    140KB

  • memory/2352-153-0x0000000000C40000-0x0000000000C63000-memory.dmp

    Filesize

    140KB

  • memory/2352-154-0x0000000000C40000-0x0000000000C63000-memory.dmp

    Filesize

    140KB

  • memory/3440-148-0x0000000001340000-0x0000000001343000-memory.dmp

    Filesize

    12KB

  • memory/3440-134-0x0000000002C20000-0x0000000002C43000-memory.dmp

    Filesize

    140KB

  • memory/3440-146-0x0000000002C20000-0x0000000002C43000-memory.dmp

    Filesize

    140KB

  • memory/3440-145-0x0000000002C20000-0x0000000002C43000-memory.dmp

    Filesize

    140KB