Analysis
max time kernel: 30s
max time network: 30s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 06/03/2023, 15:28
Static task: static1
Behavioral task: behavioral1
Sample: x.bat
Resource: win7-20230220-en
General
Target: x.bat
Size: 24B
MD5: 1f4286706c7aaec25953446105db0b2f
SHA1: f05cce50773908160a48050774f5ffa9371ffa30
SHA256: ca9081c426cb9ef12be73a8a1c2d68c9e3eb9da9981b97b77ab7f4a3b3ab5382
SHA512: fe4e2ac84c7a38ea0712728775766778258a02efb2a1eb97ca8e406e4b3995f12727b56ae06a3d7ad139d011671145240379a6fe4e839f8955a3f28a2264fbd1
Malware Config
Extracted
qakbot
404.74
BB18
1678096419
salt: SoNuce]ugdiB3c[doMuce2s81*uXmcvP
Signatures
- Suspicious behavior: EnumeratesProcesses (56 IoCs)
  pid / Process: 1260 rundll32.exe (2 entries); 4088 wermgr.exe (54 entries)
- Suspicious behavior: MapViewOfSection (1 IoC)
  pid / Process: 1260 rundll32.exe
- Suspicious use of WriteProcessMemory (10 IoCs)
  description | pid | Process | procid_target
  PID 4644 wrote to memory of 2148 | 4644 | cmd.exe | 85 (2 entries)
  PID 2148 wrote to memory of 1260 | 2148 | rundll32.exe | 86 (3 entries)
  PID 1260 wrote to memory of 4088 | 1260 | rundll32.exe | 87 (5 entries)
Processes
- C:\Windows\system32\cmd.exe (PID 4644)
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\x.bat"
  Suspicious use of WriteProcessMemory
  - C:\Windows\system32\rundll32.exe (PID 2148)
    Command line: rundll32.exe x.dll,RS32
    Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\rundll32.exe (PID 1260)
      Command line: rundll32.exe x.dll,RS32
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\wermgr.exe (PID 4088)
        Command line: C:\Windows\SysWOW64\wermgr.exe
        Suspicious behavior: EnumeratesProcesses