Overview

overview

10

Static

static

1

parallax-s...om.dll

windows7-x64

10

parallax-s...om.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    33s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
  • submitted
    10-03-2023 18:36

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    parallax-systems.com.dll

  • Size

    524KB

  • MD5

    c3c2565c1401b5a436291df479ae7d28

  • SHA1

    59fde9dcf2b51d6f4e07068f31f54ec5248bf4b6

  • SHA256

    e97d0fef27fe3e831bd23cf2ac654f06bf9ec2f2d3a59593431d62e3d15b878d

  • SHA512

    a322cded7846a9d5b6b848287dab128607c17e4ed43983b68f396839eb39e4d6379d4bf8d5278bc09fd88e183f3de0e7dfe37d9a5879291e9fef37d64d33ad14

  • SSDEEP

    6144:9kIzvcd6bpkttJtlXWPFuXwkj2Zlx2Un8sLjA:mgcbttDlXWPkwkj4xLtLjA

Score
10/10
qakbotbb181678346017bankerstealertrojan

Malware Config

Extracted

Family

qakbot

Version

404.226

Botnet

BB18

Campaign

1678346017

C2

114.143.176.235:443

92.154.17.149:2222

2.14.45.117:2222

84.108.200.161:443

109.11.175.42:2222

88.126.94.4:50000

87.202.101.164:50000

50.68.204.71:995

49.245.82.178:2222

12.172.173.82:32101

190.11.198.76:443

79.67.165.149:995

115.87.227.49:443

84.215.202.22:443

118.250.110.98:995

66.131.25.6:443

80.1.152.201:443

198.2.51.242:993

151.48.158.236:443

50.68.204.71:993
Attributes
  • salt

    SoNuce]ugdiB3c[doMuce2s81*uXmcvP

Signatures

  • Qakbot/Qbot

    Qbot or Qakbot is a sophisticated worm with banking capabilities.

    trojanbankerstealerqakbot
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\parallax-systems.com.dll XL55
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1064
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\parallax-systems.com.dll XL55
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:1980
      • C:\Windows\SysWOW64\wermgr.exe
        C:\Windows\SysWOW64\wermgr.exe
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:1832

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1832-60-0x00000000000C0000-0x00000000000C2000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1832-61-0x0000000000080000-0x00000000000A3000-memory.dmp

    Filesize

    140KB

    Download

  • memory/1832-64-0x0000000000080000-0x00000000000A3000-memory.dmp

    Filesize

    140KB

    Download

  • memory/1832-65-0x0000000000080000-0x00000000000A3000-memory.dmp

    Filesize

    140KB

    Download

  • memory/1832-66-0x0000000000080000-0x00000000000A3000-memory.dmp

    Filesize

    140KB

    Download

  • memory/1832-67-0x0000000000080000-0x00000000000A3000-memory.dmp

    Filesize

    140KB

    Download

  • memory/1832-68-0x0000000000080000-0x00000000000A3000-memory.dmp

    Filesize

    140KB

    Download

  • memory/1832-70-0x0000000000080000-0x00000000000A3000-memory.dmp

    Filesize

    140KB

    Download

  • memory/1980-54-0x0000000000250000-0x0000000000273000-memory.dmp

    Filesize

    140KB

    Download

  • memory/1980-59-0x0000000000250000-0x0000000000273000-memory.dmp

    Filesize

    140KB

    Download

  • memory/1980-62-0x0000000000250000-0x0000000000273000-memory.dmp

    Filesize

    140KB

    Download