Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

1

699da6dc48...b0.dll

windows7-x64

10

699da6dc48...b0.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    32s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
  • submitted
    16/03/2023, 02:15

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    699da6dc48f908308fe9f096be1161b0.dll

  • Size

    318KB

  • MD5

    699da6dc48f908308fe9f096be1161b0

  • SHA1

    229337298834b2c5494547b67a2f9c95959c48d5

  • SHA256

    2e5e54ef65aa8b966d0ae4ba54f9141045612e3bc72790fb5fe5668747f6edf9

  • SHA512

    c69bf1afafc828828199402be78e10f78bd3288ebae3360dda35a713dc6ee6adda725defbe602ea8a734e5add3e688aed621b2689a49256e5ca177c1033dbd59

  • SSDEEP

    6144:NaaVzaA4R+aU/P/IvTDp3ZZ99GSrtMhsNW9TUW/aSFGMReiDhKRIbGjZneB6ncqJ:m+aU/P/IvTDp3ZZ99RrtyU2GSYIajfnP

Score
10/10
qakbotobama2431678889958bankerstealertrojan

Malware Config

Extracted

Family

qakbot

Version

404.263

Botnet

obama243

Campaign

1678889958

C2

91.196.69.245:443

90.104.22.28:2222

37.14.229.220:2222

88.126.94.4:50000

92.159.173.52:2222

122.184.143.85:443

85.61.165.153:2222

86.195.14.72:2222

92.154.17.149:2222

47.203.229.168:443

98.187.21.2:443

70.51.152.61:2222

91.68.227.219:443

92.154.45.81:2222

88.122.133.88:32100

98.147.155.235:443

91.254.229.61:443

213.31.90.183:2222

174.118.36.28:443

197.14.148.149:443
Attributes
  • salt

    SoNuce]ugdiB3c[doMuce2s81*uXmcvP

Signatures

  • Qakbot/Qbot

    Qbot or Qakbot is a sophisticated worm with banking capabilities.

    trojanbankerstealerqakbot
  • Suspicious behavior: EnumeratesProcesses 60 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\699da6dc48f908308fe9f096be1161b0.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1752
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\699da6dc48f908308fe9f096be1161b0.dll,#1
      2⤵
        PID:1228
    • C:\Windows\system32\verclsid.exe
      "C:\Windows\system32\verclsid.exe" /S /C {0B2C9183-C9FA-4C53-AE21-C900B0C39965} /I {0C733A8A-2A1C-11CE-ADE5-00AA0044773D} /X 0x401
      1⤵
        PID:1348
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe"
        1⤵
        • Suspicious use of WriteProcessMemory
        PID:1484
        • C:\Windows\system32\rundll32.exe
          rundll32 699da6dc48f908308fe9f096be1161b0.dll,XS88
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:1948
          • C:\Windows\SysWOW64\rundll32.exe
            rundll32 699da6dc48f908308fe9f096be1161b0.dll,XS88
            3⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: MapViewOfSection
            • Suspicious use of WriteProcessMemory
            PID:2004
            • C:\Windows\SysWOW64\wermgr.exe
              C:\Windows\SysWOW64\wermgr.exe
              4⤵
              • Suspicious behavior: EnumeratesProcesses
              PID:1516

      Network

      MITRE ATT&CK Matrix

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • memory/1516-61-0x00000000000B0000-0x00000000000B2000-memory.dmp

        Filesize

        8KB

        Download

      • memory/1516-63-0x0000000000080000-0x00000000000A3000-memory.dmp

        Filesize

        140KB

        Download

      • memory/1516-64-0x0000000000080000-0x00000000000A3000-memory.dmp

        Filesize

        140KB

        Download

      • memory/1516-65-0x0000000000080000-0x00000000000A3000-memory.dmp

        Filesize

        140KB

        Download

      • memory/1516-66-0x0000000000080000-0x00000000000A3000-memory.dmp

        Filesize

        140KB

        Download

      • memory/1516-67-0x0000000000080000-0x00000000000A3000-memory.dmp

        Filesize

        140KB

        Download

      • memory/1516-68-0x0000000000080000-0x00000000000A3000-memory.dmp

        Filesize

        140KB

        Download

      • memory/1516-70-0x0000000000080000-0x00000000000A3000-memory.dmp

        Filesize

        140KB

        Download

      • memory/2004-54-0x0000000010000000-0x0000000010023000-memory.dmp

        Filesize

        140KB

        Download

      • memory/2004-56-0x00000000000C0000-0x00000000000C3000-memory.dmp

        Filesize

        12KB

        Download

      • memory/2004-60-0x0000000010000000-0x0000000010023000-memory.dmp

        Filesize

        140KB

        Download

      • memory/2004-62-0x0000000010000000-0x0000000010023000-memory.dmp

        Filesize

        140KB

        Download