Analysis
Max time kernel: 25s
Platform: windows7_x64
Resource: win7-20230220-en
Resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
Submitted: 03-04-2023 14:29
Static task: static1
Behavioral task: behavioral1
Sample: Qbot_posting.dll
Resource: win7-20230220-en
General
Target: Qbot_posting.dll
Size: 638KB
MD5: 66c31e46e776c384f69c856505ab7852
SHA1: 0502fa50d6117f1ed5d66a2d3c961eae5609f95b
SHA256: bc672fe23b19898032b312ab849d781cfd450966e17f571b8e31a0328f2bafe8
SHA512: 6e916d69f0dc9f0284c4aacb7a2f75aeaa628aed3419cd16e8ac962ec98d9c7db7baceaacf3f635a496a1b13d29bcd7f3a1d7788e964b15c319282130857bebe
SSDEEP: 12288:fa2sTwwDbozbuUijWQ2ieToMjavBJHuZXJMeGbX//IO:fBs1QuUijWHVUM+7OZXJM5T//I
Malware Config
Extracted
Family: qakbot
Version: 403.973
Botnet: BB02
Campaign: 1665761649 (Qakbot campaign IDs are Unix timestamps; this one is 2022-10-14 15:34:09 UTC)
C2 (ip:port):
104.233.202.195:443
105.156.242.71:443
45.230.169.132:995
181.197.41.173:443
197.0.89.147:443
191.254.53.134:995
190.204.74.4:2222
46.185.147.165:443
190.26.159.133:995
177.205.74.14:2222
197.63.250.197:993
45.230.169.132:443
156.212.50.148:443
193.27.13.28:32100
190.200.10.82:2222
31.166.182.166:443
179.105.182.216:995
193.201.187.64:443
1.53.101.75:443
190.181.17.58:443
181.141.3.126:443
125.26.193.137:995
58.186.91.228:443
113.170.223.42:443
139.228.33.176:2222
167.58.235.5:443
41.98.236.210:443
220.123.29.76:443
163.182.177.80:443
186.139.116.78:443
58.186.75.42:443
93.156.96.171:443
187.198.8.241:443
189.243.187.76:443
197.94.79.39:443
102.189.242.128:995
105.154.60.233:995
156.146.55.173:2222
109.177.128.182:443
125.20.84.122:443
186.18.210.16:443
41.105.150.238:443
187.58.165.81:443
183.182.86.158:443
42.189.32.186:80
110.159.63.62:443
41.111.66.163:443
190.193.180.228:443
42.115.244.80:443
187.56.91.215:995
179.25.153.200:995
190.100.149.122:995
181.44.34.172:443
196.207.146.151:443
105.197.208.168:995
72.88.245.71:443
197.204.233.216:443
85.171.48.85:443
144.202.15.58:443
144.202.15.58:995
105.69.142.130:995
41.109.62.192:443
197.158.89.85:443
187.37.47.42:995
186.15.213.14:443
187.101.200.186:995
41.101.129.54:443
186.0.51.202:443
191.165.254.63:2222
181.30.225.9:443
41.141.239.223:995
102.187.59.86:995
41.230.147.223:443
181.128.21.133:443
102.158.17.105:443
105.108.80.229:443
41.107.209.163:443
196.235.137.166:443
148.213.109.165:995
186.86.212.138:443
118.216.99.232:443
41.99.208.154:443
23.225.104.250:443
186.18.77.99:443
186.188.96.197:443
41.96.120.232:443
105.108.189.56:443
79.100.58.254:443
180.65.194.65:443
196.65.255.151:995
156.174.26.63:443
85.110.133.32:443
41.101.200.226:443
45.227.251.167:2222
96.234.66.76:995
39.44.5.102:995
41.109.253.237:443
181.164.194.228:443
41.200.165.185:443
105.159.124.224:443
Salt: SoNuce]ugdiB3c[doMuce2s81*uXmcvP (hardcoded string; its SHA-1 is the RC4 key for the encrypted resources that carry this config)
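The following is an added example, not part of the sandbox report or of any extractor, showing how a practitioner would work with the config block above: it labels the bare fields the extractor printed, converts the campaign timestamp, summarises the C2 ports, emits one Suricata rule per C2, and implements the documented Qakbot resource scheme (RC4 keyed with SHA-1 of the salt, plaintext prefixed with its own SHA-1 as an integrity check) with a round trip over constructed data. The C2 list is a subset copied from the report; `sid_base`, the rule text and the applicability of the RC4 scheme to this exact build are this example's assumptions.

```python
"""Label, convert and reuse the Qakbot config shown in "Malware Config" above.

Added example, not part of the report. Field order (family, version, botnet,
campaign, C2 lines) follows what the extractor printed; the RC4/SHA-1 resource
scheme is the one documented for Qakbot and is assumed to hold for this build.
"""
import hashlib
import ipaddress
from collections import Counter
from datetime import datetime, timezone

# Copied from the report; the C2 list is truncated to a representative subset.
CONFIG_TEXT = """qakbot
403.973
BB02
1665761649
104.233.202.195:443
105.156.242.71:443
45.230.169.132:995
190.204.74.4:2222
193.27.13.28:32100
42.189.32.186:80
197.63.250.197:993
144.202.15.58:443
144.202.15.58:995
"""
SALT = "SoNuce]ugdiB3c[doMuce2s81*uXmcvP"


def parse_config(text):
    """Label the extractor's bare lines: family, version, botnet, campaign, C2s."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    family, version, botnet, campaign = lines[:4]
    c2 = []
    for entry in lines[4:]:
        host, _, port = entry.rpartition(":")
        ipaddress.ip_address(host)  # raises ValueError on a garbled line
        c2.append((host, int(port)))
    return {
        "family": family,
        "version": version,
        "botnet": botnet,
        "campaign_epoch": int(campaign),
        # Qakbot campaign IDs are Unix timestamps of the build.
        "campaign_utc": datetime.fromtimestamp(int(campaign), tz=timezone.utc),
        "c2": c2,
    }


def port_histogram(c2):
    """Ports matter for hunting: 443/995/993 blend in, 2222 and 32100 do not."""
    return Counter(port for _, port in c2)


def suricata_rules(cfg, sid_base=9000001):
    """One outbound TCP rule per C2; sid_base is a placeholder for a local range."""
    return [
        f'alert tcp $HOME_NET any -> {ip} {port} (msg:"Qakbot {cfg["botnet"]} '
        f'C2 {ip}:{port}"; flow:to_server; sid:{sid_base + i}; rev:1;)'
        for i, (ip, port) in enumerate(cfg["c2"])
    ]


def rc4(key, data):
    """Textbook RC4 (KSA + PRGA); symmetric, so it both encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for b in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(b ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def decrypt_resource(salt, blob):
    """Key = SHA-1(salt); plaintext[:20] must equal SHA-1(plaintext[20:]).
    Returns the body, or None when the check fails (wrong salt or build, or a
    damaged blob) so a caller never mistakes garbage for config."""
    plain = rc4(hashlib.sha1(salt.encode()).digest(), blob)
    digest, body = plain[:20], plain[20:]
    return body if hashlib.sha1(body).digest() == digest else None


def encrypt_resource(salt, body):
    """Inverse of decrypt_resource; used here only to build constructed test data."""
    return rc4(hashlib.sha1(salt.encode()).digest(), hashlib.sha1(body).digest() + body)


if __name__ == "__main__":
    cfg = parse_config(CONFIG_TEXT)
    print(cfg["version"], cfg["botnet"], cfg["campaign_utc"].isoformat())
    print(dict(port_histogram(cfg["c2"])))
    print("\n".join(suricata_rules(cfg)[:2]))
    blob = encrypt_resource(SALT, CONFIG_TEXT.encode())
    print(decrypt_resource(SALT, blob) == CONFIG_TEXT.encode())
```

The checksum in `decrypt_resource` is what makes the salt useful as a triage check: running the same routine against another sample's resources with this salt either yields a verified body or None, which tells you whether the build shares this salt before you spend time on its config.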
Signatures
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  Process: rundll32.exe, PID 1072
- Suspicious behavior: MapViewOfSection (1 IoC)
  Process: rundll32.exe, PID 1072
- Suspicious use of WriteProcessMemory (13 IoCs)
  Source PID   Source process   Target PID   Target process   Writes
  2040         rundll32.exe     1072         rundll32.exe     7
  1072         rundll32.exe     1188         wermgr.exe       6
Processes (PIDs taken from the WriteProcessMemory signature above)
- C:\Windows\system32\rundll32.exe (PID 2040, depth 1)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\Qbot_posting.dll,#1
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\rundll32.exe (PID 1072, depth 2, child of 2040)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\Qbot_posting.dll,#1
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\wermgr.exe (PID 1188, depth 3, child of 1072)
  Command line: C:\Windows\SysWOW64\wermgr.exe

The DLL is invoked by export ordinal (#1) from the user's Temp directory. The 64-bit rundll32.exe relaunching C:\Windows\SysWOW64\rundll32.exe is the normal path for a 32-bit DLL (the resource tags list arch:x86), so that hop alone is not an indicator; the indicator is the 32-bit rundll32.exe starting wermgr.exe with no arguments and then writing into it, which is how the 164KB region dumped from PID 1188 below gets there.
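The process tree above is the part of this report a detection engineer would turn into logic. The following is an added example, not part of the report or of any vendor product: it runs simple rules and a parent-chain correlation over constructed process-create and cross-process-write records shaped after Sysmon's, using the PIDs, images and command lines the report shows plus two benign records to show what is not flagged. The field names, the rule names and the svchost.exe parent allowlist for wermgr.exe are this example's own choices.

```python
"""Detect the rundll32 -> rundll32 -> wermgr.exe chain shown in the report.

Added example, not part of the sandbox report. Records are constructed in the
shape of Sysmon process-create / process-access events with the report's PIDs
and paths; field names are this example's own, not a Sysmon schema.
"""
import re

EVENTS = [
    # Depth 1: 64-bit rundll32 loads the DLL by ordinal from a user-writable path.
    {"type": "create", "pid": 2040, "ppid": 1000, "image": r"C:\Windows\system32\rundll32.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\Qbot_posting.dll,#1"},
    # Depth 2: the SysWOW64 relaunch, expected for a 32-bit DLL.
    {"type": "create", "pid": 1072, "ppid": 2040, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "parent_image": r"C:\Windows\system32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\Qbot_posting.dll,#1"},
    {"type": "write", "src_pid": 2040, "src_image": r"C:\Windows\system32\rundll32.exe",
     "dst_pid": 1072, "dst_image": r"C:\Windows\SysWOW64\rundll32.exe"},
    # Depth 3: wermgr.exe with no arguments, then written to from rundll32.
    {"type": "create", "pid": 1188, "ppid": 1072, "image": r"C:\Windows\SysWOW64\wermgr.exe",
     "parent_image": r"C:\Windows\SysWOW64\rundll32.exe", "cmdline": r"C:\Windows\SysWOW64\wermgr.exe"},
    {"type": "write", "src_pid": 1072, "src_image": r"C:\Windows\SysWOW64\rundll32.exe",
     "dst_pid": 1188, "dst_image": r"C:\Windows\SysWOW64\wermgr.exe"},
    # Constructed benign records: WER service hosting wermgr.exe; rundll32 on a system DLL.
    {"type": "create", "pid": 3001, "ppid": 800, "image": r"C:\Windows\System32\wermgr.exe",
     "parent_image": r"C:\Windows\System32\svchost.exe",
     "cmdline": r"C:\Windows\System32\wermgr.exe -queuereporting"},
    {"type": "create", "pid": 3002, "ppid": 900, "image": r"C:\Windows\System32\rundll32.exe",
     "parent_image": r"C:\Windows\explorer.exe", "cmdline": r"rundll32.exe shell32.dll,Control_RunDLL"},
]

USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\(AppData|Downloads|Desktop)\\", re.I)
ORDINAL_EXPORT = re.compile(r"\.dll,#\d+\b", re.I)
WERMGR_PARENTS = {"svchost.exe"}  # starting allowlist; tune per environment


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def ordinal_from_user_path(cmdline):
    return bool(USER_WRITABLE.search(cmdline) and ORDINAL_EXPORT.search(cmdline))


def detect(events):
    """Per-event rules; returns (rule_name, pid) pairs in event order."""
    alerts = []
    for e in events:
        if e["type"] == "create":
            img = basename(e["image"])
            if img == "rundll32.exe" and ordinal_from_user_path(e["cmdline"]):
                alerts.append(("rundll32_ordinal_from_user_path", e["pid"]))
            if img == "wermgr.exe" and basename(e["parent_image"]) not in WERMGR_PARENTS:
                alerts.append(("wermgr_unexpected_parent", e["pid"]))
        elif e["type"] == "write":
            # rundll32 writing into rundll32 is the 64->32-bit handoff; ignore it.
            if basename(e["src_image"]) == "rundll32.exe" and basename(e["dst_image"]) != "rundll32.exe":
                alerts.append(("rundll32_writes_other_process", e["dst_pid"]))
    return alerts


def injection_chains(events):
    """Correlate a rundll32 that writes into a non-rundll32 process with the
    rundll32 ancestry that began with an ordinal load from a user path."""
    created = {e["pid"]: e for e in events if e["type"] == "create"}
    chains = []
    for w in events:
        if w["type"] != "write" or basename(w["src_image"]) != "rundll32.exe":
            continue
        if basename(w["dst_image"]) == "rundll32.exe":
            continue
        lineage, pid = [], w["src_pid"]
        while pid in created and basename(created[pid]["image"]) == "rundll32.exe":
            lineage.append(pid)
            pid = created[pid]["ppid"]
        root = created.get(lineage[-1]) if lineage else None
        if root and ordinal_from_user_path(root["cmdline"]):
            chains.append({"lineage": lineage[::-1], "target": w["dst_pid"],
                           "target_image": basename(w["dst_image"])})
    return chains


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
    print(injection_chains(EVENTS))
```

The per-event rules fire on the report's three processes and stay quiet on the benign records; `injection_chains` adds the piece the flat signature list lacks, tying the write into wermgr.exe back through PID 1072 to the PID 2040 command line that named the DLL.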
Downloads (memory dumps)
Dump                                                               Size
memory/1072-54-0x0000000000170000-0x0000000000171000-memory.dmp    4KB
memory/1072-55-0x00000000002A0000-0x00000000002C9000-memory.dmp    164KB
memory/1072-56-0x00000000002A0000-0x00000000002C9000-memory.dmp    164KB
memory/1072-58-0x00000000002A0000-0x00000000002C9000-memory.dmp    164KB
memory/1072-57-0x00000000002A0000-0x00000000002C9000-memory.dmp    164KB
memory/1072-59-0x0000000000240000-0x000000000026A000-memory.dmp    168KB
memory/1072-60-0x00000000002A0000-0x00000000002C9000-memory.dmp    164KB
memory/1072-61-0x0000000000400000-0x00000000004A4000-memory.dmp    656KB
memory/1072-63-0x00000000002A0000-0x00000000002C9000-memory.dmp    164KB
memory/1072-65-0x00000000002A0000-0x00000000002C9000-memory.dmp    164KB
memory/1188-64-0x00000000000B0000-0x00000000000B2000-memory.dmp    8KB
memory/1188-67-0x0000000000080000-0x00000000000A9000-memory.dmp    164KB

The 164KB region at 0x2A0000 in rundll32.exe (PID 1072) was dumped repeatedly as it changed, and a region of exactly the same size (0x29000 bytes) appears at 0x80000 in wermgr.exe (PID 1188), consistent with the WriteProcessMemory calls from 1072 into 1188; memory/1188-67 is the dump to take for the injected payload. The 656KB dump at 0x400000 in PID 1072 is the mapped image of the 638KB DLL.