Overview

overview

10

Static

static

10

430000.dll

windows7-x64

10

430000.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    29s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
  • submitted
    06-04-2023 17:39

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    430000.dll

  • Size

    130KB

  • MD5

    f614498d0e00be7207714bf6de2cf6c1

  • SHA1

    afb2cde286628e62ed43db9149e0b93ac27d6866

  • SHA256

    1a9018c8a743f206879d99651535a624a9dc56e578666c3e868c5991603da0f7

  • SHA512

    1bedfdf52b578a3204cbc0ec2927632d46a2437ae26e1d870833d82730e61dd1327cc7476318d67ee6401fbaf47c43b7f88f159f0f6dbaf3adbcd3afae63070d

  • SSDEEP

    3072:Y1CGk7wnQpPYn+/lTS15AJJv6VVHU8TBff4Bzho:YYGkC6QnclaSJJCVVHU8TB349

Score
10/10
qakbotbb221680772777bankerstealertrojan

Malware Config

Extracted

Family

qakbot

Version

404.909

Botnet

BB22

Campaign

1680772777

C2

83.77.208.166:2222

47.205.25.170:443

12.172.173.82:995

24.236.90.196:2078

75.109.111.89:443

45.50.233.214:443

86.209.8.236:2222

92.154.17.149:2222

59.153.96.4:443

91.82.133.190:443

197.92.131.255:443

103.42.86.42:995

12.172.173.82:21

73.36.196.11:443

77.126.11.114:443

103.140.174.20:2222

12.172.173.82:465

119.82.123.160:443

116.72.250.18:443

109.50.143.218:2222
Attributes
  • salt

    SoNuce]ugdiB3c[doMuce2s81*uXmcvP

Signatures

  • Qakbot/Qbot

    Qbot or Qakbot is a sophisticated worm with banking capabilities.

    trojanbankerstealerqakbot
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\430000.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1976
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\430000.dll,#1
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:1692
      • C:\Windows\SysWOW64\wermgr.exe
        C:\Windows\SysWOW64\wermgr.exe
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:1940
        • C:\Windows\SysWOW64\ping.exe
          ping -n 3 yahoo.com
          4⤵
          • Runs ping.exe
          PID:884

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

1
T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1940-54-0x00000000000F0000-0x00000000000F2000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1940-55-0x00000000000C0000-0x00000000000E4000-memory.dmp
    Filesize

    144KB

    Download
  • memory/1940-56-0x00000000000C0000-0x00000000000E4000-memory.dmp
    Filesize

    144KB

    Download
  • memory/1940-57-0x00000000000C0000-0x00000000000E4000-memory.dmp
    Filesize

    144KB

    Download
  • memory/1940-58-0x00000000000C0000-0x00000000000E4000-memory.dmp
    Filesize

    144KB

    Download
  • memory/1940-59-0x00000000000C0000-0x00000000000E4000-memory.dmp
    Filesize

    144KB

    Download
  • memory/1940-60-0x00000000000C0000-0x00000000000E4000-memory.dmp
    Filesize

    144KB

    Download
  • memory/1940-61-0x00000000000C0000-0x00000000000E4000-memory.dmp
    Filesize

    144KB

    Download
  • memory/1940-63-0x00000000000C0000-0x00000000000E4000-memory.dmp
    Filesize

    144KB

    Download