Analysis

  • max time kernel
    152s
  • max time network
    30s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
  • submitted
    07-05-2023 03:44

General

  • Target

    7bead29093a5ff9e111cf272fc1949f4d2e1bd1e1f7dbbb0e4b9806c2403a8ad.dll

  • Size

    492KB

  • MD5

    d3f6c5e76c975e03f4f558c1ad5512f9

  • SHA1

    7dc1f53ac14d666fba565bb5f03dba85d99ac70d

  • SHA256

    7bead29093a5ff9e111cf272fc1949f4d2e1bd1e1f7dbbb0e4b9806c2403a8ad

  • SHA512

    45b63b264f1bb7c500e4736ea9bbbad1f3506145fe680224eaf4ed65083c04d92040c8259b243b2d3135e76c5dee26044447c353bbb33e122dc97b43cf61361a

  • SSDEEP

    6144:GzsetYMi0K8xwAXr/fUT7td4HCp6hInogO5cJN2W3MnBJW2WraDOhTKnOF8QAZaR:Fea0fiP3O2sK2WraDOhel0WVvKX5H5N

Malware Config

Extracted

Family

qakbot

Version

404.1026

Botnet

BB25

Campaign

1682409935

C2

96.56.197.26:2222

151.30.34.144:443

217.165.239.223:443

91.82.4.46:443

151.213.66.34:995

81.111.108.123:443

88.171.156.150:50000

92.149.250.113:2222

92.189.214.236:2222

103.123.223.130:443

67.10.2.240:995

70.112.206.5:443

86.225.214.138:2222

172.248.42.122:443

147.219.4.194:443

24.139.11.137:443

74.92.243.115:50000

198.2.51.242:993

75.98.154.19:443

92.239.81.124:443

Attributes
  • salt

    SoNuce]ugdiB3c[doMuce2s81*uXmcvP

Signatures

  • Qakbot/Qbot

    Qbot or Qakbot is a sophisticated worm with banking capabilities.

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\7bead29093a5ff9e111cf272fc1949f4d2e1bd1e1f7dbbb0e4b9806c2403a8ad.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:324
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\7bead29093a5ff9e111cf272fc1949f4d2e1bd1e1f7dbbb0e4b9806c2403a8ad.dll,#1
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:1984
      • C:\Windows\SysWOW64\wermgr.exe
        C:\Windows\SysWOW64\wermgr.exe
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:932
        • C:\Windows\SysWOW64\ping.exe
          ping -n 3 yahoo.com
          4⤵
          • Runs ping.exe
          PID:1708

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/932-63-0x0000000000110000-0x0000000000134000-memory.dmp

    Filesize

    144KB

  • memory/932-60-0x0000000000110000-0x0000000000134000-memory.dmp

    Filesize

    144KB

  • memory/932-68-0x0000000000110000-0x0000000000134000-memory.dmp

    Filesize

    144KB

  • memory/932-66-0x0000000000110000-0x0000000000134000-memory.dmp

    Filesize

    144KB

  • memory/932-58-0x0000000000140000-0x0000000000142000-memory.dmp

    Filesize

    8KB

  • memory/932-59-0x0000000000110000-0x0000000000134000-memory.dmp

    Filesize

    144KB

  • memory/932-65-0x0000000000110000-0x0000000000134000-memory.dmp

    Filesize

    144KB

  • memory/932-61-0x0000000000110000-0x0000000000134000-memory.dmp

    Filesize

    144KB

  • memory/932-64-0x0000000000110000-0x0000000000134000-memory.dmp

    Filesize

    144KB

  • memory/1984-55-0x00000000001C0000-0x00000000001E4000-memory.dmp

    Filesize

    144KB

  • memory/1984-62-0x00000000001C0000-0x00000000001E4000-memory.dmp

    Filesize

    144KB

  • memory/1984-54-0x00000000001C0000-0x00000000001E4000-memory.dmp

    Filesize

    144KB

  • memory/1984-57-0x00000000001C0000-0x00000000001E4000-memory.dmp

    Filesize

    144KB

  • memory/1984-56-0x0000000000280000-0x00000000002C1000-memory.dmp

    Filesize

    260KB