Analysis
max time kernel: 152s
max time network: 93s
platform: windows7_x64
resource: win7-20230220-en
resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
submitted: 07-05-2023 05:48
Static task: static1
Behavioral task: behavioral1
Sample: agfINAaJSdj4m122.dll
Resource: win7-20230220-en
General
Target: agfINAaJSdj4m122.dll
Size: 492KB
MD5: 606ba4a551264e258b61c149ba644d04
SHA1: 8a228108126425e89a8d79e28072950169d8e59c
SHA256: 712c4c65b0aaaf3e0edd9813462e0b5c3b55b7872f52610ca99b5e2afafe2fa0
SHA512: 6fb6ab919b5895d71c9355a9a7dceeed35b9e1e537480c50b2e700d3ec68577f8660b46c3583d6e940c85d024a124abf9473e8654aea6c484fff675b251bdfba
SSDEEP: 6144:GzsetY7i0K8xwAXr/fUT7td4HCp6hInogO5cJN2W3MnBJW2WraDOhTKnOF8QAZaR:FeaffiP3O2sK2WraDOhel0WVvKX5H5N
Malware Config
Extracted
Family: qakbot
404.1026
BB25
1682409935
salt: SoNuce]ugdiB3c[doMuce2s81*uXmcvP
Signatures
Runs ping.exe (1 TTPs, 1 IoCs)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes:
  pid   Process
  1732  rundll32.exe
  1192  wermgr.exe (63 identical entries collapsed)
Suspicious behavior: MapViewOfSection (1 IoCs)
Processes:
  pid   Process
  1732  rundll32.exe
Suspicious use of WriteProcessMemory (17 IoCs)
Processes:
  description                         pid   Process       procid_target
  PID 2028 wrote to memory of 1732    2028  rundll32.exe  27  (7 identical entries collapsed)
  PID 1732 wrote to memory of 1192    1732  rundll32.exe  28  (6 identical entries collapsed)
  PID 1192 wrote to memory of 1872    1192  wermgr.exe    29  (4 identical entries collapsed)
Processes
1. C:\Windows\system32\rundll32.exe
   command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\agfINAaJSdj4m122.dll,#1
   PID: 2028
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\rundll32.exe
      command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\agfINAaJSdj4m122.dll,#1
      PID: 1732
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\wermgr.exe
         command line: C:\Windows\SysWOW64\wermgr.exe
         PID: 1192
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of WriteProcessMemory
         4. C:\Windows\SysWOW64\ping.exe
            command line: ping -n 3 yahoo.com
            PID: 1872
            - Runs ping.exe