Analysis
Max time kernel: 150s
Max time network: 123s
Platform: windows10-2004_x64
Resource: win10v2004-20230221-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20230221-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 10-05-2023 13:40
Static task: static1
Behavioral task: behavioral1
Sample: faba2931f2ed32d7604283aa0be76c9699e4866a438ff092c3134f9f87571409.dll
Resource: win7-20230220-en
General
Target: faba2931f2ed32d7604283aa0be76c9699e4866a438ff092c3134f9f87571409.dll
Size: 321KB
MD5: 66ed2f481c9e3c016ee6f7dc18dc975e
SHA1: 9572fcce22c16e75fad8ef7b423667545bd4ab26
SHA256: faba2931f2ed32d7604283aa0be76c9699e4866a438ff092c3134f9f87571409
SHA512: 6033a594954ec3e26b830890c9cfed552a58416e5ba541ee19ac5411908a7a8a58ec1b39eb1ef4c572746285754245c88493d029f7327dcf3e656ee569917f0f
SSDEEP: 6144:IynKe1U6ybW6cShRZuWYteU/0luNwOGJptI+hLb4LGSKoJ/5ivV:ICjOi6DuRltOEGLELGSXzM
Malware Config
Extracted
Family: qakbot
Version: 404.1035
Botnet: BB26
Campaign: 1683023161
C2 (host:port):
171.96.204.242:443
114.143.176.235:443
201.244.108.183:995
92.188.241.102:443
86.250.12.86:2222
12.172.173.82:22
94.204.122.51:443
47.21.51.138:443
70.28.50.223:2083
86.130.9.128:2222
151.213.66.34:995
2.36.64.159:2078
12.172.173.82:465
69.133.162.35:443
41.186.88.38:443
86.140.160.231:2222
93.150.183.229:2222
62.35.230.21:995
184.176.35.223:2222
75.143.236.149:443
14.192.241.76:995
69.123.4.221:2222
74.92.243.115:50000
198.2.51.242:993
75.98.154.19:443
94.200.183.66:2222
24.69.137.232:2222
64.40.4.89:995
47.205.25.170:443
197.94.78.32:443
79.77.142.22:2222
70.28.50.223:2078
76.86.31.59:443
174.4.89.3:443
102.156.133.23:443
50.68.186.195:443
125.99.76.102:443
12.172.173.82:995
75.109.111.89:443
92.20.204.198:2222
147.147.30.126:2222
23.30.173.133:443
68.173.170.110:8443
70.24.104.146:2222
27.99.32.26:2222
76.16.49.134:443
78.16.206.86:443
147.219.4.194:443
82.36.36.76:443
89.79.229.50:443
70.64.77.115:443
86.171.131.244:995
103.140.174.20:2222
12.172.173.82:21
88.126.94.4:50000
105.184.209.10:995
24.236.90.197:2078
92.20.199.185:2222
2.82.8.80:443
31.53.29.198:2222
173.88.135.179:443
12.172.173.82:32101
91.169.12.198:32100
98.145.23.67:443
70.26.75.148:2222
103.42.86.42:995
12.172.173.82:993
104.35.24.154:443
161.142.98.36:995
119.82.121.87:443
50.68.204.71:443
103.123.223.171:443
103.141.50.79:995
71.38.155.217:443
27.109.19.90:2078
70.28.50.223:1194
89.129.109.27:2222
116.75.58.209:443
176.202.45.209:443
50.68.204.71:995
89.114.140.100:443
50.68.204.71:993
181.118.183.109:443
96.56.197.26:2222
78.130.215.67:443
41.62.162.197:443
86.236.114.212:2222
70.28.50.223:32100
70.28.50.223:3389
72.205.104.134:443
86.208.35.220:2222
102.157.31.224:443
109.153.252.176:2222
103.212.19.254:995
217.165.234.249:443
178.175.187.254:443
109.218.108.3:2222
197.14.179.187:443
162.248.14.107:443
24.206.27.39:443
76.170.252.153:995
213.91.235.146:443
92.9.45.20:2222
12.172.173.82:2087
122.184.143.85:443
173.18.122.24:443
92.97.119.138:2222
112.222.83.147:6881
46.24.47.243:995
184.182.66.109:443
70.112.206.5:443
92.239.81.124:443
81.229.117.95:2222
72.134.124.16:443
47.34.30.133:443
92.186.69.229:2222
35.143.97.145:995
87.220.204.177:2222
188.28.72.118:443
Salt: SoNuce]ugdiB3c[doMuce2s81*uXmcvP
Signatures

Runs ping.exe (1 TTPs, 1 IoCs)

Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes (pid / Process):
  4612  rundll32.exe   (2 entries)
  2072  wermgr.exe     (62 entries)

Suspicious behavior: MapViewOfSection (1 IoCs)
Processes (pid / Process):
  4612  rundll32.exe

Suspicious use of WriteProcessMemory (11 IoCs)
Processes (description / pid / Process / procid_target):
  PID 5032 wrote to memory of 4612   5032  rundll32.exe   84   (3 entries)
  PID 4612 wrote to memory of 2072   4612  rundll32.exe   85   (5 entries)
  PID 2072 wrote to memory of 2076   2072  wermgr.exe     86   (3 entries)
Processes

1. C:\Windows\system32\rundll32.exe
   Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\faba2931f2ed32d7604283aa0be76c9699e4866a438ff092c3134f9f87571409.dll,Time
   PID: 5032
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\rundll32.exe
      Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\faba2931f2ed32d7604283aa0be76c9699e4866a438ff092c3134f9f87571409.dll,Time
      PID: 4612
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\wermgr.exe
         Command line: C:\Windows\SysWOW64\wermgr.exe
         PID: 2072
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of WriteProcessMemory

         4. C:\Windows\SysWOW64\ping.exe
            Command line: ping -n 3 yahoo.com
            PID: 2076
            - Runs ping.exe