Analysis

  • max time kernel
    76s
  • max time network
    77s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11-05-2023 01:28

General

  • Target

    sneakyboris.dll

  • Size

    899KB

  • MD5

    ca2f9b47bbb7d59a2a108be4eb01fe5a

  • SHA1

    25faba56b6087c64e14c4fb0c204ed9f45f230d0

  • SHA256

    fc3e6c67d824970f52cbc4c85a18ddf6f03afe3d5af5279c633b02c0b96f2ae0

  • SHA512

    3e236c17ed14950aa5584688682c9bd451bebeb5a69de41e77a26fd93d51cdd040d7339c5b895e86ba1208bfdf52ba992ccfc12a4876fee2df9a60ff4e6a0e46

  • SSDEEP

    24576:sHA2XMYABs772W/8vLc/9sgR+OVnh8gt42vCkzeztwPOfQWy5UuxVFLqsl:UMYABC8vLc/2jA8gpUuxVFLq6

Malware Config

Extracted

Family

qakbot

Version

404.1035

Botnet

obama261

Campaign

1683268508

C2

174.4.89.3:443

23.30.173.133:443

70.51.136.238:2222

68.173.170.110:8443

47.21.51.138:443

70.64.77.115:443

76.16.49.134:443

64.121.161.102:443

108.190.115.159:443

98.19.224.125:995

12.172.173.82:465

147.219.4.194:443

86.250.12.86:2222

188.176.171.3:443

88.126.94.4:50000

87.202.101.164:50000

74.92.243.115:50000

98.176.5.56:443

198.2.51.242:993

75.98.154.19:443

Attributes
  • salt

    SoNuce]ugdiB3c[doMuce2s81*uXmcvP

Signatures

  • Qakbot/Qbot

    Qbot or Qakbot is a sophisticated worm with banking capabilities.

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\sneakyboris.dll,print
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2164
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\sneakyboris.dll,print
      2⤵
        PID:1264
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe"
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:2660
      • C:\Windows\system32\rundll32.exe
        rundll32.exe sneakyboris.dll,Time
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:1084
        • C:\Windows\SysWOW64\rundll32.exe
          rundll32.exe sneakyboris.dll,Time
          3⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of WriteProcessMemory
          PID:384
          • C:\Windows\SysWOW64\wermgr.exe
            C:\Windows\SysWOW64\wermgr.exe
            4⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:4752
            • C:\Windows\SysWOW64\ping.exe
              ping -n 3 yahoo.com
              5⤵
              • Runs ping.exe
              PID:2476

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/384-133-0x00000000005A0000-0x00000000005A3000-memory.dmp

      Filesize

      12KB

    • memory/384-134-0x0000000010000000-0x0000000010024000-memory.dmp

      Filesize

      144KB

    • memory/4752-139-0x00000000004E0000-0x0000000000504000-memory.dmp

      Filesize

      144KB

    • memory/4752-140-0x00000000004E0000-0x0000000000504000-memory.dmp

      Filesize

      144KB

    • memory/4752-141-0x00000000004E0000-0x0000000000504000-memory.dmp

      Filesize

      144KB

    • memory/4752-142-0x00000000004E0000-0x0000000000504000-memory.dmp

      Filesize

      144KB

    • memory/4752-143-0x00000000004E0000-0x0000000000504000-memory.dmp

      Filesize

      144KB

    • memory/4752-144-0x00000000004E0000-0x0000000000504000-memory.dmp

      Filesize

      144KB

    • memory/4752-145-0x00000000004E0000-0x0000000000504000-memory.dmp

      Filesize

      144KB

    • memory/4752-147-0x00000000004E0000-0x0000000000504000-memory.dmp

      Filesize

      144KB