Analysis
max time kernel: 150s
max time network: 154s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11-05-2023 14:15
Static task: static1
Behavioral task: behavioral1
Sample: XyU8ZgqTP.dll
Resource: win7-20230220-en
General
Target: XyU8ZgqTP.dll
Size: 627KB
MD5: 8913a9551b5895bd57370f88274c80c2
SHA1: 111d5ca894dc029d576a779a4b20ee5728a5db75
SHA256: 0bb71786dd42fced85fd4d47da823753e83a5cb6af260bf67bb116905c8328d3
SHA512: 684acadf678a8aee29df09c80d1f121474cc00d316b6f8407bc99e76f20ff7a54d3f1c6b3fdbcd56e494b07a1908fd83c57a3148970da839d6f4668820363e92
SSDEEP: 12288:qzbDRgCdJy+vKjt/hp2JIdK6DOAj/di+I/dzAwuFQ5fC:qXVgoy+YdbKh6DOAjVi6wuFQ5fC
Malware Config
Extracted
qakbot
404.1038
BB27
1683811051
salt: SoNuce]ugdiB3c[doMuce2s81*uXmcvP
Signatures

Program crash (1 IoC)
Processes:
  pid   pid_target  Process       procid_target
  2332  4872        WerFault.exe  84

Suspicious use of WriteProcessMemory (3 IoCs)
Processes:
  description                        pid   Process       procid_target
  PID 4836 wrote to memory of 4872   4836  rundll32.exe  84
  PID 4836 wrote to memory of 4872   4836  rundll32.exe  84
  PID 4836 wrote to memory of 4872   4836  rundll32.exe  84
Processes

C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\XyU8ZgqTP.dll,#1
  PID: 4836
  signatures: Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\rundll32.exe
      command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\XyU8ZgqTP.dll,#1
      PID: 4872
        C:\Windows\SysWOW64\WerFault.exe
          command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4872 -s 668
          PID: 2332
          signatures: Program crash

C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 4872 -ip 4872
  PID: 444