Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

3.dll

windows7-x64

10

3.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    17/05/2023, 07:01

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    3.dll

  • Size

    155KB

  • MD5

    8ef4f8378e46810e6fee986edd2ab86e

  • SHA1

    10ddd3259795fe6ec44cc9ce46626682ea10aab9

  • SHA256

    e531467aa967ee9d535e479633257a583ee655acd1c53618ecbaf44731bb9af8

  • SHA512

    19c7c556e092a8b4ae0707e89e54400f65b209da8ad4974b92138cceca1d7d593b56b06f81f58f1f1a712377b3cd2a3ef138b5d2ff89b7893ae2e7b251d4dc1f

  • SSDEEP

    3072:yraaktuZFO86/lFIYAwJ96VFHT8TBffkyH:0bO8El+9wJYVFHT8TB3f

Score
10/10
qakbotnotset1681806702bankerstealertrojan

Malware Config

Extracted

Family

qakbot

Version

404.999

Botnet

notset

Campaign

1681806702

C2

67.10.2.240:995

172.248.42.122:443

12.172.173.82:21

76.86.31.59:443

24.139.11.137:443

74.66.134.24:443

86.178.33.125:2222

198.2.51.242:993

124.246.122.199:2222

50.68.204.71:995

12.172.173.82:465

184.182.66.109:443

105.184.209.7:995

100.6.31.96:443

139.226.47.229:995

175.156.65.126:2222

161.142.104.40:995

122.184.143.85:443

125.99.69.178:443

86.99.49.64:2222
Attributes
  • salt

    SoNuce]ugdiB3c[doMuce2s81*uXmcvP

Signatures

  • Qakbot/Qbot

    Qbot or Qakbot is a sophisticated worm with banking capabilities.

    trojanbankerstealerqakbot
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\3.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1888
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\3.dll,#1
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:4196
      • C:\Windows\SysWOW64\wermgr.exe
        C:\Windows\SysWOW64\wermgr.exe
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:1108
        • C:\Windows\SysWOW64\ping.exe
          ping -n 3 yahoo.com
          4⤵
          • Runs ping.exe
          PID:232

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1108-133-0x0000000000380000-0x00000000003A4000-memory.dmp

    Filesize

    144KB

    Download

  • memory/1108-135-0x0000000000380000-0x00000000003A4000-memory.dmp

    Filesize

    144KB

    Download

  • memory/1108-136-0x0000000000380000-0x00000000003A4000-memory.dmp

    Filesize

    144KB

    Download

  • memory/1108-137-0x0000000000380000-0x00000000003A4000-memory.dmp

    Filesize

    144KB

    Download

  • memory/1108-138-0x0000000000380000-0x00000000003A4000-memory.dmp

    Filesize

    144KB

    Download

  • memory/1108-139-0x0000000000380000-0x00000000003A4000-memory.dmp

    Filesize

    144KB

    Download

  • memory/1108-141-0x0000000000380000-0x00000000003A4000-memory.dmp

    Filesize

    144KB

    Download

  • memory/1108-143-0x0000000000380000-0x00000000003A4000-memory.dmp

    Filesize

    144KB

    Download