Analysis
max time kernel: 150s
max time network: 33s
platform: windows7_x64
resource: win7-20230220-en
resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
submitted: 02-06-2023 11:07

Static task: static1
Behavioral task: behavioral1 (Sample: distantly.dll, Resource: win7-20230220-en)
General
Target: distantly.dll
Size: 682KB
MD5: 5f1e08625d65bb93e8bf4611d2ee9070
SHA1: 56fc9eb319ac902ac7e26357bd4cc598a3644d38
SHA256: 7bfa0fc80cf1b4dc110356aad858ed3638985dce794286dfe9a25ff3869fed02
SHA512: 94de1f8c3da8439f6bee529cf6e4d10979ca757af0b30f27b7d9f2d0dbbd18051c9b49e3c7470c2c271bbf1221986497e266168ff9a2d47d5b47924eac7fd011
SSDEEP: 12288:dDxy+2MIBYYimb3oG11xfTUOz3dluiIIN:Vg+2MIBYkb4G11hTsi
Malware Config
Extracted
Family: qakbot
Version: 404.1346
Botnet: BB30
Campaign: 1685686808
C2 (ip:port):
86.173.2.12:2222
92.9.45.20:2222
100.4.163.158:2222
213.64.33.92:2222
75.98.154.19:443
78.192.109.105:2222
88.126.94.4:50000
70.28.50.223:2083
92.154.17.149:2222
24.234.220.88:993
87.252.106.39:995
174.4.89.3:443
12.172.173.82:20
90.29.86.138:2222
70.160.67.203:443
223.166.13.95:995
184.181.75.148:443
95.45.50.93:2222
201.143.215.69:443
64.121.161.102:443
2.82.8.80:443
188.28.19.84:443
81.101.185.146:443
79.77.142.22:2222
84.215.202.8:443
183.87.163.165:443
74.12.147.139:2078
74.12.147.139:2222
74.12.147.139:2083
70.28.50.223:2078
94.204.202.106:443
87.221.153.182:2222
70.28.50.223:2087
24.234.220.88:990
2.49.63.160:2222
72.205.104.134:443
199.27.66.213:443
83.249.198.100:2222
90.104.151.37:2222
116.75.63.183:443
117.195.17.148:993
77.126.99.230:443
45.62.70.33:443
24.234.220.88:465
203.109.44.236:995
75.109.111.89:443
161.142.103.187:995
77.86.98.236:443
147.147.30.126:2222
124.246.122.199:2222
103.123.223.133:443
180.151.19.13:2078
176.142.207.63:443
12.172.173.82:32101
103.140.174.20:2222
70.50.83.216:2222
12.172.173.82:465
38.2.18.164:443
93.187.148.45:995
70.64.77.115:443
12.172.173.82:21
70.49.205.198:2222
27.0.48.233:443
12.172.173.82:50001
83.110.223.61:443
103.141.50.43:995
85.101.239.116:443
103.42.86.42:995
92.1.170.110:995
81.229.117.95:2222
124.122.47.148:443
103.212.19.254:995
103.139.242.6:443
125.99.76.102:443
50.68.186.195:443
47.205.25.170:443
12.172.173.82:993
12.172.173.82:22
70.28.50.223:32100
79.168.224.165:2222
121.121.108.120:995
69.160.121.6:61201
200.84.211.255:2222
201.244.108.183:995
93.187.148.45:443
85.61.165.153:2222
184.182.66.109:443
175.156.217.7:2222
70.28.50.223:3389
114.143.176.236:443
65.95.141.84:2222
80.6.50.34:443
12.172.173.82:2087
47.199.241.39:443
66.241.183.99:443
113.11.92.30:443
186.75.95.6:443
125.99.69.178:443
109.130.247.84:2222
96.56.197.26:2222
70.50.1.252:2222
91.160.70.68:32100
67.70.120.249:2222
209.171.160.69:995
98.163.227.79:443
176.133.4.230:995
24.234.220.88:995
45.62.75.250:443
200.44.198.47:2222
173.17.45.60:443
5.192.141.228:2222
184.63.133.131:995
78.82.143.154:2222
73.88.173.113:443
181.4.225.225:443
24.234.220.88:443
174.58.146.57:443
Signatures
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes (pid, process):
1328 rundll32.exe (1 IoC)
1368 wermgr.exe (remaining 63 IoCs)

Suspicious use of WriteProcessMemory (14 IoCs)
Processes (description | pid | process | target process):
PID 1064 wrote to memory of 1328 | 1064 | rundll32.exe | rundll32.exe (7 IoCs)
PID 1328 wrote to memory of 1368 | 1328 | rundll32.exe | wermgr.exe (7 IoCs)
Processes
1. C:\Windows\system32\rundll32.exe
   Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\distantly.dll,next
   PID: 1064
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\rundll32.exe
      Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\distantly.dll,next
      PID: 1328
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\wermgr.exe
         Command line: C:\Windows\SysWOW64\wermgr.exe
         PID: 1368
         - Suspicious behavior: EnumeratesProcesses