Analysis
- max time kernel: 137s
- max time network: 147s
- platform: windows10-2004_x64
- resource: win10v2004-20230220-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 07-06-2023 15:02
Static task: static1
Behavioral task: behavioral1 (Sample: qbot.bat, Resource: win7-20230220-en)
Behavioral task: behavioral2 (Sample: qbot.bat, Resource: win10v2004-20230220-en)
Behavioral task: behavioral3 (Sample: qbot.dll, Resource: win7-20230220-en)
Behavioral task: behavioral4 (Sample: qbot.dll, Resource: win10v2004-20230220-en)
General
- Target: qbot.dll
- Size: 458KB
- MD5: 8c836e7cbb1be6066855c419822a1437
- SHA1: 6793557ed4c894fd8aa101eacb121b42fcaea3f9
- SHA256: c219d1d518dde48b751f44298530fef731cfb1c0abf969a334bda025423ba162
- SHA512: 2930862c776b03241d0de60c9d6f763d90b163ab1c4e077be93345ad7df5f6d625fff36e3b8580b334ab873740c66a92c7acd1c027f7d7d0854fd4d89bc699f1
- SSDEEP: 12288:1BBzPfDyNMCLzaf1jhk6rOB4VzW9PXNYL5FHnKaWl5N26tw:lfeNMCn0j5rjI1NO51SI6e
Malware Config
Signatures
- Program crash (1 IoC)
  Processes:
  pid    pid_target    process        target process
  3012   1016          WerFault.exe   rundll32.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes:
  description                          pid    process        target process
  PID 2100 wrote to memory of 1016     2100   rundll32.exe   rundll32.exe
  PID 2100 wrote to memory of 1016     2100   rundll32.exe   rundll32.exe
  PID 2100 wrote to memory of 1016     2100   rundll32.exe   rundll32.exe
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\qbot.dll,#1
  PID: 2100
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\qbot.dll,#1
    PID: 1016
    - C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1016 -s 600
      PID: 3012
      Signatures: Program crash
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 1016 -ip 1016
  PID: 4028