Analysis

  • max time kernel
    152s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    07-06-2023 19:36

General

  • Target

    3d696100adab4005b28c06b231ab5096c999420794d39bb83f824a144ee11a81.dll

  • Size

    458KB

  • MD5

    0c1fc94f8650dd40505cc6b1a820a074

  • SHA1

    5c6a4f0967826c9ac7ba0b12995a4f65d5221af6

  • SHA256

    3d696100adab4005b28c06b231ab5096c999420794d39bb83f824a144ee11a81

  • SHA512

    bc1ceb92aefa17279c08376fd9933ee462a80649cefab84c4e6293f6d36488cbd7f004ac72be642d909d50c644d8cb4d38cac151566531a936ec3a4cac8247d5

  • SSDEEP

    12288:1BBzPfDyNMCLzaf1jhk6rOB4VzW9PXNYL5FHnKaWl5N26fw:lfeNMCn0j5rjI1NO51SI6Y

Malware Config

Extracted

  • Family
    qakbot
  • Version
    404.1358
  • Botnet
    obama267
  • Campaign
    1686127648
  • C2
    161.142.100.114:995
    116.75.63.15:443
    125.99.76.102:443
    93.187.148.45:443
    79.168.224.165:2222
    31.53.29.216:2222
    103.123.223.133:443
    62.35.230.21:995
    124.149.143.189:2222
    109.50.149.241:2222
    86.222.101.244:2222
    45.62.70.33:443
    24.234.220.88:995
    201.244.108.183:995
    190.75.134.240:2222
    103.212.19.254:995
    184.182.66.109:443
    64.121.161.102:443
    178.175.187.254:443
    94.59.123.30:2222
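The extracted configuration is the part of this report that feeds detection, so it is worth parsing rather than copying by hand. The following is an added example, not part of the sandbox report: it reads the label/value layout exactly as it appears above (the text embedded in the script is a constructed copy of those fields), validates every C2 entry as a routable `ip:port`, converts the campaign ID to UTC (Qakbot campaign IDs are Unix timestamps), counts entries per port, and emits Suricata-style alert rules. The rule `msg` text, the `sid` numbering and the `base_sid` default are assumptions of the example.

```python
"""Parse a sandbox report's extracted Qakbot config into structured IOCs.

Added example, not part of the original report. CONFIG_TEXT is a constructed
copy of the fields listed on the page.
"""
import ipaddress
import re
from collections import Counter
from datetime import datetime, timezone

# Constructed sample: the extracted-config fields as they appear on the page.
CONFIG_TEXT = """\
Family
qakbot
Version
404.1358
Botnet
obama267
Campaign
1686127648
C2
161.142.100.114:995
116.75.63.15:443
125.99.76.102:443
93.187.148.45:443
79.168.224.165:2222
31.53.29.216:2222
103.123.223.133:443
62.35.230.21:995
124.149.143.189:2222
109.50.149.241:2222
86.222.101.244:2222
45.62.70.33:443
24.234.220.88:995
201.244.108.183:995
190.75.134.240:2222
103.212.19.254:995
184.182.66.109:443
64.121.161.102:443
178.175.187.254:443
94.59.123.30:2222
"""

# Labels used by the report; everything after "C2" is a host:port list.
SCALAR_KEYS = ("Family", "Version", "Botnet", "Campaign")
C2_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})$")


def parse_config(text: str) -> dict:
    """Turn the label/value layout into a dict; C2 entries become (ip, port) tuples.

    Malformed C2 lines are collected in cfg["errors"] instead of being dropped, so a
    copy/paste error in an IOC list does not silently become a hole in a blocklist.
    """
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    cfg = {"c2": [], "errors": []}
    i = 0
    while i < len(lines):
        label = lines[i]
        if label in SCALAR_KEYS and i + 1 < len(lines):
            cfg[label.lower()] = lines[i + 1]
            i += 2
        elif label == "C2":
            for entry in lines[i + 1:]:
                m = C2_RE.match(entry)
                try:
                    if not m:
                        raise ValueError("not host:port")
                    ip = ipaddress.ip_address(m.group(1))  # rejects octets > 255
                    port = int(m.group(2))
                    if not 1 <= port <= 65535:
                        raise ValueError("port out of range")
                    cfg["c2"].append((str(ip), port))
                except ValueError as exc:
                    cfg["errors"].append(f"{entry}: {exc}")
            break
        else:
            cfg["errors"].append(f"unknown label {label!r}")
            i += 1
    # Qakbot campaign IDs are Unix timestamps; keep the raw value and a readable form.
    if cfg.get("campaign", "").isdigit():
        cfg["campaign_utc"] = datetime.fromtimestamp(
            int(cfg["campaign"]), tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")
    return cfg


def ports_in_use(cfg: dict) -> dict:
    """Count C2 entries per port; tells you which egress ports to watch."""
    return dict(Counter(port for _, port in cfg["c2"]))


def suricata_rules(cfg: dict, base_sid: int = 9000001) -> list:
    """One outbound-connection alert per C2, in the report's order (sid values assumed)."""
    return [
        f'alert tcp $HOME_NET any -> {ip} {port} '
        f'(msg:"Qakbot {cfg.get("botnet", "?")} C2 {ip}:{port}"; flow:to_server; '
        f'sid:{base_sid + n}; rev:1;)'
        for n, (ip, port) in enumerate(cfg["c2"])
    ]


if __name__ == "__main__":
    parsed = parse_config(CONFIG_TEXT)
    print(parsed["family"], parsed["version"], parsed["botnet"], parsed["campaign_utc"])
    print(ports_in_use(parsed), parsed["errors"])
    print("\n".join(suricata_rules(parsed)[:3]))
```

The port breakdown (443, 995 and 2222) is the useful output: 2222 is not a port most networks need outbound, so a connection to it from a workstation is a cheap hunt even without the exact IP list.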

Signatures

  • Qakbot/Qbot

    Qakbot (Qbot) is a modular banking trojan and malware loader with worm-like lateral-movement capabilities.

  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 18 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\3d696100adab4005b28c06b231ab5096c999420794d39bb83f824a144ee11a81.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2824
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\3d696100adab4005b28c06b231ab5096c999420794d39bb83f824a144ee11a81.dll,#1
      2⤵
      PID:4220
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4220 -s 600
        3⤵
        • Program crash
        PID:1456
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 208 -p 4220 -ip 4220
    1⤵
    PID:1156
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
    PID:404
  • C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4228
    • C:\Windows\system32\rundll32.exe
      rundll32.exe 3.dll,menu
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4804
      • C:\Windows\SysWOW64\rundll32.exe
        rundll32.exe 3.dll,menu
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:4140
        • C:\Windows\SysWOW64\wermgr.exe
          C:\Windows\SysWOW64\wermgr.exe
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:780
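Two things in the process tree are worth turning into detection logic. The first invocation loaded the DLL from the user's Temp directory by ordinal (`,#1`), was redirected to the 32-bit `rundll32.exe` and crashed there (WerFault reporting on PID 4220). The second invocation, `rundll32.exe 3.dll,menu`, ended with `wermgr.exe`, a Windows Error Reporting helper, running as a child of `rundll32.exe` after the parent showed `WriteProcessMemory` activity. The following is an added example, not part of the sandbox report: it runs three checks over Sysmon-style process-creation events constructed from the tree above (PIDs, images and command lines copied from it; the parent PIDs 1000 and 900 given to the top-level processes are placeholders): `wermgr.exe` spawned by `rundll32.exe`, `rundll32.exe` loading a DLL from a user-writable directory by export name or ordinal, and WerFault reports whose `-p` target is such a `rundll32.exe`.

```python
"""Flag the rundll32/wermgr patterns from the report's process tree.

Added example, not part of the sandbox report. EVENTS is constructed from the
Processes section of the page; parent PIDs 1000 and 900 are placeholders.
"""
import re

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\3d696100adab4005b28c06b231ab5096c999420794d39bb83f824a144ee11a81.dll"

# Constructed event log: (pid, parent_pid, image, command_line), Sysmon EID 1 style.
EVENTS = [
    (2824, 1000, r"C:\Windows\system32\rundll32.exe", f"rundll32.exe {SAMPLE},#1"),
    (4220, 2824, r"C:\Windows\SysWOW64\rundll32.exe", f"rundll32.exe {SAMPLE},#1"),
    (1456, 4220, r"C:\Windows\SysWOW64\WerFault.exe", r"C:\Windows\SysWOW64\WerFault.exe -u -p 4220 -s 600"),
    (1156, 900, r"C:\Windows\SysWOW64\WerFault.exe", r"C:\Windows\SysWOW64\WerFault.exe -pss -s 208 -p 4220 -ip 4220"),
    (4228, 1000, r"C:\Windows\system32\cmd.exe", r'"C:\Windows\system32\cmd.exe"'),
    (4804, 4228, r"C:\Windows\system32\rundll32.exe", r"rundll32.exe 3.dll,menu"),
    (4140, 4804, r"C:\Windows\SysWOW64\rundll32.exe", r"rundll32.exe 3.dll,menu"),
    (780, 4140, r"C:\Windows\SysWOW64\wermgr.exe", r"C:\Windows\SysWOW64\wermgr.exe"),
]

# Directories an unprivileged user can write to (pattern is the example's own choice).
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\(AppData|Downloads|Desktop|Documents)\\", re.I)
# rundll32 argument form: <dll>,<export> where export is a name or #ordinal.
RUNDLL_ARG = re.compile(r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+)"?,(?P<export>#?\w+)', re.I)
WERFAULT_PID = re.compile(r"-p\s+(\d+)")


def image_name(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (rule, pid, reason) hits for a list of process-creation events."""
    by_pid = {e[0]: e for e in events}
    hits = []
    user_dir_loaders = set()

    for pid, ppid, image, cmdline in events:
        name = image_name(image)
        parent_name = image_name(by_pid[ppid][2]) if ppid in by_pid else ""

        # Rule 1: wermgr.exe has no legitimate reason to be a child of rundll32.exe;
        # in the tree above it is where the payload ends up.
        if name == "wermgr.exe" and parent_name == "rundll32.exe":
            hits.append(("rundll32_spawns_wermgr", pid, f"parent {ppid} is rundll32.exe"))

        # Rule 2: rundll32 loading a DLL from a user-writable path, by name or ordinal.
        # A relative path such as "3.dll" is left alone: the working directory is unknown.
        if name == "rundll32.exe":
            m = RUNDLL_ARG.search(cmdline)
            if m and USER_WRITABLE.search(m.group("dll")):
                user_dir_loaders.add(pid)
                hits.append(("rundll32_user_dir_dll", pid,
                             f"{m.group('dll')} export {m.group('export')}"))

    # Rule 3 (second pass): crash reports for one of the loaders found above. A first-stage
    # DLL that crashes (wrong export, wrong bitness) is still a loader attempt worth seeing.
    for pid, ppid, image, cmdline in events:
        if image_name(image) == "werfault.exe":
            pm = WERFAULT_PID.search(cmdline)
            if pm and int(pm.group(1)) in user_dir_loaders:
                hits.append(("rundll32_user_dir_dll_crashed", pid, f"crash of pid {pm.group(1)}"))
    return hits


if __name__ == "__main__":
    for rule, pid, reason in detect(EVENTS):
        print(f"{rule:32} pid={pid:<5} {reason}")
```

Rule 1 is the high-confidence one and is worth a standalone alert; rule 2 on its own fires on some legitimate installers, so it is better used to scope rule 3 and as a hunting query than as a paging alert.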

Downloads

  • memory/780-139-0x0000000000600000-0x0000000000602000-memory.dmp
    Filesize
    8KB
  • memory/780-140-0x00000000003D0000-0x00000000003F4000-memory.dmp
    Filesize
    144KB
  • memory/780-146-0x00000000003D0000-0x00000000003F4000-memory.dmp
    Filesize
    144KB
  • memory/780-147-0x00000000003D0000-0x00000000003F4000-memory.dmp
    Filesize
    144KB
  • memory/780-148-0x00000000003D0000-0x00000000003F4000-memory.dmp
    Filesize
    144KB
  • memory/780-149-0x00000000003D0000-0x00000000003F4000-memory.dmp
    Filesize
    144KB
  • memory/780-150-0x00000000003D0000-0x00000000003F4000-memory.dmp
    Filesize
    144KB
  • memory/4140-133-0x0000000000620000-0x0000000000623000-memory.dmp
    Filesize
    12KB
  • memory/4140-134-0x0000000000D70000-0x0000000000D94000-memory.dmp
    Filesize
    144KB
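The memory dumps are the regions the sandbox saved from the two processes that held the payload: the 32-bit `rundll32.exe` (PID 4140) and the `wermgr.exe` it spawned (PID 780). The following is an added example, not part of the sandbox report. It parses the dump names (the `memory/<pid>-<seq>-<start>-<end>-memory.dmp` layout is assumed from the names shown on this page), checks each computed region size against the listed `Filesize`, collapses repeated dumps of the same region, and reports sizes that recur across processes. The one it finds is the 144KB region, present at 0xD70000 in rundll32.exe and at 0x3D0000 in wermgr.exe, which is what a stage written from the loader into its child looks like and is the dump to hand to YARA or a config extractor first.

```python
"""Make sense of a sandbox report's memory-dump list.

Added example, not part of the original report. DUMPS is constructed from the
Downloads list on the page; the name layout memory/<pid>-<seq>-<start>-<end>-memory.dmp
is assumed from those names.
"""
import re
from collections import defaultdict

DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$")

# Constructed input: (dump name, Filesize as listed on the page).
DUMPS = [
    ("memory/780-139-0x0000000000600000-0x0000000000602000-memory.dmp", "8KB"),
    ("memory/780-140-0x00000000003D0000-0x00000000003F4000-memory.dmp", "144KB"),
    ("memory/780-146-0x00000000003D0000-0x00000000003F4000-memory.dmp", "144KB"),
    ("memory/780-147-0x00000000003D0000-0x00000000003F4000-memory.dmp", "144KB"),
    ("memory/780-148-0x00000000003D0000-0x00000000003F4000-memory.dmp", "144KB"),
    ("memory/780-149-0x00000000003D0000-0x00000000003F4000-memory.dmp", "144KB"),
    ("memory/780-150-0x00000000003D0000-0x00000000003F4000-memory.dmp", "144KB"),
    ("memory/4140-133-0x0000000000620000-0x0000000000623000-memory.dmp", "12KB"),
    ("memory/4140-134-0x0000000000D70000-0x0000000000D94000-memory.dmp", "144KB"),
]


def parse_dump_name(name: str) -> dict:
    """Split a dump name into pid, sequence number and the [start, end) region."""
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"unrecognised dump name: {name}")
    start, end = int(m["start"], 16), int(m["end"], 16)
    # Regions come from the page allocator, so both ends must be page aligned and ordered.
    if end <= start or start % 0x1000 or end % 0x1000:
        raise ValueError(f"implausible region in {name}")
    return {"pid": int(m["pid"]), "seq": int(m["seq"]),
            "start": start, "end": end, "size": end - start}


def size_matches_listing(size: int, listed: str) -> bool:
    """Check a computed size against the page's 'NNKB' figure (exact multiple of 1024)."""
    return listed.upper().endswith("KB") and size == int(listed[:-2]) * 1024


def all_sizes_consistent(dumps) -> bool:
    return all(size_matches_listing(parse_dump_name(n)["size"], s) for n, s in dumps)


def regions_by_process(dumps) -> dict:
    """Distinct (start, end) regions per PID; repeated dumps of one region collapse to one."""
    out = defaultdict(set)
    for name, _ in dumps:
        d = parse_dump_name(name)
        out[d["pid"]].add((d["start"], d["end"]))
    return dict(out)


def shared_sizes(dumps) -> dict:
    """Region sizes that occur in more than one process, with the PIDs involved."""
    by_size = defaultdict(set)
    for name, _ in dumps:
        d = parse_dump_name(name)
        by_size[d["size"]].add(d["pid"])
    return {size: sorted(pids) for size, pids in by_size.items() if len(pids) > 1}


if __name__ == "__main__":
    print("sizes consistent with listing:", all_sizes_consistent(DUMPS))
    for pid, regions in regions_by_process(DUMPS).items():
        print(pid, [f"0x{s:X}-0x{e:X} ({(e - s) // 1024}KB)" for s, e in sorted(regions)])
    print("sizes shared across processes:", {f"0x{k:X}": v for k, v in shared_sizes(DUMPS).items()})
```

Matching on size alone is a heuristic: two unrelated allocations can share a size. It is cheap to confirm by diffing the two 144KB dumps, which for an injected stage should be identical apart from relocated pointers.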