Behavioral task: behavioral1
Sample: e40000.dll
Resource: win7-20230220-en

Behavioral task: behavioral2
Sample: e40000.dll
Resource: win10v2004-20230221-en
General
- Target: e40000.dll
- Size: 129KB
- MD5: ac77c3f304a7b4b9c0384fc6528a701b
- SHA1: 790c8dbac00599f98b5832f98144db5b42337e83
- SHA256: 463158091de1c6daa60498bf425f6b66072c2836210b9d449192e170ef9e34ea
- SHA512: 4f187918fc3c035a2f6c2695955109149b9d97a4a886349ea69893e4fd472d1232d822419fdeb3a00690e6f40fd17a377f7797d21ac8bb9033f0402c0c7189ce
- SSDEEP: 3072:hST5hTsRkHO+fia51+MAevJ+mJfh18TBfwCKLx:OsRkOXa7+JevJJJfh18TBICW
Malware Config
Extracted
qakbot
404.1320
obama265
1685436052
103.42.86.42:995
174.4.89.3:443
161.142.103.187:995
78.160.146.127:443
84.35.26.14:995
12.172.173.82:20
70.28.50.223:2078
124.149.143.189:2222
70.160.67.203:443
186.64.67.30:443
103.123.223.133:443
94.207.104.225:443
89.114.140.100:443
213.64.33.61:2222
86.176.144.234:2222
72.134.124.16:443
47.34.30.133:443
109.50.149.241:2222
85.104.105.67:443
81.111.108.123:443
86.173.2.12:2222
188.28.19.84:443
41.228.224.161:995
12.172.173.82:50001
178.175.187.254:443
65.95.141.84:2222
205.237.67.69:995
83.110.223.61:443
193.253.100.236:2222
27.0.48.233:443
102.159.188.125:443
71.38.155.217:443
58.186.75.42:443
76.178.148.107:2222
70.28.50.223:2087
114.143.176.236:443
51.14.29.227:2222
59.28.84.65:443
173.88.135.179:443
103.144.201.56:2078
96.87.28.170:2222
105.184.103.97:995
176.142.207.63:443
151.62.238.176:443
12.172.173.82:32101
122.186.210.254:443
82.125.44.236:2222
84.108.200.161:443
76.16.49.134:443
70.28.50.223:32100
12.172.173.82:465
76.170.252.153:995
184.182.66.109:443
78.92.133.215:443
50.68.204.71:993
186.75.95.6:443
113.11.92.30:443
70.28.50.223:3389
98.145.23.67:443
85.57.212.13:3389
50.68.186.195:443
47.205.25.170:443
12.172.173.82:993
12.172.173.82:22
69.242.31.249:443
81.101.185.146:443
79.168.224.165:2222
75.143.236.149:443
14.192.241.76:995
86.195.14.72:2222
81.229.117.95:2222
220.240.164.182:443
73.29.92.128:443
12.172.173.82:21
96.56.197.26:2222
75.109.111.89:443
76.86.31.59:443
201.244.108.183:995
68.203.69.96:443
124.122.47.148:443
122.184.143.86:443
92.186.69.229:2222
70.28.50.223:2083
89.129.109.27:2222
147.147.30.126:2222
125.99.76.102:443
88.126.94.4:50000
151.65.167.77:443
86.132.236.117:443
92.154.17.149:2222
223.166.13.95:995
89.36.206.69:995
96.56.197.26:2083
78.18.105.11:443
82.127.153.75:2222
90.78.147.141:2222
82.131.141.209:443
183.87.163.165:443
92.9.45.20:2222
80.6.50.34:443
80.12.88.148:2222
69.133.162.35:443
172.115.17.50:443
95.45.50.93:2222
12.172.173.82:2087
103.140.174.20:2222
24.198.114.130:995
50.68.204.71:443
69.119.123.159:2222
64.121.161.102:443
2.82.8.80:443
184.181.75.148:443
70.112.206.5:443
198.2.51.242:993
2.36.64.159:2078
79.77.142.22:2222
84.215.202.8:443
147.219.4.194:443
116.74.164.81:443
Signatures
- Qakbot family
- Unsigned PE (1 IoC)
  Checks for missing Authenticode signature.
  Processes: resource e40000.dll
Files
- e40000.dll.dll (windows x86): e691d2d770fea3e99dbc2a226b1d5802
Headers
File Characteristics
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
Imports
msvcrt
_snprintf
memchr
malloc
_errno
_strtoi64
_vsnprintf
memset
qsort
_ftol2_sse
_vsnwprintf
free
_time64
strncpy
strchr
strtod
localeconv
memcpy
atol
kernel32
FindNextFileW
GetTickCount
SetThreadPriority
FlushFileBuffers
LocalAlloc
GetExitCodeProcess
GetSystemTimeAsFileTime
GetFileAttributesW
MultiByteToWideChar
SetCurrentDirectoryA
Sleep
lstrcmpiW
GetDriveTypeW
GetLastError
CreateDirectoryW
lstrcatA
CreateMutexW
GetCurrentThread
GetProcessId
DisconnectNamedPipe
lstrcmpA
K32GetModuleFileNameExW
MoveFileW
ExitThread
GetNumberFormatA
GetCurrentProcessId
SwitchToThread
GetModuleHandleW
GetProcAddress
HeapCreate
HeapFree
HeapAlloc
GetModuleHandleA
LoadLibraryA
GetCurrentProcess
lstrcatW
WideCharToMultiByte
FindFirstFileW
GetWindowsDirectoryW
SetFileAttributesW
lstrlenW
LoadLibraryW
FreeLibrary
GetCommandLineW
GetVersionExA
GetSystemInfo
GetCurrentDirectoryW
user32
CharUpperBuffA
CharUpperBuffW
shell32
CommandLineToArgvW
ole32
CoCreateInstance
CoInitializeEx
CoSetProxyBlanket
CoInitializeSecurity
oleaut32
SafeArrayGetLBound
SysFreeString
SysAllocString
VariantClear
SafeArrayGetUBound
SafeArrayDestroy
SafeArrayGetElement
Exports
Sections
.text Size: 97KB - Virtual size: 97KB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
.rdata Size: 18KB - Virtual size: 17KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.data Size: 8KB - Virtual size: 8KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.rsrc Size: 1KB - Virtual size: 1KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.reloc Size: 3KB - Virtual size: 3KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ