Analysis

  • max time kernel
    600s
  • max time network
    564s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64
    arch:x86
    image:win10v2004-20230220-en
    locale:en-us
    os:windows10-2004-x64
    system
  • submitted
    12-06-2023 18:08

General

  • Target

    66bd4ee25df0e3dd99a0c1839afb5699f52667a2feeaa4091cc8eb18543fbc67.dll

  • Size

    131KB

  • MD5

    c46fef76655df08967c3056cdbc67c15

  • SHA1

    5724e8f56359ef60b146a99c978224ddcbdb6b81

  • SHA256

    66bd4ee25df0e3dd99a0c1839afb5699f52667a2feeaa4091cc8eb18543fbc67

  • SHA512

    702d51ff95504797ac06d3569a07f8db3fd3835563f26dd11f9bf98b83438d2908a45223d6ecc2a1c11665241bce435836813ed5063612789e9f56996f447056

  • SSDEEP

    3072:hg0KGh5Z8j3EzihlFsUA9QJb4VMHT8TBff5BQ:dKGJGEz+lOB2JEVMHT8TB3bQ

Malware Config

Extracted

Family

qakbot

Version

404.1035

Botnet

obama261

Campaign

1683268508

C2

174.4.89.3:443

23.30.173.133:443

70.51.136.238:2222

68.173.170.110:8443

47.21.51.138:443

70.64.77.115:443

76.16.49.134:443

64.121.161.102:443

108.190.115.159:443

98.19.224.125:995

12.172.173.82:465

147.219.4.194:443

86.250.12.86:2222

188.176.171.3:443

88.126.94.4:50000

87.202.101.164:50000

74.92.243.115:50000

98.176.5.56:443

198.2.51.242:993

75.98.154.19:443

Attributes
  • salt

    SoNuce]ugdiB3c[doMuce2s81*uXmcvP

Signatures

  • Qakbot/Qbot

    Qbot (Qakbot) is a modular banking trojan and malware loader with worm-like self-propagation capabilities.

  • Blocklisted process makes network request 7 IoCs
  • Program crash 3 IoCs
  • Runs ping.exe 1 TTPs 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 6 IoCs
  • Suspicious use of WriteProcessMemory 42 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\66bd4ee25df0e3dd99a0c1839afb5699f52667a2feeaa4091cc8eb18543fbc67.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3884
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\66bd4ee25df0e3dd99a0c1839afb5699f52667a2feeaa4091cc8eb18543fbc67.dll,#1
      2⤵
      • Blocklisted process makes network request
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:1916
      • C:\Windows\SysWOW64\wermgr.exe
        C:\Windows\SysWOW64\wermgr.exe
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3272
        • C:\Windows\SysWOW64\ping.exe
          ping -n 3 yahoo.com
          4⤵
          • Runs ping.exe
          PID:4636
      • C:\Windows\SysWOW64\wermgr.exe
        C:\Windows\SysWOW64\wermgr.exe
        3⤵
        PID:1772
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 1772 -s 352
          4⤵
          • Program crash
          PID:980
      • C:\Windows\SysWOW64\backgroundTaskHost.exe
        C:\Windows\SysWOW64\backgroundTaskHost.exe
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4908
        • C:\Windows\SysWOW64\ping.exe
          ping -n 3 yahoo.com
          4⤵
          • Runs ping.exe
          PID:3480
      • C:\Windows\SysWOW64\backgroundTaskHost.exe
        C:\Windows\SysWOW64\backgroundTaskHost.exe
        3⤵
        PID:1744
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 1744 -s 288
          4⤵
          • Program crash
          PID:1344
      • C:\Windows\SysWOW64\dxdiag.exe
        C:\Windows\SysWOW64\dxdiag.exe
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:5076
        • C:\Windows\SysWOW64\ping.exe
          ping -n 3 yahoo.com
          4⤵
          • Runs ping.exe
          PID:4992
      • C:\Windows\SysWOW64\dxdiag.exe
        C:\Windows\SysWOW64\dxdiag.exe
        3⤵
        PID:388
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 388 -s 464
          4⤵
          • Program crash
          PID:4116
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 1772 -ip 1772
    1⤵
    PID:3856
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1744 -ip 1744
    1⤵
    PID:696
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 388 -ip 388
    1⤵
    PID:3348
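The process tree above shows the 32-bit rundll32.exe loading the DLL by ordinal export (,#1) and then spawning wermgr.exe, backgroundTaskHost.exe and dxdiag.exe; the copy of each host that the report tags with WriteProcessMemory runs "ping -n 3 yahoo.com" as a connectivity check, while a second copy crashes and is picked up by WerFault. The following is an added example, not part of the sandbox report or of any Qakbot tooling: a small Python detector that replays constructed Sysmon-style process events and flow records modelled on that chain and on the extracted C2 list, and flags the three links of the chain plus any flow to a configured C2 endpoint. The event tuple layout, the synthetic parent PIDs (1000, 900), the benign decoy events and all flow records are constructed for the example; images, command lines, child PIDs and C2 endpoints are taken from the report.

```python
"""Constructed replay of the Qakbot process chain and C2 list from the report above.
Event layout, synthetic parents, benign decoys and flow records are made up."""
import re
from collections import Counter

# C2 endpoints copied verbatim from the "Malware Config" section of the report.
C2_TEXT = """
174.4.89.3:443
23.30.173.133:443
70.51.136.238:2222
68.173.170.110:8443
47.21.51.138:443
70.64.77.115:443
76.16.49.134:443
64.121.161.102:443
108.190.115.159:443
98.19.224.125:995
12.172.173.82:465
147.219.4.194:443
86.250.12.86:2222
188.176.171.3:443
88.126.94.4:50000
87.202.101.164:50000
74.92.243.115:50000
98.176.5.56:443
198.2.51.242:993
75.98.154.19:443
"""


def parse_c2(text):
    """Parse one 'ip:port' per line into a set of (ip, port) tuples."""
    endpoints = set()
    for line in text.splitlines():
        line = line.strip()
        if line:
            ip, port = line.rsplit(":", 1)
            endpoints.add((ip, int(port)))
    return endpoints


QAKBOT_C2 = parse_c2(C2_TEXT)


def port_histogram(endpoints=QAKBOT_C2):
    """Port distribution of the config: 443 dominates, but 2222/50000/465/993/995 also appear."""
    return Counter(port for _, port in endpoints)


# DLL invoked by ordinal export from a user-writable path (rundll32 ... .dll,#1).
ORDINAL_EXPORT = re.compile(r"\.dll,#\d+\b", re.IGNORECASE)
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\", re.IGNORECASE)
# Processes used as injection hosts in this run (from the "Processes" section).
INJECTION_HOSTS = {"wermgr.exe", "backgroundtaskhost.exe", "dxdiag.exe"}

SAMPLE_DLL = (r"C:\Users\Admin\AppData\Local\Temp"
              r"\66bd4ee25df0e3dd99a0c1839afb5699f52667a2feeaa4091cc8eb18543fbc67.dll")

# Constructed process-creation events: (pid, ppid, image, command_line).
# Parents 1000 and 900 are synthetic; the last three events are benign decoys.
PROCESS_EVENTS = [
    (3884, 1000, r"C:\Windows\system32\rundll32.exe", "rundll32.exe " + SAMPLE_DLL + ",#1"),
    (1916, 3884, r"C:\Windows\SysWOW64\rundll32.exe", "rundll32.exe " + SAMPLE_DLL + ",#1"),
    (3272, 1916, r"C:\Windows\SysWOW64\wermgr.exe", r"C:\Windows\SysWOW64\wermgr.exe"),
    (4636, 3272, r"C:\Windows\SysWOW64\ping.exe", "ping -n 3 yahoo.com"),
    (5076, 1916, r"C:\Windows\SysWOW64\dxdiag.exe", r"C:\Windows\SysWOW64\dxdiag.exe"),
    (4992, 5076, r"C:\Windows\SysWOW64\ping.exe", "ping -n 3 yahoo.com"),
    (7000, 900, r"C:\Windows\System32\wermgr.exe", r"C:\Windows\System32\wermgr.exe -upload"),
    (7050, 900, r"C:\Windows\System32\cmd.exe", "cmd.exe"),
    (7100, 7050, r"C:\Windows\System32\ping.exe", "ping -n 3 yahoo.com"),
]


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def detect_chain(events):
    """Return (pid, rule) findings for each link of the rundll32 -> host -> ping chain."""
    by_pid = {pid: (ppid, image, cmd) for pid, ppid, image, cmd in events}
    findings = []
    for pid, ppid, image, cmd in events:
        name = basename(image)
        parent = by_pid.get(ppid)
        parent_name = basename(parent[1]) if parent else ""
        if name == "rundll32.exe" and ORDINAL_EXPORT.search(cmd) and USER_WRITABLE.search(cmd):
            findings.append((pid, "rundll32_ordinal_export_from_user_path"))
        if name in INJECTION_HOSTS and parent_name == "rundll32.exe":
            findings.append((pid, "rundll32_spawns_injection_host"))
        if name == "ping.exe" and parent_name in INJECTION_HOSTS:
            findings.append((pid, "injection_host_connectivity_check"))
    return findings


# Constructed flow records: (pid, dst_ip, dst_port). Only exact ip:port pairs count.
FLOWS = [
    (3272, "174.4.89.3", 443),      # in config
    (3272, "13.107.42.14", 443),    # unrelated 443 traffic, constructed
    (4908, "174.4.89.3", 80),       # right IP, wrong port: no hit
    (5076, "88.126.94.4", 50000),   # in config
]


def match_c2(flows, endpoints=QAKBOT_C2):
    """Flows whose (dst_ip, dst_port) pair is in the extracted C2 list."""
    return [f for f in flows if (f[1], f[2]) in endpoints]


if __name__ == "__main__":
    for finding in detect_chain(PROCESS_EVENTS):
        print("process", finding)
    for flow in match_c2(FLOWS):
        print("c2 flow", flow)
    print("ports", dict(port_histogram()))
```

Two design points worth keeping when turning this into a production rule: the ping alone is not a signal (the decoy cmd.exe -> ping.exe pair does not fire; only the parent chain does), and the C2 match is on the ip:port pair, because the configured hosts are residential addresses and several sit on ports such as 2222, 50000, 465, 993 and 995 that would look like ordinary mail or admin traffic if matched on port alone.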

Network

MITRE ATT&CK Enterprise v6
Downloads

  • memory/388-142-0x00000000003B0000-0x00000000003D4000-memory.dmp
    Filesize
    144KB
  • memory/1744-139-0x00000000005D0000-0x00000000005F4000-memory.dmp
    Filesize
    144KB
  • memory/1772-135-0x00000000012E0000-0x0000000001304000-memory.dmp
    Filesize
    144KB
  • memory/3272-133-0x0000000000AB0000-0x0000000000AD4000-memory.dmp
    Filesize
    144KB
  • memory/3272-134-0x0000000000AB0000-0x0000000000AD4000-memory.dmp
    Filesize
    144KB
  • memory/4908-136-0x0000000000A20000-0x0000000000A44000-memory.dmp
    Filesize
    144KB
  • memory/4908-137-0x0000000000A20000-0x0000000000A44000-memory.dmp
    Filesize
    144KB
  • memory/5076-140-0x00000000009C0000-0x00000000009E4000-memory.dmp
    Filesize
    144KB
  • memory/5076-141-0x00000000009C0000-0x00000000009E4000-memory.dmp
    Filesize
    144KB