Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

4000hz.dll

windows7-x64

10

4000hz.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    79s
  • max time network
    34s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
  • submitted
    16/06/2023, 11:39

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    4000hz.dll

  • Size

    1.2MB

  • MD5

    3106a030a6f3083be7e5809727687e4b

  • SHA1

    dcf81a4b10c7d6122fc68253172fef4cf59aebbf

  • SHA256

    81e49a38bf964c207c561656295ec4d349c40239342fa59ed761cb4efad9490d

  • SHA512

    395e086eb3dee1823c2dc2a608bde147387185a889207212c3c9cc29d092ac623ea572c83753deb52d581bfabc3e354a263474a8e2b5669ea4b4b1741eef297a

  • SSDEEP

    24576:KGSbIuGSom9C0k1HH1cqj06uPi2bro8nuuDYmc1WpFgiYnGn6AW:Kf8r9W01Gn6

Score
10/10
qakbotbb321686908761bankerstealertrojan

Malware Config

Extracted

Family

qakbot

Version

404.1374

Botnet

BB32

Campaign

1686908761

C2

86.176.144.175:2222

86.248.228.57:2078

88.171.156.150:50000

183.87.163.165:443

45.201.208.87:443

74.12.147.205:2222

96.87.28.170:2222

70.28.50.223:32100

220.79.238.82:443

12.172.173.82:995

45.2.61.134:3389

70.160.67.203:443

103.141.50.45:995

88.126.94.4:50000

70.28.50.223:3389

142.181.206.222:2222

51.37.181.9:443

223.166.13.95:995

162.248.14.107:443

95.45.50.93:2222

Signatures

  • Qakbot/Qbot

    Qbot or Qakbot is a sophisticated worm with banking capabilities.

    trojanbankerstealerqakbot
  • Suspicious behavior: EnumeratesProcesses 38 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\4000hz.dll,must
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2044
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\4000hz.dll,must
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:1168
      • C:\Windows\SysWOW64\wermgr.exe
        C:\Windows\SysWOW64\wermgr.exe
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:864

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/864-61-0x00000000000C0000-0x00000000000E4000-memory.dmp

    Filesize

    144KB

    Download

  • memory/864-60-0x00000000000F0000-0x00000000000F2000-memory.dmp

    Filesize

    8KB

    Download

  • memory/864-67-0x00000000000C0000-0x00000000000E4000-memory.dmp

    Filesize

    144KB

    Download

  • memory/864-68-0x00000000000C0000-0x00000000000E4000-memory.dmp

    Filesize

    144KB

    Download

  • memory/864-69-0x00000000000C0000-0x00000000000E4000-memory.dmp

    Filesize

    144KB

    Download

  • memory/864-70-0x00000000000C0000-0x00000000000E4000-memory.dmp

    Filesize

    144KB

    Download

  • memory/864-71-0x00000000000C0000-0x00000000000E4000-memory.dmp

    Filesize

    144KB

    Download

  • memory/1168-54-0x0000000000180000-0x0000000000183000-memory.dmp

    Filesize

    12KB

    Download

  • memory/1168-55-0x00000000001F0000-0x0000000000214000-memory.dmp

    Filesize

    144KB

    Download