Overview

overview

10

Static

static

3

4000hz.dll

windows7-x64

10

4000hz.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    82s
  • max time network
    84s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    16/06/2023, 11:39

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    4000hz.dll

  • Size

    1.2MB

  • MD5

    3106a030a6f3083be7e5809727687e4b

  • SHA1

    dcf81a4b10c7d6122fc68253172fef4cf59aebbf

  • SHA256

    81e49a38bf964c207c561656295ec4d349c40239342fa59ed761cb4efad9490d

  • SHA512

    395e086eb3dee1823c2dc2a608bde147387185a889207212c3c9cc29d092ac623ea572c83753deb52d581bfabc3e354a263474a8e2b5669ea4b4b1741eef297a

  • SSDEEP

    24576:KGSbIuGSom9C0k1HH1cqj06uPi2bro8nuuDYmc1WpFgiYnGn6AW:Kf8r9W01Gn6

Score
10/10
qakbotbb321686908761bankerstealertrojan

Malware Config

Extracted

Family

qakbot

Version

404.1374

Botnet

BB32

Campaign

1686908761

C2

86.176.144.175:2222

86.248.228.57:2078

88.171.156.150:50000

183.87.163.165:443

45.201.208.87:443

74.12.147.205:2222

96.87.28.170:2222

70.28.50.223:32100

220.79.238.82:443

12.172.173.82:995

45.2.61.134:3389

70.160.67.203:443

103.141.50.45:995

88.126.94.4:50000

70.28.50.223:3389

142.181.206.222:2222

51.37.181.9:443

223.166.13.95:995

162.248.14.107:443

95.45.50.93:2222

Signatures

  • Qakbot/Qbot

    Qbot or Qakbot is a sophisticated worm with banking capabilities.

    trojanbankerstealerqakbot
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\4000hz.dll,must
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:5084
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\4000hz.dll,must
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:748
      • C:\Windows\SysWOW64\wermgr.exe
        C:\Windows\SysWOW64\wermgr.exe
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:4804

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/748-133-0x0000000000E30000-0x0000000000E33000-memory.dmp

    Filesize

    12KB

    Download

  • memory/748-134-0x00000000028F0000-0x0000000002914000-memory.dmp

    Filesize

    144KB

    Download

  • memory/4804-139-0x0000000000B20000-0x0000000000B22000-memory.dmp

    Filesize

    8KB

    Download

  • memory/4804-140-0x0000000000AF0000-0x0000000000B14000-memory.dmp

    Filesize

    144KB

    Download

  • memory/4804-146-0x0000000000AF0000-0x0000000000B14000-memory.dmp

    Filesize

    144KB

    Download

  • memory/4804-147-0x0000000000AF0000-0x0000000000B14000-memory.dmp

    Filesize

    144KB

    Download

  • memory/4804-148-0x0000000000AF0000-0x0000000000B14000-memory.dmp

    Filesize

    144KB

    Download

  • memory/4804-149-0x0000000000AF0000-0x0000000000B14000-memory.dmp

    Filesize

    144KB

    Download

  • memory/4804-150-0x0000000000AF0000-0x0000000000B14000-memory.dmp

    Filesize

    144KB

    Download