Overview

overview

10

Static

static

3

972d75aeda...5a.dll

windows7-x64

10

972d75aeda...5a.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    144s
  • max time network
    129s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19-12-2023 20:37

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    972d75aeda58274d396e5adf1ad35e5a.dll

  • Size

    253KB

  • MD5

    972d75aeda58274d396e5adf1ad35e5a

  • SHA1

    186d436bbdea3b692ac74886570071647e8e0456

  • SHA256

    d53b819e793ac21a76cfb93afd3a5ae424d629dbfcb61d48f3a32a2e8e18d438

  • SHA512

    b3078a5513e88de447e1bbef16ea385bfa95b0591035dbbebf780b42333c53abe1e3ab77ffb0d684ce5d914662dc529b4ee9c98d11821d806e9ba0019515b05d

  • SSDEEP

    3072:0PQdEOItJPxluIalXQOr+nxQNBO0jTL23i7eBnaVImWeqSR4G78SYSuDSMv6UWv:MUr+nxQNBO0jf2Ee5aSzeF4DSY7Dh6R

Score
10/10
qakbotobama1051632819007bankerevasionstealertrojan

Malware Config

Extracted

Family

qakbot

Version

402.343

Botnet

obama105

Campaign

1632819007

C2

120.150.218.241:995

95.77.223.148:443

185.250.148.74:443

181.118.183.94:443

105.198.236.99:443

140.82.49.12:443

37.210.152.224:995

89.101.97.139:443

81.241.252.59:2078

27.223.92.142:995

81.250.153.227:2222

73.151.236.31:443

47.22.148.6:443

122.11.220.212:2222

120.151.47.189:443

199.27.127.129:443

216.201.162.158:443

136.232.34.70:443

76.25.142.196:443

75.66.88.33:443
Attributes
  • salt

    jHxastDcds)oMc=jvh7wdUhxcsdt2

Signatures

  • Qakbot/Qbot

    Qbot or Qakbot is a sophisticated worm with banking capabilities.

    trojanbankerstealerqakbot
  • Windows security bypass 2 TTPs 4 IoCs
    evasiontrojan
  • Loads dropped DLL 1 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies data under HKEY_USERS 10 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\972d75aeda58274d396e5adf1ad35e5a.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3876
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\972d75aeda58274d396e5adf1ad35e5a.dll,#1
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:2192
      • C:\Windows\SysWOW64\explorer.exe
        C:\Windows\SysWOW64\explorer.exe
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1236
        • C:\Windows\SysWOW64\schtasks.exe
          "C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn xiimqeq /tr "regsvr32.exe -s \"C:\Users\Admin\AppData\Local\Temp\972d75aeda58274d396e5adf1ad35e5a.dll\"" /SC ONCE /Z /ST 11:50 /ET 12:02
          4⤵
          • Creates scheduled task(s)
          PID:3220
  • C:\Windows\system32\regsvr32.exe
    regsvr32.exe -s "C:\Users\Admin\AppData\Local\Temp\972d75aeda58274d396e5adf1ad35e5a.dll"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:468
    • C:\Windows\SysWOW64\regsvr32.exe
      -s "C:\Users\Admin\AppData\Local\Temp\972d75aeda58274d396e5adf1ad35e5a.dll"
      2⤵
      • Loads dropped DLL
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:1652
      • C:\Windows\SysWOW64\explorer.exe
        C:\Windows\SysWOW64\explorer.exe
        3⤵
        • Modifies data under HKEY_USERS
        • Suspicious use of WriteProcessMemory
        PID:4148
        • C:\Windows\system32\reg.exe
          C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\Users\Admin\AppData\Roaming\Microsoft\Uoulsb" /d "0"
          4⤵
          • Windows security bypass
          PID:1604
        • C:\Windows\system32\reg.exe
          C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\ProgramData\Microsoft\Xabweuw" /d "0"
          4⤵
          • Windows security bypass
          PID:3344

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1
T1053

Persistence

Scheduled Task/Job

1
T1053

Privilege Escalation

Scheduled Task/Job

1
T1053

Defense Evasion

Impair Defenses

1
T1562

Disable or Modify Tools

1
T1562.001

Modify Registry

1
T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\972d75aeda58274d396e5adf1ad35e5a.dll
    Filesize

    253KB

    MD5

    972d75aeda58274d396e5adf1ad35e5a

    SHA1

    186d436bbdea3b692ac74886570071647e8e0456

    SHA256

    d53b819e793ac21a76cfb93afd3a5ae424d629dbfcb61d48f3a32a2e8e18d438

    SHA512

    b3078a5513e88de447e1bbef16ea385bfa95b0591035dbbebf780b42333c53abe1e3ab77ffb0d684ce5d914662dc529b4ee9c98d11821d806e9ba0019515b05d

    Download Submit
  • memory/1236-4-0x0000000000A00000-0x0000000000A21000-memory.dmp
    Filesize

    132KB

    Download
  • memory/1236-5-0x0000000000A00000-0x0000000000A21000-memory.dmp
    Filesize

    132KB

    Download
  • memory/1236-0-0x0000000000A00000-0x0000000000A21000-memory.dmp
    Filesize

    132KB

    Download
  • memory/1236-6-0x0000000000A00000-0x0000000000A21000-memory.dmp
    Filesize

    132KB

    Download
  • memory/1236-8-0x0000000000A00000-0x0000000000A21000-memory.dmp
    Filesize

    132KB

    Download
  • memory/1652-13-0x0000000010000000-0x0000000016278000-memory.dmp
    Filesize

    98.5MB

    Download
  • memory/2192-1-0x0000000010000000-0x0000000016278000-memory.dmp
    Filesize

    98.5MB

    Download
  • memory/4148-12-0x0000000000330000-0x0000000000351000-memory.dmp
    Filesize

    132KB

    Download
  • memory/4148-15-0x0000000000330000-0x0000000000351000-memory.dmp
    Filesize

    132KB

    Download
  • memory/4148-16-0x0000000000330000-0x0000000000351000-memory.dmp
    Filesize

    132KB

    Download
  • memory/4148-17-0x0000000000330000-0x0000000000351000-memory.dmp
    Filesize

    132KB

    Download
  • memory/4148-19-0x0000000000330000-0x0000000000351000-memory.dmp
    Filesize

    132KB

    Download