Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

7

1267da2579...fc.dll

windows7-x64

7

1267da2579...fc.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    93s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240221-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240221-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22/02/2024, 10:15

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1267da257994e424d5a3c7c431898ec2c7c748b354f231ebb07e5e4ccaa0eafc.dll

  • Size

    314KB

  • MD5

    30a2fde7780e4928490777897af72057

  • SHA1

    a6755dbc251fddb523e1d8762040108aa5198f8e

  • SHA256

    1267da257994e424d5a3c7c431898ec2c7c748b354f231ebb07e5e4ccaa0eafc

  • SHA512

    89da2592e70ba74a7e96f213dfa13c67085cd03cd2e763e404338d174d09de2e7dafce77c663056e9cf3a966e527bcb8fc20a2a8e8dd0ac316c9dc95b08e9be0

  • SSDEEP

    6144:VXMURcNLpyXU9W5rulKJQ8n7fgK3RnHV2HoS:BN2NNyXUXM7fgK3RnHV2HoS

Score
10/10
qakbotbb241681985211bankerstealertrojanupx

Malware Config

Extracted

Family

qakbot

Version

404.1001

Botnet

BB24

Campaign

1681985211

C2

12.172.173.82:20

187.199.85.154:32103

96.56.197.26:2078

197.1.229.119:443

90.104.151.37:2222

90.55.106.37:2222

92.186.69.229:2222

92.136.62.50:2222

70.112.206.5:443

77.126.185.173:443

96.56.197.26:2083

89.36.206.220:995

93.150.183.229:2222

45.246.235.177:995

92.9.45.20:2222

92.154.17.149:2222

88.126.94.4:50000

176.202.45.209:443

91.35.212.133:995

12.172.173.82:50001
Attributes
  • salt

    SoNuce]ugdiB3c[doMuce2s81*uXmcvP

Signatures

  • Qakbot/Qbot

    Qbot or Qakbot is a sophisticated worm with banking capabilities.

    trojanbankerstealerqakbot
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\1267da257994e424d5a3c7c431898ec2c7c748b354f231ebb07e5e4ccaa0eafc.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4052
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\1267da257994e424d5a3c7c431898ec2c7c748b354f231ebb07e5e4ccaa0eafc.dll,#1
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:5100
      • C:\Windows\SysWOW64\wermgr.exe
        C:\Windows\SysWOW64\wermgr.exe
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:1272
        • C:\Windows\SysWOW64\ping.exe
          ping -n 3 yahoo.com
          4⤵
          • Runs ping.exe
          PID:528

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1272-13-0x0000000000C90000-0x0000000000CB4000-memory.dmp

    Filesize

    144KB

    Download

  • memory/1272-14-0x0000000000C90000-0x0000000000CB4000-memory.dmp

    Filesize

    144KB

    Download

  • memory/1272-20-0x0000000000C90000-0x0000000000CB4000-memory.dmp

    Filesize

    144KB

    Download

  • memory/1272-18-0x0000000000C90000-0x0000000000CB4000-memory.dmp

    Filesize

    144KB

    Download

  • memory/1272-8-0x0000000000C90000-0x0000000000CB4000-memory.dmp

    Filesize

    144KB

    Download

  • memory/1272-9-0x0000000000C90000-0x0000000000CB4000-memory.dmp

    Filesize

    144KB

    Download

  • memory/1272-16-0x0000000000C90000-0x0000000000CB4000-memory.dmp

    Filesize

    144KB

    Download

  • memory/1272-15-0x0000000000C90000-0x0000000000CB4000-memory.dmp

    Filesize

    144KB

    Download

  • memory/1272-11-0x0000000000C90000-0x0000000000CB4000-memory.dmp

    Filesize

    144KB

    Download

  • memory/5100-0-0x0000000063A80000-0x0000000063B63000-memory.dmp

    Filesize

    908KB

    Download

  • memory/5100-10-0x0000000010000000-0x0000000010024000-memory.dmp

    Filesize

    144KB

    Download

  • memory/5100-12-0x0000000063A80000-0x0000000063B63000-memory.dmp

    Filesize

    908KB

    Download

  • memory/5100-1-0x0000000002090000-0x0000000002093000-memory.dmp

    Filesize

    12KB

    Download

  • memory/5100-7-0x0000000010000000-0x0000000010024000-memory.dmp

    Filesize

    144KB

    Download

  • memory/5100-2-0x0000000010000000-0x0000000010024000-memory.dmp

    Filesize

    144KB

    Download