Analysis
-
max time kernel
120s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240220-en -
resource tags
arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system -
submitted
02-04-2024 10:06
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
12094a47a9659b1c2f7c5b36e21d2b0145c9e7b2e79845a437508efa96e5f305.dll
Resource
win7-20240220-en
windows7-x64
4 signatures
150 seconds
General
-
Target
12094a47a9659b1c2f7c5b36e21d2b0145c9e7b2e79845a437508efa96e5f305.dll
-
Size
898KB
-
MD5
88bbf2a743baaf81f7a312be61f90d76
-
SHA1
3719aabc29d5eb58d5d2d2a37066047c67bfc2c6
-
SHA256
12094a47a9659b1c2f7c5b36e21d2b0145c9e7b2e79845a437508efa96e5f305
-
SHA512
b01f955eb5f840e01f1f65d5f19c0963e155b1f8d03b4e0720eccbd397cc9aee9a19a63000719e3cf8f580573a335bd61f39fe1261f44e1d5371a9c695b60b70
-
SSDEEP
24576:qTm4c0TXhxdmVQGn88R7XM3Ljluc9KEaJqCjh0LmK8:6jP8Q13LjluSrCj+q/
Malware Config
Extracted
Family
qakbot
Botnet
tchk07
Campaign
1702975817
C2
116.203.56.11:443
109.107.181.8:443
Attributes
-
camp_date
2023-12-19 08:50:17 +0000 UTC
Signatures
-
Detect Qakbot Payload 3 IoCs
Processes:
resource yara_rule behavioral1/memory/1984-1-0x00000000001B0000-0x00000000001DD000-memory.dmp family_qakbot_v5 behavioral1/memory/1984-0-0x0000000001D30000-0x0000000001D5F000-memory.dmp family_qakbot_v5 behavioral1/memory/1984-5-0x0000000001D60000-0x0000000001D8E000-memory.dmp family_qakbot_v5 -
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
rundll32.exepid Process 1984 rundll32.exe -
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
rundll32.exedescription pid Process procid_target PID 1984 wrote to memory of 888 1984 rundll32.exe 29 PID 1984 wrote to memory of 888 1984 rundll32.exe 29 PID 1984 wrote to memory of 888 1984 rundll32.exe 29 PID 1984 wrote to memory of 888 1984 rundll32.exe 29
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\12094a47a9659b1c2f7c5b36e21d2b0145c9e7b2e79845a437508efa96e5f305.dll,#11⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1984 -
C:\Windows\System32\wermgr.exeC:\Windows\System32\wermgr.exe2⤵PID:888
-