Malware Analysis Report

2024-11-16 13:24

Sample ID 241007-23bgla1eqg
Target 2024-10-07_5e059c51a24a6d01175189a524f163bd_magniber_qakbot
SHA256 db369ea307634c1a7260bb47a42329ee8376138fd02f818aed86a2b6c651a022
Tags urelas discovery trojan
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256 db369ea307634c1a7260bb47a42329ee8376138fd02f818aed86a2b6c651a022

Threat Level: Known bad

The file 2024-10-07_5e059c51a24a6d01175189a524f163bd_magniber_qakbot was found to be: Known bad.

Malicious Activity Summary

urelas discovery trojan

Urelas family

Urelas

Deletes itself

Loads dropped DLL

Checks computer location settings

Executes dropped EXE

Unsigned PE

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2024-10-07 23:05

Signatures

Urelas family

urelas

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-10-07 23:05
Reported 2024-10-07 23:15
Platform win7-20240903-en
Max time kernel 150s
Max time network 74s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-10-07_5e059c51a24a6d01175189a524f163bd_magniber_qakbot.exe"

Signatures

Urelas

trojan urelas

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\sander.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ctfmom.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\sander.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ctfmom.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2024-10-07_5e059c51a24a6d01175189a524f163bd_magniber_qakbot.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ctfmom.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ctfmom.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ctfmom.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ctfmom.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ctfmom.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ctfmom.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ctfmom.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ctfmom.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ctfmom.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ctfmom.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ctfmom.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ctfmom.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ctfmom.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ctfmom.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ctfmom.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ctfmom.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ctfmom.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ctfmom.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ctfmom.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ctfmom.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ctfmom.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ctfmom.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ctfmom.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ctfmom.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ctfmom.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ctfmom.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ctfmom.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ctfmom.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ctfmom.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ctfmom.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ctfmom.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ctfmom.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ctfmom.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ctfmom.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ctfmom.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ctfmom.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ctfmom.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ctfmom.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ctfmom.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ctfmom.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ctfmom.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ctfmom.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ctfmom.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ctfmom.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ctfmom.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ctfmom.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ctfmom.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ctfmom.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ctfmom.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ctfmom.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ctfmom.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ctfmom.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ctfmom.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ctfmom.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ctfmom.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ctfmom.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ctfmom.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ctfmom.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ctfmom.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ctfmom.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ctfmom.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ctfmom.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ctfmom.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ctfmom.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1656 wrote to memory of 2524 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-10-07_5e059c51a24a6d01175189a524f163bd_magniber_qakbot.exe | C:\Users\Admin\AppData\Local\Temp\sander.exe
PID 1656 wrote to memory of 2524 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-10-07_5e059c51a24a6d01175189a524f163bd_magniber_qakbot.exe | C:\Users\Admin\AppData\Local\Temp\sander.exe
PID 1656 wrote to memory of 2524 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-10-07_5e059c51a24a6d01175189a524f163bd_magniber_qakbot.exe | C:\Users\Admin\AppData\Local\Temp\sander.exe
PID 1656 wrote to memory of 2524 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-10-07_5e059c51a24a6d01175189a524f163bd_magniber_qakbot.exe | C:\Users\Admin\AppData\Local\Temp\sander.exe
PID 1656 wrote to memory of 2860 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-10-07_5e059c51a24a6d01175189a524f163bd_magniber_qakbot.exe | C:\Windows\SysWOW64\cmd.exe
PID 1656 wrote to memory of 2860 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-10-07_5e059c51a24a6d01175189a524f163bd_magniber_qakbot.exe | C:\Windows\SysWOW64\cmd.exe
PID 1656 wrote to memory of 2860 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-10-07_5e059c51a24a6d01175189a524f163bd_magniber_qakbot.exe | C:\Windows\SysWOW64\cmd.exe
PID 1656 wrote to memory of 2860 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-10-07_5e059c51a24a6d01175189a524f163bd_magniber_qakbot.exe | C:\Windows\SysWOW64\cmd.exe
PID 2524 wrote to memory of 2028 | N/A | C:\Users\Admin\AppData\Local\Temp\sander.exe | C:\Users\Admin\AppData\Local\Temp\ctfmom.exe
PID 2524 wrote to memory of 2028 | N/A | C:\Users\Admin\AppData\Local\Temp\sander.exe | C:\Users\Admin\AppData\Local\Temp\ctfmom.exe
PID 2524 wrote to memory of 2028 | N/A | C:\Users\Admin\AppData\Local\Temp\sander.exe | C:\Users\Admin\AppData\Local\Temp\ctfmom.exe
PID 2524 wrote to memory of 2028 | N/A | C:\Users\Admin\AppData\Local\Temp\sander.exe | C:\Users\Admin\AppData\Local\Temp\ctfmom.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-10-07_5e059c51a24a6d01175189a524f163bd_magniber_qakbot.exe

"C:\Users\Admin\AppData\Local\Temp\2024-10-07_5e059c51a24a6d01175189a524f163bd_magniber_qakbot.exe"

C:\Users\Admin\AppData\Local\Temp\sander.exe

"C:\Users\Admin\AppData\Local\Temp\sander.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\_sannuyex.bat" "

C:\Users\Admin\AppData\Local\Temp\ctfmom.exe

"C:\Users\Admin\AppData\Local\Temp\ctfmom.exe"

Network

Country | Destination | Domain | Proto
KR | 121.88.5.183:11300 | | tcp
KR | 121.88.5.184:11170 | | tcp
KR | 112.223.217.101:11300 | | tcp

Files

memory/1656-0-0x0000000001320000-0x0000000001803000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_sannuyex.bat

MD5 000d2b1cf3fab58bbf40ee1924912157
SHA1 32929a141d564caf2a9a259f55d2c339e615e310
SHA256 cb9dac547745cba126c935f8338edd971469b52044c0f214aeda33c6ecc2248c
SHA512 4aa086ad7517dd417258faa08f9a52396fabf4e4c0dde46326b5690c1a9c2393671ad58a0699b7cee7c440fa63b9ef7f291edc2a3da017cf38556fb7bf26a009

memory/1656-16-0x0000000001320000-0x0000000001803000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\sander.exe

MD5 b61614d6bf18e51a52ffac3b66cf8b29
SHA1 34da0b4ded510794e82bdfe58b0e66256efc7389
SHA256 6237fad677f82b8774196b522d810030f4e50bad1b9a77e2df36b6a43ee716cf
SHA512 2008156381ebc17d98f7ae533110149d02b75b0574cedc9a9a6b16a55322e6ca5e24773de80fb6141b9ff6ace85b470245778ef93ebb8f077c5d8632dfd9b7c8

memory/2524-17-0x00000000013E0000-0x00000000018C3000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

MD5 04113afab96ff36e7da4cabf336079cf
SHA1 2ab6a01f123c1ef4227cb134612749b67a237bf6
SHA256 8b3cc0c31002ffa60f497966a671ff1c0a23a6efa831bd2be2cfbee7588bac16
SHA512 68358e6ae577e59dd540c31d4cfcf56968d9b84416ffcd527867711165d78a9f351da0bf41afab96107b1dc736467b092f5b79be2b8f7f96f6871e4a0b5472e9

memory/2524-20-0x00000000013E0000-0x00000000018C3000-memory.dmp

memory/2524-25-0x00000000012F0000-0x0000000001391000-memory.dmp

\Users\Admin\AppData\Local\Temp\ctfmom.exe

MD5 ee33d97dd90cd6987abbbe6e46e0efbb
SHA1 4c5f46e53ade4d6111d6e955f691b93614b0bd58
SHA256 71c0d27c9d69a096307e445168e9f45031c73d157c057d83213fd8da9af6012c
SHA512 7a276a3e85b0cb5cb942f8731a46626fb9223db58927ae6cca2a4c2c3d633872fd4c75918a4455113eea7c02d126750c56dc3b6af0d12bfb00de6dbb89326a88

memory/2524-28-0x00000000013E0000-0x00000000018C3000-memory.dmp

memory/2028-29-0x00000000002F0000-0x0000000000391000-memory.dmp

memory/2028-32-0x00000000002F0000-0x0000000000391000-memory.dmp

memory/2028-33-0x00000000002F0000-0x0000000000391000-memory.dmp

memory/2028-34-0x00000000002F0000-0x0000000000391000-memory.dmp

memory/2028-35-0x00000000002F0000-0x0000000000391000-memory.dmp

memory/2028-36-0x00000000002F0000-0x0000000000391000-memory.dmp

memory/2028-37-0x00000000002F0000-0x0000000000391000-memory.dmp

memory/2028-38-0x00000000002F0000-0x0000000000391000-memory.dmp

memory/2028-39-0x00000000002F0000-0x0000000000391000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted 2024-10-07 23:05
Reported 2024-10-08 10:59
Platform win10v2004-20241007-en
Max time kernel 150s
Max time network 152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-10-07_5e059c51a24a6d01175189a524f163bd_magniber_qakbot.exe"

Signatures

Urelas

trojan urelas

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\2024-10-07_5e059c51a24a6d01175189a524f163bd_magniber_qakbot.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\sander.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\sander.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ctfmom.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2024-10-07_5e059c51a24a6d01175189a524f163bd_magniber_qakbot.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\sander.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ctfmom.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ctfmom.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ctfmom.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ctfmom.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ctfmom.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ctfmom.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ctfmom.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ctfmom.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ctfmom.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ctfmom.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ctfmom.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ctfmom.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ctfmom.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ctfmom.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ctfmom.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ctfmom.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ctfmom.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ctfmom.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ctfmom.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ctfmom.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ctfmom.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ctfmom.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ctfmom.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ctfmom.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ctfmom.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ctfmom.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ctfmom.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ctfmom.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ctfmom.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ctfmom.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ctfmom.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ctfmom.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ctfmom.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ctfmom.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ctfmom.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ctfmom.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ctfmom.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ctfmom.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ctfmom.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ctfmom.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ctfmom.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ctfmom.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ctfmom.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ctfmom.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ctfmom.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ctfmom.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ctfmom.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ctfmom.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ctfmom.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ctfmom.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ctfmom.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ctfmom.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ctfmom.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ctfmom.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ctfmom.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ctfmom.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ctfmom.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ctfmom.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ctfmom.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ctfmom.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ctfmom.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ctfmom.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ctfmom.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ctfmom.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ctfmom.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2024-10-07_5e059c51a24a6d01175189a524f163bd_magniber_qakbot.exe

"C:\Users\Admin\AppData\Local\Temp\2024-10-07_5e059c51a24a6d01175189a524f163bd_magniber_qakbot.exe"

C:\Users\Admin\AppData\Local\Temp\sander.exe

"C:\Users\Admin\AppData\Local\Temp\sander.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_sannuyex.bat" "

C:\Users\Admin\AppData\Local\Temp\ctfmom.exe

"C:\Users\Admin\AppData\Local\Temp\ctfmom.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 100.209.201.84.in-addr.arpa | udp
US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp
KR | 121.88.5.183:11300 | | tcp
KR | 121.88.5.184:11170 | | tcp
US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp
KR | 112.223.217.101:11300 | | tcp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 94.65.42.20.in-addr.arpa | udp

Files

memory/4240-0-0x0000000000480000-0x0000000000963000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\sander.exe

MD5 abe78ecc684466dd762e28ec075b922a
SHA1 2dd097ac03a1a61b38fa85d48cdd8eb01cd4588d
SHA256 6f8f312a3c33e03472b48e1ddea55eae6ee790f3d9524345af0a7260ef5ea47c
SHA512 cb3f85602fc0d8cd9a9aa732633d2e01be9de577dd5a45ba6e723a8410d73bb8aa9d44cdc236f4d044d786952f48eac826573a95d275c9fe2bbec1cb3061a637

memory/4052-11-0x00000000001D0000-0x00000000006B3000-memory.dmp

memory/4240-14-0x0000000000480000-0x0000000000963000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_sannuyex.bat

MD5 000d2b1cf3fab58bbf40ee1924912157
SHA1 32929a141d564caf2a9a259f55d2c339e615e310
SHA256 cb9dac547745cba126c935f8338edd971469b52044c0f214aeda33c6ecc2248c
SHA512 4aa086ad7517dd417258faa08f9a52396fabf4e4c0dde46326b5690c1a9c2393671ad58a0699b7cee7c440fa63b9ef7f291edc2a3da017cf38556fb7bf26a009

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

MD5 04113afab96ff36e7da4cabf336079cf
SHA1 2ab6a01f123c1ef4227cb134612749b67a237bf6
SHA256 8b3cc0c31002ffa60f497966a671ff1c0a23a6efa831bd2be2cfbee7588bac16
SHA512 68358e6ae577e59dd540c31d4cfcf56968d9b84416ffcd527867711165d78a9f351da0bf41afab96107b1dc736467b092f5b79be2b8f7f96f6871e4a0b5472e9

memory/4052-17-0x00000000001D0000-0x00000000006B3000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ctfmom.exe

MD5 206994a75be232089e38112662f3463b
SHA1 d20fbd33f58ecbf598ccff1c861e964cbde42f58
SHA256 d85f3eca12c3ab019c027505626ff664734669319ec562b6126774a44b5f9ac1
SHA512 76e97b331a009e887187972e5a074cb07e0bc1d1144037900cb928c318e4bf73766e1c823e9fff5be61af028e36104c96a8697fb52990e8b5435c89ebba34a19

memory/3588-26-0x0000000000C50000-0x0000000000CF1000-memory.dmp

memory/3588-28-0x0000000000C50000-0x0000000000CF1000-memory.dmp

memory/3588-31-0x0000000000DF0000-0x0000000000DF2000-memory.dmp

memory/4052-27-0x00000000001D0000-0x00000000006B3000-memory.dmp

memory/3588-32-0x0000000000C50000-0x0000000000CF1000-memory.dmp

memory/3588-33-0x0000000000C50000-0x0000000000CF1000-memory.dmp

memory/3588-34-0x0000000000C50000-0x0000000000CF1000-memory.dmp

memory/3588-35-0x0000000000C50000-0x0000000000CF1000-memory.dmp

memory/3588-36-0x0000000000C50000-0x0000000000CF1000-memory.dmp

memory/3588-37-0x0000000000C50000-0x0000000000CF1000-memory.dmp

memory/3588-38-0x0000000000C50000-0x0000000000CF1000-memory.dmp

memory/3588-39-0x0000000000C50000-0x0000000000CF1000-memory.dmp

memory/3588-40-0x0000000000C50000-0x0000000000CF1000-memory.dmp