qakbot | 1cdad75e7830e4ae946bb26c15be354676820710c2471d9ea6d24926fc0df86f

Analysis

max time kernel
150s
max time network
45s
platform
windows7_x64
resource
win7-20220331-en
submitted
07-04-2022 16:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0fa38d62e10a8aae27e6624c29e94dc0.dll
Size

1.2MB
MD5

0fa38d62e10a8aae27e6624c29e94dc0
SHA1

38eacb884c084f9e455e6e32002661a95bb7e4f5
SHA256

1cdad75e7830e4ae946bb26c15be354676820710c2471d9ea6d24926fc0df86f
SHA512

bb283a71face353a3cec670442ddef2b8eab5fcfe1d0893c7ed195880356f4181f1b56854a54e95174b518db7c72fa9e094954e81fa10149c6cfb3424b650419

Score

10^/10

qakbot aa 1649273252 banker stealer trojan

Malware Config

Extracted

Family

qakbot

Version

403.573

Botnet

Campaign

1649273252

47.23.89.62:993

187.207.48.194:61202

45.63.1.12:995

140.82.63.183:995

45.76.167.26:995

140.82.63.183:443

144.202.2.175:995

144.202.3.39:443

149.28.238.199:443

144.202.3.39:995

45.63.1.12:443

149.28.238.199:995

45.76.167.26:443

144.202.2.175:443

100.1.108.246:443

32.221.224.140:995

24.55.67.176:443

31.35.28.29:443

70.51.134.168:2222

71.13.93.154:2222

Attributes

salt
jHxastDcds)oMc=jvh7wdUhxcsdt2

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot

Suspicious behavior: EnumeratesProcesses 63 IoCs

pid	Process
1060	regsvr32.exe
616	explorer.exe
616	explorer.exe
616	explorer.exe
616	explorer.exe
616	explorer.exe
616	explorer.exe
616	explorer.exe
616	explorer.exe
616	explorer.exe
616	explorer.exe
616	explorer.exe
616	explorer.exe
616	explorer.exe
616	explorer.exe
616	explorer.exe
616	explorer.exe
616	explorer.exe
616	explorer.exe
616	explorer.exe
616	explorer.exe
616	explorer.exe
616	explorer.exe
616	explorer.exe
616	explorer.exe
616	explorer.exe
616	explorer.exe
616	explorer.exe
616	explorer.exe
616	explorer.exe
616	explorer.exe
616	explorer.exe
616	explorer.exe
616	explorer.exe
616	explorer.exe
616	explorer.exe
616	explorer.exe
616	explorer.exe
616	explorer.exe
616	explorer.exe
616	explorer.exe
616	explorer.exe
616	explorer.exe
616	explorer.exe
616	explorer.exe
616	explorer.exe
616	explorer.exe
616	explorer.exe
616	explorer.exe
616	explorer.exe
616	explorer.exe
616	explorer.exe
616	explorer.exe
616	explorer.exe
616	explorer.exe
616	explorer.exe
616	explorer.exe
616	explorer.exe
616	explorer.exe
616	explorer.exe
616	explorer.exe
616	explorer.exe
616	explorer.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
1060	regsvr32.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 1920 wrote to memory of 1060	1920	regsvr32.exe	28
PID 1920 wrote to memory of 1060	1920	regsvr32.exe	28
PID 1920 wrote to memory of 1060	1920	regsvr32.exe	28
PID 1920 wrote to memory of 1060	1920	regsvr32.exe	28
PID 1920 wrote to memory of 1060	1920	regsvr32.exe	28
PID 1920 wrote to memory of 1060	1920	regsvr32.exe	28
PID 1920 wrote to memory of 1060	1920	regsvr32.exe	28
PID 1060 wrote to memory of 616	1060	regsvr32.exe	29
PID 1060 wrote to memory of 616	1060	regsvr32.exe	29
PID 1060 wrote to memory of 616	1060	regsvr32.exe	29
PID 1060 wrote to memory of 616	1060	regsvr32.exe	29
PID 1060 wrote to memory of 616	1060	regsvr32.exe	29
PID 1060 wrote to memory of 616	1060	regsvr32.exe	29

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\0fa38d62e10a8aae27e6624c29e94dc0.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:1920
- C:\Windows\SysWOW64\regsvr32.exe
  /s C:\Users\Admin\AppData\Local\Temp\0fa38d62e10a8aae27e6624c29e94dc0.dll
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:1060
- - C:\Windows\SysWOW64\explorer.exe
    C:\Windows\SysWOW64\explorer.exe
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:616

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/616-63-0x0000000000080000-0x0000000000082000-memory.dmp

Filesize
8KB

Download
memory/616-67-0x00000000749A1000-0x00000000749A3000-memory.dmp

Filesize
8KB

Download
memory/616-68-0x0000000000140000-0x00000000001CF000-memory.dmp

Filesize
572KB

Download
memory/1060-56-0x0000000076201000-0x0000000076203000-memory.dmp

Filesize
8KB

Download
memory/1060-57-0x0000000010000000-0x000000001008F000-memory.dmp

Filesize
572KB

Download
memory/1920-54-0x000007FEFC1F1000-0x000007FEFC1F3000-memory.dmp

Filesize
8KB

Download