qakbot | a5f9efbd8eb8dbadaead5328b9e1f3ace32e1b92f2772048cac6d455b8810d4c

Analysis

max time kernel
31s
max time network
45s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
15-06-2022 11:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

sample_packed.exe
Size

325KB
MD5

e1205ef15da2dbecb57b40ce43abe0f8
SHA1

8525f7a7218923302f97f4eb3865a1e20c271521
SHA256

a5f9efbd8eb8dbadaead5328b9e1f3ace32e1b92f2772048cac6d455b8810d4c
SHA512

d963263077611a27a663a97853cba3bb1031f4ba051129f08b2bb702b1a4e7b5e9e701cf08032b0c5d4fe4247bc18978b159e8d4900d3f3c0f392eb80d4551eb

Score

10^/10

qakbot spx133 1591267427 banker stealer trojan

Malware Config

Extracted

Family

qakbot

Version

324.142

Botnet

spx133

Campaign

1591267427

49.144.84.21:443

189.159.133.162:995

173.245.152.231:443

77.237.181.212:995

207.255.161.8:2078

76.187.8.160:443

207.255.161.8:2087

98.219.77.197:443

66.222.88.126:995

207.255.161.8:32102

108.58.9.238:995

47.152.210.233:443

1.40.42.4:443

188.27.71.163:443

82.127.193.151:2222

104.50.141.139:995

67.83.54.76:2222

86.126.97.183:2222

73.94.229.115:443

47.35.182.97:443

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4856 4196 WerFault.exe sample_packed.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

sample_packed.exesample_packed.exe

pid process

4284 sample_packed.exe
4284 sample_packed.exe
4196 sample_packed.exe
4196 sample_packed.exe

pid	pid_target	process	target process
4856	4196	WerFault.exe	sample_packed.exe

pid	process
4284	sample_packed.exe
4284	sample_packed.exe
4196	sample_packed.exe
4196	sample_packed.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

sample_packed.exe

description	pid	process	target process
PID 4284 wrote to memory of 4196	4284	sample_packed.exe	sample_packed.exe
PID 4284 wrote to memory of 4196	4284	sample_packed.exe	sample_packed.exe
PID 4284 wrote to memory of 4196	4284	sample_packed.exe	sample_packed.exe

C:\Users\Admin\AppData\Local\Temp\sample_packed.exe
"C:\Users\Admin\AppData\Local\Temp\sample_packed.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4284

C:\Users\Admin\AppData\Local\Temp\sample_packed.exe
C:\Users\Admin\AppData\Local\Temp\sample_packed.exe /C
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4196

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4196 -s 624
3⤵
- Program crash
PID:4856

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4196 -ip 4196
1⤵
PID:2472

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4196-133-0x0000000000000000-mapping.dmp

Download
memory/4196-134-0x0000000000400000-0x0000000000535000-memory.dmp

Filesize
1.2MB

Download
memory/4196-136-0x00000000021B0000-0x00000000021EA000-memory.dmp

Filesize
232KB

Download
memory/4196-137-0x0000000000400000-0x0000000000535000-memory.dmp

Filesize
1.2MB

Download
memory/4196-138-0x00000000021B0000-0x00000000021EA000-memory.dmp

Filesize
232KB

Download
memory/4284-130-0x0000000000400000-0x0000000000535000-memory.dmp

Filesize
1.2MB

Download
memory/4284-131-0x00000000022B0000-0x00000000022E7000-memory.dmp

Filesize
220KB

Download
memory/4284-132-0x0000000002330000-0x000000000236A000-memory.dmp

Filesize
232KB

Download
memory/4284-135-0x0000000002330000-0x000000000236A000-memory.dmp

Filesize
232KB

Download