qakbot | 15a8435db9724377f4d5babe3ffac26ad943787baf79487e67deeba5b4346147

Analysis

max time kernel
150s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20220721-en
resource tags

arch:x64arch:x86image:win10v2004-20220721-enlocale:en-usos:windows10-2004-x64system
submitted
29-07-2022 23:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bba04c832f3e278361c826c4fafc70ec98d016d8ed5de6bc90db87a773cb658b.dll
Size

979KB
MD5

a54c368c81e44e3e30d39d20735eb2ae
SHA1

5381365f8afa1c9dff0da4fdb19a9527b6bf8118
SHA256

bba04c832f3e278361c826c4fafc70ec98d016d8ed5de6bc90db87a773cb658b
SHA512

abed3a88c56293a6377a87038b3811a07948ddbfbda9c58f21b6fddf4e39b89a059c9d98f764f154df7eba0497ed55907f34fd266bc2917a2cb916e4e49d2cd2

Score

10^/10

qakbot aa 1654852856 banker stealer trojan

Malware Config

Extracted

Family

qakbot

Version

403.688

Botnet

Campaign

1654852856

172.115.177.204:2222

78.177.60.224:443

75.99.168.194:61201

124.40.244.115:2222

32.221.224.140:995

31.35.28.29:443

186.90.153.162:2222

1.161.123.53:995

197.87.182.115:443

86.132.14.70:2078

197.94.94.206:443

74.14.5.179:2222

148.0.56.63:443

217.165.84.253:993

39.44.235.10:995

67.165.206.193:993

210.246.4.69:995

182.191.92.203:995

117.248.109.38:21

1.161.123.53:443

Attributes

salt
jHxastDcds)oMc=jvh7wdUhxcsdt2

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3752 984 WerFault.exe rundll32.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

rundll32.exe

pid process

984 rundll32.exe
984 rundll32.exe

pid	pid_target	process	target process
3752	984	WerFault.exe	rundll32.exe

pid	process
984	rundll32.exe
984	rundll32.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 3288 wrote to memory of 984	3288	rundll32.exe	rundll32.exe
PID 3288 wrote to memory of 984	3288	rundll32.exe	rundll32.exe
PID 3288 wrote to memory of 984	3288	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\bba04c832f3e278361c826c4fafc70ec98d016d8ed5de6bc90db87a773cb658b.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:3288

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\bba04c832f3e278361c826c4fafc70ec98d016d8ed5de6bc90db87a773cb658b.dll,#1
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:984

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 984 -s 736
3⤵
- Program crash
PID:3752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 984 -ip 984
1⤵
PID:3756

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/984-130-0x0000000000000000-mapping.dmp

Download
memory/984-131-0x0000000002840000-0x0000000002937000-memory.dmp

Filesize
988KB

Download
memory/984-132-0x0000000002EB0000-0x0000000002ED2000-memory.dmp

Filesize
136KB

Download
memory/984-133-0x0000000002E70000-0x0000000002EA2000-memory.dmp

Filesize
200KB

Download
memory/984-134-0x0000000002EB0000-0x0000000002ED2000-memory.dmp

Filesize
136KB

Download