qakbot | 4eb7a871f9b479a9d719233dbd9f45c034e9fcf97cf70244f6d6eeaa48665a4d

Analysis

max time kernel
150s
max time network
50s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
08/09/2022, 15:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

627967aa04631496b1bd5e502bd0c461e5991ff65eaa0f1714b8053351157e87.dll
Size

525KB
MD5

07c8c11cc4ef73de943134ab8e71850d
SHA1

6dffeac5550fd6b2af6738e6cda834767d41a2e5
SHA256

4eb7a871f9b479a9d719233dbd9f45c034e9fcf97cf70244f6d6eeaa48665a4d
SHA512

4d1f5d32c04ff8e4beb03cc8709ab5e073b4b18d21b6bbe59ab8198e92989d78a45e28234bc9c821455685bcdffc61732d2a00892b2bda396f194244fb68ebf2
SSDEEP

12288:sWghjfsaHKisYUVJAEvyxN7UDIC6hD3jkYm:jijHHKH53vU7UsNxwn

Score

10^/10

qakbot azd 1661969003 banker stealer trojan

Malware Config

Extracted

Family

qakbot

Version

403.780

Botnet

azd

Campaign

1661969003

72.252.157.93:990

72.252.157.93:995

187.172.230.151:443

46.107.48.202:443

70.46.220.114:443

173.189.167.21:995

93.48.80.198:995

99.232.140.205:2222

89.211.179.14:2222

37.210.148.30:995

182.191.92.203:995

41.228.22.180:443

70.51.153.182:2222

47.180.172.159:443

47.23.89.61:993

173.21.10.71:2222

208.107.221.224:443

76.25.142.196:443

63.143.92.99:995

24.158.23.166:995

Attributes

salt
jHxastDcds)oMc=jvh7wdUhxcsdt2

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
2012	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1972	rundll32.exe
460	explorer.exe
460	explorer.exe
460	explorer.exe
460	explorer.exe
460	explorer.exe
460	explorer.exe
460	explorer.exe
460	explorer.exe
460	explorer.exe
460	explorer.exe
460	explorer.exe
460	explorer.exe
460	explorer.exe
460	explorer.exe
460	explorer.exe
460	explorer.exe
460	explorer.exe
460	explorer.exe
460	explorer.exe
460	explorer.exe
460	explorer.exe
460	explorer.exe
460	explorer.exe
460	explorer.exe
460	explorer.exe
460	explorer.exe
460	explorer.exe
460	explorer.exe
460	explorer.exe
460	explorer.exe
460	explorer.exe
460	explorer.exe
460	explorer.exe
460	explorer.exe
460	explorer.exe
460	explorer.exe
460	explorer.exe
460	explorer.exe
460	explorer.exe
460	explorer.exe
460	explorer.exe
460	explorer.exe
460	explorer.exe
460	explorer.exe
460	explorer.exe
460	explorer.exe
460	explorer.exe
460	explorer.exe
460	explorer.exe
460	explorer.exe
460	explorer.exe
460	explorer.exe
460	explorer.exe
460	explorer.exe
460	explorer.exe
460	explorer.exe
460	explorer.exe
460	explorer.exe
460	explorer.exe
460	explorer.exe
460	explorer.exe
460	explorer.exe
460	explorer.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
1972	rundll32.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 1880 wrote to memory of 1972	1880	rundll32.exe	27
PID 1880 wrote to memory of 1972	1880	rundll32.exe	27
PID 1880 wrote to memory of 1972	1880	rundll32.exe	27
PID 1880 wrote to memory of 1972	1880	rundll32.exe	27
PID 1880 wrote to memory of 1972	1880	rundll32.exe	27
PID 1880 wrote to memory of 1972	1880	rundll32.exe	27
PID 1880 wrote to memory of 1972	1880	rundll32.exe	27
PID 1972 wrote to memory of 460	1972	rundll32.exe	28
PID 1972 wrote to memory of 460	1972	rundll32.exe	28
PID 1972 wrote to memory of 460	1972	rundll32.exe	28
PID 1972 wrote to memory of 460	1972	rundll32.exe	28
PID 1972 wrote to memory of 460	1972	rundll32.exe	28
PID 1972 wrote to memory of 460	1972	rundll32.exe	28
PID 460 wrote to memory of 2012	460	explorer.exe	29
PID 460 wrote to memory of 2012	460	explorer.exe	29
PID 460 wrote to memory of 2012	460	explorer.exe	29
PID 460 wrote to memory of 2012	460	explorer.exe	29

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\627967aa04631496b1bd5e502bd0c461e5991ff65eaa0f1714b8053351157e87.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1880
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\627967aa04631496b1bd5e502bd0c461e5991ff65eaa0f1714b8053351157e87.dll,#1
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:1972
- - C:\Windows\SysWOW64\explorer.exe
    C:\Windows\SysWOW64\explorer.exe
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:460
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /Z /ST 15:57 /tn fewbhnco /ET 16:08 /tr "powershell.exe -encodedCommand cgBlAGcAcwB2AHIAMwAyAC4AZQB4AGUAIAAiAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwAXABUAGUAbQBwAFwANgAyADcAOQA2ADcAYQBhADAANAA2ADMAMQA0ADkANgBiADEAYgBkADUAZQA1ADAAMgBiAGQAMABjADQANgAxAGUANQA5ADkAMQBmAGYANgA1AGUAYQBhADAAZgAxADcAMQA0AGIAOAAwADUAMwAzADUAMQAxADUANwBlADgANwAuAGQAbABsACIA" /SC ONCE
      4⤵
      Creates scheduled task(s)
      PID:2012

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/460-61-0x0000000074851000-0x0000000074853000-memory.dmp

Filesize
8KB

Download
memory/460-63-0x0000000000080000-0x00000000000A2000-memory.dmp

Filesize
136KB

Download
memory/460-65-0x0000000000080000-0x00000000000A2000-memory.dmp

Filesize
136KB

Download
memory/1972-55-0x0000000075D71000-0x0000000075D73000-memory.dmp

Filesize
8KB

Download
memory/1972-56-0x0000000000740000-0x00000000007C6000-memory.dmp

Filesize
536KB

Download
memory/1972-57-0x00000000002F0000-0x0000000000313000-memory.dmp

Filesize
140KB

Download
memory/1972-58-0x0000000000840000-0x0000000000862000-memory.dmp

Filesize
136KB

Download
memory/1972-62-0x0000000000840000-0x0000000000862000-memory.dmp

Filesize
136KB

Download