qakbot | 627967aa04631496b1bd5e502bd0c461e5991ff65eaa0f1714b8053351157e87

Resubmissions

11-09-2022 11:30

220911-nmg3jsbeb9 10

11-09-2022 10:49

220911-mwvvbsbdh4 10

08-09-2022 20:23

220908-y54z5sfha5 10

Analysis

max time kernel
141s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
08-09-2022 20:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

627967aa04631496b1bd5e502bd0c461e5991ff65eaa0f1714b8053351157e87.dll
Size

525KB
MD5

1d1ab6ac00c3ed27bf2a4b1f4a0007a1
SHA1

6774518bb3a0e81aea7df6fc57d90187e214fc3d
SHA256

627967aa04631496b1bd5e502bd0c461e5991ff65eaa0f1714b8053351157e87
SHA512

153bf3adbf03aea21b3f2664cad36747f046002b635830478145016b0d148f380250679949638f491073f997ef89b776480d021f1ae1799308c16954a5948d58
SSDEEP

12288:yWghjfsaHKisYUVJAEvyxN7UDIC6hD3jkYm:BijHHKH53vU7UsNxwn

Score

10^/10

qakbot azd 1661969003 banker stealer trojan

Malware Config

Extracted

Family

qakbot

Version

403.780

Botnet

azd

Campaign

1661969003

72.252.157.93:990

72.252.157.93:995

187.172.230.151:443

46.107.48.202:443

70.46.220.114:443

173.189.167.21:995

93.48.80.198:995

99.232.140.205:2222

89.211.179.14:2222

37.210.148.30:995

182.191.92.203:995

41.228.22.180:443

70.51.153.182:2222

47.180.172.159:443

47.23.89.61:993

173.21.10.71:2222

208.107.221.224:443

76.25.142.196:443

63.143.92.99:995

24.158.23.166:995

Attributes

salt
jHxastDcds)oMc=jvh7wdUhxcsdt2

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4248 1684 WerFault.exe rundll32.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

rundll32.exe

pid process

1684 rundll32.exe
1684 rundll32.exe

pid	pid_target	process	target process
4248	1684	WerFault.exe	rundll32.exe

pid	process
1684	rundll32.exe
1684	rundll32.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 1188 wrote to memory of 1684	1188	rundll32.exe	rundll32.exe
PID 1188 wrote to memory of 1684	1188	rundll32.exe	rundll32.exe
PID 1188 wrote to memory of 1684	1188	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\627967aa04631496b1bd5e502bd0c461e5991ff65eaa0f1714b8053351157e87.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1188

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\627967aa04631496b1bd5e502bd0c461e5991ff65eaa0f1714b8053351157e87.dll,#1
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1684

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1684 -s 700
3⤵
- Program crash
PID:4248

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1684 -ip 1684
1⤵
PID:4992

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1684-132-0x0000000000000000-mapping.dmp

Download
memory/1684-133-0x0000000000AD0000-0x0000000000B56000-memory.dmp

Filesize
536KB

Download
memory/1684-135-0x0000000004580000-0x00000000045A2000-memory.dmp

Filesize
136KB

Download
memory/1684-134-0x0000000004550000-0x0000000004573000-memory.dmp

Filesize
140KB

Download