qakbot | 42ad1e843f44a725a6666d3d27f10caaa2252a05e1bc0b9c3c315496728f9f25

Analysis

max time kernel
150s
max time network
43s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
21/09/2022, 16:49

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

MARGINALITY.dll
Size

703KB
MD5

069fbff5bbfa4dd3295442b26893c6bb
SHA1

1ef32f07ffb2f1cf5198203b7d263fd74d50939b
SHA256

42ad1e843f44a725a6666d3d27f10caaa2252a05e1bc0b9c3c315496728f9f25
SHA512

4c54c38d2f7a3fdcc154747d71db2a4871131e3a632eb5ede959f03370af9ba651825ed2a4318553ec0feeb82da1389cf15c4e74390d44edc72ddc01ea1eaa69
SSDEEP

12288:10cDgZApguXaZhjxA8DPG+WAHlKHnhMIEe5UT+QD1lNMABa:6w76Za8Gy8HnP5w9Mqa

Score

10^/10

qakbot bb 1663698873 banker stealer trojan

Malware Config

Extracted

Family

qakbot

Version

403.895

Botnet

Campaign

1663698873

173.218.180.91:443

134.35.13.43:443

197.94.84.128:443

70.51.132.197:2222

181.118.183.123:443

189.19.189.222:32101

41.111.1.60:995

70.49.33.200:2222

99.232.140.205:2222

139.228.33.176:2222

193.3.19.37:443

41.99.57.155:443

177.255.14.99:995

31.54.39.153:2078

191.97.234.238:995

105.159.30.48:443

217.165.146.41:993

119.82.111.158:443

66.181.164.43:443

88.245.168.200:2222

Attributes

salt
SoNuce]ugdiB3c[doMuce2s81*uXmcvP

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1536	rundll32.exe
1112	wermgr.exe
1112	wermgr.exe
1112	wermgr.exe
1112	wermgr.exe
1112	wermgr.exe
1112	wermgr.exe
1112	wermgr.exe
1112	wermgr.exe
1112	wermgr.exe
1112	wermgr.exe
1112	wermgr.exe
1112	wermgr.exe
1112	wermgr.exe
1112	wermgr.exe
1112	wermgr.exe
1112	wermgr.exe
1112	wermgr.exe
1112	wermgr.exe
1112	wermgr.exe
1112	wermgr.exe
1112	wermgr.exe
1112	wermgr.exe
1112	wermgr.exe
1112	wermgr.exe
1112	wermgr.exe
1112	wermgr.exe
1112	wermgr.exe
1112	wermgr.exe
1112	wermgr.exe
1112	wermgr.exe
1112	wermgr.exe
1112	wermgr.exe
1112	wermgr.exe
1112	wermgr.exe
1112	wermgr.exe
1112	wermgr.exe
1112	wermgr.exe
1112	wermgr.exe
1112	wermgr.exe
1112	wermgr.exe
1112	wermgr.exe
1112	wermgr.exe
1112	wermgr.exe
1112	wermgr.exe
1112	wermgr.exe
1112	wermgr.exe
1112	wermgr.exe
1112	wermgr.exe
1112	wermgr.exe
1112	wermgr.exe
1112	wermgr.exe
1112	wermgr.exe
1112	wermgr.exe
1112	wermgr.exe
1112	wermgr.exe
1112	wermgr.exe
1112	wermgr.exe
1112	wermgr.exe
1112	wermgr.exe
1112	wermgr.exe
1112	wermgr.exe
1112	wermgr.exe
1112	wermgr.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
1536	rundll32.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 1504 wrote to memory of 1536	1504	rundll32.exe	26
PID 1504 wrote to memory of 1536	1504	rundll32.exe	26
PID 1504 wrote to memory of 1536	1504	rundll32.exe	26
PID 1504 wrote to memory of 1536	1504	rundll32.exe	26
PID 1504 wrote to memory of 1536	1504	rundll32.exe	26
PID 1504 wrote to memory of 1536	1504	rundll32.exe	26
PID 1504 wrote to memory of 1536	1504	rundll32.exe	26
PID 1536 wrote to memory of 1112	1536	rundll32.exe	27
PID 1536 wrote to memory of 1112	1536	rundll32.exe	27
PID 1536 wrote to memory of 1112	1536	rundll32.exe	27
PID 1536 wrote to memory of 1112	1536	rundll32.exe	27
PID 1536 wrote to memory of 1112	1536	rundll32.exe	27
PID 1536 wrote to memory of 1112	1536	rundll32.exe	27

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\MARGINALITY.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1504
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\MARGINALITY.dll,#1
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:1536
- - C:\Windows\SysWOW64\wermgr.exe
    C:\Windows\SysWOW64\wermgr.exe
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1112

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1112-64-0x00000000000C0000-0x00000000000E2000-memory.dmp

Filesize
136KB

Download
memory/1112-65-0x00000000000C0000-0x00000000000E2000-memory.dmp

Filesize
136KB

Download
memory/1536-55-0x00000000768A1000-0x00000000768A3000-memory.dmp

Filesize
8KB

Download
memory/1536-56-0x00000000003C0000-0x00000000003E2000-memory.dmp

Filesize
136KB

Download
memory/1536-58-0x00000000003C0000-0x00000000003E2000-memory.dmp

Filesize
136KB

Download
memory/1536-57-0x00000000003C0000-0x00000000003E2000-memory.dmp

Filesize
136KB

Download
memory/1536-59-0x00000000002E0000-0x0000000000321000-memory.dmp

Filesize
260KB

Download
memory/1536-60-0x00000000003C0000-0x00000000003E2000-memory.dmp

Filesize
136KB

Download
memory/1536-63-0x00000000003C0000-0x00000000003E2000-memory.dmp

Filesize
136KB

Download