qakbot | 4367ef10c26ce4b66be5a31f39529d7eb0a167da0321be894e43d4ed577385cf

Analysis

max time kernel
72s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
22/09/2022, 14:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

breezily/torpors.dll
Size

849KB
MD5

e22a4ef15b7c6c9eb884e445cefa2ef9
SHA1

b9da48940ae7e41de7bc6c0909ab53465d05e3c7
SHA256

5e5c55c133d644de044f5bcb782b618fd188a1c6ca707298815ab23295fb43c1
SHA512

3cc653b343d7f972d823e42bda4150c0747f81617b4f795e2724dfa4f0f0f10756fc068feaeedeb69ef7b4bdcd931908c5cfb0f1e8a170925915a771ff1738f8
SSDEEP

12288:VByskGoWHwa0nZXKlhb/H9TT+iTojfQCA3kptT68JtQrB5UT+QD1lNMABa:SnEjYNAeh4X668JA5w9Mqa

Score

10^/10

qakbot bb 1663698873 banker stealer trojan

Malware Config

Extracted

Family

qakbot

Version

403.895

Botnet

Campaign

1663698873

173.218.180.91:443

134.35.13.43:443

197.94.84.128:443

70.51.132.197:2222

181.118.183.123:443

189.19.189.222:32101

41.111.1.60:995

70.49.33.200:2222

99.232.140.205:2222

139.228.33.176:2222

193.3.19.37:443

41.99.57.155:443

177.255.14.99:995

31.54.39.153:2078

191.97.234.238:995

105.159.30.48:443

217.165.146.41:993

119.82.111.158:443

66.181.164.43:443

88.245.168.200:2222

Attributes

salt
SoNuce]ugdiB3c[doMuce2s81*uXmcvP

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2524	528	WerFault.exe	80

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
528	rundll32.exe
528	rundll32.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1548 wrote to memory of 528	1548	rundll32.exe	80
PID 1548 wrote to memory of 528	1548	rundll32.exe	80
PID 1548 wrote to memory of 528	1548	rundll32.exe	80

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\breezily\torpors.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1548
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\breezily\torpors.dll,#1
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:528
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 528 -s 668
    3⤵
    - Program crash
    PID:2524

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 528 -ip 528
1⤵
PID:4204

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/528-136-0x00000000033A0000-0x00000000033C2000-memory.dmp

Filesize
136KB

Download
memory/528-137-0x0000000003330000-0x0000000003371000-memory.dmp

Filesize
260KB

Download
memory/528-138-0x00000000033A0000-0x00000000033C2000-memory.dmp

Filesize
136KB

Download