qakbot | 01fd6e0c8393a5f4112ea19a26bedffb31d6a01f4d3fe5721ca20f479766208f

Analysis

max time kernel
149s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
22/09/2022, 17:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

guinea.db.dll
Size

849KB
MD5

747a50a101b528a155c8095f1aef0230
SHA1

7a8c734481c95117009c57c8c81e077a2a5c5d96
SHA256

01fd6e0c8393a5f4112ea19a26bedffb31d6a01f4d3fe5721ca20f479766208f
SHA512

d5da3700be5c84bcb3bd3700f48d021c4fae0b0c64e8cc8fdf06d8094a4d3a497acf2fafcc05b0f6dbfa2e3e7be6d0b62c08f0328808837791ec586b7a690582
SSDEEP

12288:VByskGoWHwa0nZXKlhb/H9TT+iTojfQCA3kptT68JtQzB5UT+QD1lNMAFa:SnEjYNAeh4X668Jc5w9M+a

Score

10^/10

qakbot bb 1663774884 banker stealer trojan

Malware Config

Extracted

Family

qakbot

Version

403.895

Botnet

Campaign

1663774884

70.49.33.200:2222

181.118.183.123:443

99.232.140.205:2222

31.54.39.153:2078

173.218.180.91:443

193.3.19.37:443

134.35.8.88:443

41.97.152.42:443

70.51.132.197:2222

41.111.74.35:995

189.19.189.222:32101

105.156.139.150:443

217.165.68.59:993

119.82.111.158:443

111.125.157.230:443

125.25.129.70:443

197.94.84.128:443

177.255.14.99:995

187.205.222.100:443

190.44.40.48:995

Attributes

salt
SoNuce]ugdiB3c[doMuce2s81*uXmcvP

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1172	rundll32.exe
1956	wermgr.exe
1956	wermgr.exe
1956	wermgr.exe
1956	wermgr.exe
1956	wermgr.exe
1956	wermgr.exe
1956	wermgr.exe
1956	wermgr.exe
1956	wermgr.exe
1956	wermgr.exe
1956	wermgr.exe
1956	wermgr.exe
1956	wermgr.exe
1956	wermgr.exe
1956	wermgr.exe
1956	wermgr.exe
1956	wermgr.exe
1956	wermgr.exe
1956	wermgr.exe
1956	wermgr.exe
1956	wermgr.exe
1956	wermgr.exe
1956	wermgr.exe
1956	wermgr.exe
1956	wermgr.exe
1956	wermgr.exe
1956	wermgr.exe
1956	wermgr.exe
1956	wermgr.exe
1956	wermgr.exe
1956	wermgr.exe
1956	wermgr.exe
1956	wermgr.exe
1956	wermgr.exe
1956	wermgr.exe
1956	wermgr.exe
1956	wermgr.exe
1956	wermgr.exe
1956	wermgr.exe
1956	wermgr.exe
1956	wermgr.exe
1956	wermgr.exe
1956	wermgr.exe
1956	wermgr.exe
1956	wermgr.exe
1956	wermgr.exe
1956	wermgr.exe
1956	wermgr.exe
1956	wermgr.exe
1956	wermgr.exe
1956	wermgr.exe
1956	wermgr.exe
1956	wermgr.exe
1956	wermgr.exe
1956	wermgr.exe
1956	wermgr.exe
1956	wermgr.exe
1956	wermgr.exe
1956	wermgr.exe
1956	wermgr.exe
1956	wermgr.exe
1956	wermgr.exe
1956	wermgr.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
1172	rundll32.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 1824 wrote to memory of 1172	1824	rundll32.exe	27
PID 1824 wrote to memory of 1172	1824	rundll32.exe	27
PID 1824 wrote to memory of 1172	1824	rundll32.exe	27
PID 1824 wrote to memory of 1172	1824	rundll32.exe	27
PID 1824 wrote to memory of 1172	1824	rundll32.exe	27
PID 1824 wrote to memory of 1172	1824	rundll32.exe	27
PID 1824 wrote to memory of 1172	1824	rundll32.exe	27
PID 1172 wrote to memory of 1956	1172	rundll32.exe	28
PID 1172 wrote to memory of 1956	1172	rundll32.exe	28
PID 1172 wrote to memory of 1956	1172	rundll32.exe	28
PID 1172 wrote to memory of 1956	1172	rundll32.exe	28
PID 1172 wrote to memory of 1956	1172	rundll32.exe	28
PID 1172 wrote to memory of 1956	1172	rundll32.exe	28

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\guinea.db.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1824
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\guinea.db.dll,#1
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:1172
- - C:\Windows\SysWOW64\wermgr.exe
    C:\Windows\SysWOW64\wermgr.exe
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1956

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1172-55-0x0000000075571000-0x0000000075573000-memory.dmp

Filesize
8KB

Download
memory/1172-56-0x0000000001CC0000-0x0000000001D9A000-memory.dmp

Filesize
872KB

Download
memory/1172-57-0x0000000000460000-0x0000000000482000-memory.dmp

Filesize
136KB

Download
memory/1172-59-0x0000000000460000-0x0000000000482000-memory.dmp

Filesize
136KB

Download
memory/1172-58-0x0000000000460000-0x0000000000482000-memory.dmp

Filesize
136KB

Download
memory/1172-60-0x00000000003F0000-0x0000000000431000-memory.dmp

Filesize
260KB

Download
memory/1172-61-0x0000000000460000-0x0000000000482000-memory.dmp

Filesize
136KB

Download
memory/1172-64-0x0000000000460000-0x0000000000482000-memory.dmp

Filesize
136KB

Download
memory/1956-65-0x00000000000E0000-0x0000000000102000-memory.dmp

Filesize
136KB

Download
memory/1956-66-0x00000000000E0000-0x0000000000102000-memory.dmp

Filesize
136KB

Download