qakbot | d96d02243cad3bfd80eda30b240391d941969aa59c770507e16904ba10e6881e

Analysis

max time kernel
149s
max time network
45s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
24-09-2022 03:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

unbelt/hotheaded.dll
Size

849KB
MD5

747a50a101b528a155c8095f1aef0230
SHA1

7a8c734481c95117009c57c8c81e077a2a5c5d96
SHA256

01fd6e0c8393a5f4112ea19a26bedffb31d6a01f4d3fe5721ca20f479766208f
SHA512

d5da3700be5c84bcb3bd3700f48d021c4fae0b0c64e8cc8fdf06d8094a4d3a497acf2fafcc05b0f6dbfa2e3e7be6d0b62c08f0328808837791ec586b7a690582
SSDEEP

12288:VByskGoWHwa0nZXKlhb/H9TT+iTojfQCA3kptT68JtQzB5UT+QD1lNMAFa:SnEjYNAeh4X668Jc5w9M+a

Score

10^/10

qakbot bb 1663774884 banker stealer trojan

Malware Config

Extracted

Family

qakbot

Version

403.895

Botnet

Campaign

1663774884

70.49.33.200:2222

181.118.183.123:443

99.232.140.205:2222

31.54.39.153:2078

173.218.180.91:443

193.3.19.37:443

134.35.8.88:443

41.97.152.42:443

70.51.132.197:2222

41.111.74.35:995

189.19.189.222:32101

105.156.139.150:443

217.165.68.59:993

119.82.111.158:443

111.125.157.230:443

125.25.129.70:443

197.94.84.128:443

177.255.14.99:995

187.205.222.100:443

190.44.40.48:995

Attributes

salt
SoNuce]ugdiB3c[doMuce2s81*uXmcvP

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exewermgr.exe

pid	process
1640	rundll32.exe
968	wermgr.exe
968	wermgr.exe
968	wermgr.exe
968	wermgr.exe
968	wermgr.exe
968	wermgr.exe
968	wermgr.exe
968	wermgr.exe
968	wermgr.exe
968	wermgr.exe
968	wermgr.exe
968	wermgr.exe
968	wermgr.exe
968	wermgr.exe
968	wermgr.exe
968	wermgr.exe
968	wermgr.exe
968	wermgr.exe
968	wermgr.exe
968	wermgr.exe
968	wermgr.exe
968	wermgr.exe
968	wermgr.exe
968	wermgr.exe
968	wermgr.exe
968	wermgr.exe
968	wermgr.exe
968	wermgr.exe
968	wermgr.exe
968	wermgr.exe
968	wermgr.exe
968	wermgr.exe
968	wermgr.exe
968	wermgr.exe
968	wermgr.exe
968	wermgr.exe
968	wermgr.exe
968	wermgr.exe
968	wermgr.exe
968	wermgr.exe
968	wermgr.exe
968	wermgr.exe
968	wermgr.exe
968	wermgr.exe
968	wermgr.exe
968	wermgr.exe
968	wermgr.exe
968	wermgr.exe
968	wermgr.exe
968	wermgr.exe
968	wermgr.exe
968	wermgr.exe
968	wermgr.exe
968	wermgr.exe
968	wermgr.exe
968	wermgr.exe
968	wermgr.exe
968	wermgr.exe
968	wermgr.exe
968	wermgr.exe
968	wermgr.exe
968	wermgr.exe
968	wermgr.exe

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

rundll32.exe

pid process

1640 rundll32.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 832 wrote to memory of 1640	832	rundll32.exe	rundll32.exe
PID 832 wrote to memory of 1640	832	rundll32.exe	rundll32.exe
PID 832 wrote to memory of 1640	832	rundll32.exe	rundll32.exe
PID 832 wrote to memory of 1640	832	rundll32.exe	rundll32.exe
PID 832 wrote to memory of 1640	832	rundll32.exe	rundll32.exe
PID 832 wrote to memory of 1640	832	rundll32.exe	rundll32.exe
PID 832 wrote to memory of 1640	832	rundll32.exe	rundll32.exe
PID 1640 wrote to memory of 968	1640	rundll32.exe	wermgr.exe
PID 1640 wrote to memory of 968	1640	rundll32.exe	wermgr.exe
PID 1640 wrote to memory of 968	1640	rundll32.exe	wermgr.exe
PID 1640 wrote to memory of 968	1640	rundll32.exe	wermgr.exe
PID 1640 wrote to memory of 968	1640	rundll32.exe	wermgr.exe
PID 1640 wrote to memory of 968	1640	rundll32.exe	wermgr.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\unbelt\hotheaded.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:832
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\unbelt\hotheaded.dll,#1
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:1640
- - C:\Windows\SysWOW64\wermgr.exe
    C:\Windows\SysWOW64\wermgr.exe
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:968

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/968-62-0x0000000000000000-mapping.dmp

Download
memory/968-65-0x0000000000080000-0x00000000000A2000-memory.dmp

Filesize
136KB

Download
memory/968-66-0x0000000000080000-0x00000000000A2000-memory.dmp

Filesize
136KB

Download
memory/1640-54-0x0000000000000000-mapping.dmp

Download
memory/1640-55-0x0000000075091000-0x0000000075093000-memory.dmp

Filesize
8KB

Download
memory/1640-56-0x0000000000790000-0x000000000086A000-memory.dmp

Filesize
872KB

Download
memory/1640-57-0x0000000000870000-0x0000000000892000-memory.dmp

Filesize
136KB

Download
memory/1640-59-0x0000000000870000-0x0000000000892000-memory.dmp

Filesize
136KB

Download
memory/1640-58-0x0000000000870000-0x0000000000892000-memory.dmp

Filesize
136KB

Download
memory/1640-60-0x00000000003C0000-0x0000000000401000-memory.dmp

Filesize
260KB

Download
memory/1640-61-0x0000000000870000-0x0000000000892000-memory.dmp

Filesize
136KB

Download
memory/1640-64-0x0000000000870000-0x0000000000892000-memory.dmp

Filesize
136KB

Download