qakbot | 63ade90920f3c771336089bd7fe255a76d81781c761347e8016d81eadd5ae687

Analysis

max time kernel
149s
max time network
45s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
26-09-2022 15:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

banners/castilian.dll
Size

1.1MB
MD5

e17ff4c8e0da566b6fbe6ce54101eee7
SHA1

ed92354f1a9500c9dc07dfe77e23d3193e905559
SHA256

0b353412e79686c5185dfdf185747e856f379c863ff41d82ce0ef4b69b31b747
SHA512

70b9b4f07b35cf617da318e79999d3593355c126d10ab01a30827cd0daaa0d0fe54bbc9ed8fce80372803573ad2f30ea30e177dbf9ca0eddcf4cafb87e081f30
SSDEEP

24576:wVeK7bHY/DS6wku4EmQKyMeRP7IYqsS/HdcoO9u+5w9M4a:wZjMpn6oO

Score

10^/10

qakbot bb 1664184863 banker stealer trojan

Malware Config

Extracted

Family

qakbot

Version

403.895

Botnet

Campaign

1664184863

197.204.227.155:443

123.23.64.230:443

173.218.180.91:443

111.125.157.230:443

70.49.33.200:2222

149.28.38.16:995

86.132.13.105:2078

149.28.38.16:443

45.77.159.252:995

45.77.159.252:443

149.28.63.197:995

144.202.15.58:443

45.63.10.144:443

45.63.10.144:995

149.28.63.197:443

144.202.15.58:995

39.121.226.109:443

177.255.14.99:995

134.35.10.30:443

99.232.140.205:2222

Attributes

salt
SoNuce]ugdiB3c[doMuce2s81*uXmcvP

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exewermgr.exe

pid	process
1172	rundll32.exe
1956	wermgr.exe
1956	wermgr.exe
1956	wermgr.exe
1956	wermgr.exe
1956	wermgr.exe
1956	wermgr.exe
1956	wermgr.exe
1956	wermgr.exe
1956	wermgr.exe
1956	wermgr.exe
1956	wermgr.exe
1956	wermgr.exe
1956	wermgr.exe
1956	wermgr.exe
1956	wermgr.exe
1956	wermgr.exe
1956	wermgr.exe
1956	wermgr.exe
1956	wermgr.exe
1956	wermgr.exe
1956	wermgr.exe
1956	wermgr.exe
1956	wermgr.exe
1956	wermgr.exe
1956	wermgr.exe
1956	wermgr.exe
1956	wermgr.exe
1956	wermgr.exe
1956	wermgr.exe
1956	wermgr.exe
1956	wermgr.exe
1956	wermgr.exe
1956	wermgr.exe
1956	wermgr.exe
1956	wermgr.exe
1956	wermgr.exe
1956	wermgr.exe
1956	wermgr.exe
1956	wermgr.exe
1956	wermgr.exe
1956	wermgr.exe
1956	wermgr.exe
1956	wermgr.exe
1956	wermgr.exe
1956	wermgr.exe
1956	wermgr.exe
1956	wermgr.exe
1956	wermgr.exe
1956	wermgr.exe
1956	wermgr.exe
1956	wermgr.exe
1956	wermgr.exe
1956	wermgr.exe
1956	wermgr.exe
1956	wermgr.exe
1956	wermgr.exe
1956	wermgr.exe
1956	wermgr.exe
1956	wermgr.exe
1956	wermgr.exe
1956	wermgr.exe
1956	wermgr.exe
1956	wermgr.exe

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

rundll32.exe

pid process

1172 rundll32.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 1824 wrote to memory of 1172	1824	rundll32.exe	rundll32.exe
PID 1824 wrote to memory of 1172	1824	rundll32.exe	rundll32.exe
PID 1824 wrote to memory of 1172	1824	rundll32.exe	rundll32.exe
PID 1824 wrote to memory of 1172	1824	rundll32.exe	rundll32.exe
PID 1824 wrote to memory of 1172	1824	rundll32.exe	rundll32.exe
PID 1824 wrote to memory of 1172	1824	rundll32.exe	rundll32.exe
PID 1824 wrote to memory of 1172	1824	rundll32.exe	rundll32.exe
PID 1172 wrote to memory of 1956	1172	rundll32.exe	wermgr.exe
PID 1172 wrote to memory of 1956	1172	rundll32.exe	wermgr.exe
PID 1172 wrote to memory of 1956	1172	rundll32.exe	wermgr.exe
PID 1172 wrote to memory of 1956	1172	rundll32.exe	wermgr.exe
PID 1172 wrote to memory of 1956	1172	rundll32.exe	wermgr.exe
PID 1172 wrote to memory of 1956	1172	rundll32.exe	wermgr.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\banners\castilian.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1824

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\banners\castilian.dll,#1
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1172

C:\Windows\SysWOW64\wermgr.exe
C:\Windows\SysWOW64\wermgr.exe
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:1956

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1172-54-0x0000000000000000-mapping.dmp

Download
memory/1172-55-0x0000000075571000-0x0000000075573000-memory.dmp

Filesize
8KB

Download
memory/1172-56-0x00000000001E0000-0x00000000002F8000-memory.dmp

Filesize
1.1MB

Download
memory/1172-57-0x0000000000E30000-0x0000000000E52000-memory.dmp

Filesize
136KB

Download
memory/1172-59-0x0000000000E30000-0x0000000000E52000-memory.dmp

Filesize
136KB

Download
memory/1172-58-0x0000000000E30000-0x0000000000E52000-memory.dmp

Filesize
136KB

Download
memory/1172-60-0x0000000000AE0000-0x0000000000B21000-memory.dmp

Filesize
260KB

Download
memory/1172-61-0x0000000000E30000-0x0000000000E52000-memory.dmp

Filesize
136KB

Download
memory/1172-64-0x0000000000E30000-0x0000000000E52000-memory.dmp

Filesize
136KB

Download
memory/1956-62-0x0000000000000000-mapping.dmp

Download
memory/1956-65-0x0000000000080000-0x00000000000A2000-memory.dmp

Filesize
136KB

Download
memory/1956-66-0x0000000000080000-0x00000000000A2000-memory.dmp

Filesize
136KB

Download