qakbot | b9dd2d79e9b78f0d3f439c302f19b0bbec463f135701ab2ea99c27f48fa2eb1a

Analysis

max time kernel
150s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
29-09-2022 08:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

synapse.dll
Size

693KB
MD5

c05798268fcde7fbda9305a54389bb79
SHA1

72b49520e928a4d4c63b99d8bc68a45abc41cc88
SHA256

b9dd2d79e9b78f0d3f439c302f19b0bbec463f135701ab2ea99c27f48fa2eb1a
SHA512

8937282bbf257f0d2f2ab86ba4909b3ee8f69d2141b8e419cb245019a0dcd5964c38ab9bc3ada8ef75cbdee02ae05a0f69196d4fb6c4c27351b2e36f36f592e1
SSDEEP

12288:/ieL1vc1PdFjpmw5qS6xnGWvE/NIg5UT+QD1lNMAxH:K81IFnqnvE/5w9MW

Score

10^/10

qakbot bb 1664358901 banker stealer trojan

Malware Config

Extracted

Family

qakbot

Version

403.895

Botnet

Campaign

1664358901

179.111.23.186:32101

179.251.119.206:995

84.3.85.30:443

39.44.5.104:995

197.41.235.69:995

193.3.19.137:443

186.81.122.168:443

103.173.121.17:443

41.111.118.56:443

102.189.184.12:995

156.199.90.139:443

14.168.180.223:443

41.140.98.37:995

156.205.3.210:993

139.228.33.176:2222

134.35.12.0:443

49.205.197.13:443

131.100.40.13:995

217.165.146.158:993

73.252.27.208:995

Attributes

salt
SoNuce]ugdiB3c[doMuce2s81*uXmcvP

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
992	rundll32.exe
1176	wermgr.exe
1176	wermgr.exe
1176	wermgr.exe
1176	wermgr.exe
1176	wermgr.exe
1176	wermgr.exe
1176	wermgr.exe
1176	wermgr.exe
1176	wermgr.exe
1176	wermgr.exe
1176	wermgr.exe
1176	wermgr.exe
1176	wermgr.exe
1176	wermgr.exe
1176	wermgr.exe
1176	wermgr.exe
1176	wermgr.exe
1176	wermgr.exe
1176	wermgr.exe
1176	wermgr.exe
1176	wermgr.exe
1176	wermgr.exe
1176	wermgr.exe
1176	wermgr.exe
1176	wermgr.exe
1176	wermgr.exe
1176	wermgr.exe
1176	wermgr.exe
1176	wermgr.exe
1176	wermgr.exe
1176	wermgr.exe
1176	wermgr.exe
1176	wermgr.exe
1176	wermgr.exe
1176	wermgr.exe
1176	wermgr.exe
1176	wermgr.exe
1176	wermgr.exe
1176	wermgr.exe
1176	wermgr.exe
1176	wermgr.exe
1176	wermgr.exe
1176	wermgr.exe
1176	wermgr.exe
1176	wermgr.exe
1176	wermgr.exe
1176	wermgr.exe
1176	wermgr.exe
1176	wermgr.exe
1176	wermgr.exe
1176	wermgr.exe
1176	wermgr.exe
1176	wermgr.exe
1176	wermgr.exe
1176	wermgr.exe
1176	wermgr.exe
1176	wermgr.exe
1176	wermgr.exe
1176	wermgr.exe
1176	wermgr.exe
1176	wermgr.exe
1176	wermgr.exe
1176	wermgr.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
992	rundll32.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 240 wrote to memory of 992	240	rundll32.exe	28
PID 240 wrote to memory of 992	240	rundll32.exe	28
PID 240 wrote to memory of 992	240	rundll32.exe	28
PID 240 wrote to memory of 992	240	rundll32.exe	28
PID 240 wrote to memory of 992	240	rundll32.exe	28
PID 240 wrote to memory of 992	240	rundll32.exe	28
PID 240 wrote to memory of 992	240	rundll32.exe	28
PID 992 wrote to memory of 1176	992	rundll32.exe	29
PID 992 wrote to memory of 1176	992	rundll32.exe	29
PID 992 wrote to memory of 1176	992	rundll32.exe	29
PID 992 wrote to memory of 1176	992	rundll32.exe	29
PID 992 wrote to memory of 1176	992	rundll32.exe	29
PID 992 wrote to memory of 1176	992	rundll32.exe	29

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\synapse.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:240
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\synapse.dll,#1
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:992
- - C:\Windows\SysWOW64\wermgr.exe
    C:\Windows\SysWOW64\wermgr.exe
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1176

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/992-54-0x0000000000000000-mapping.dmp

Download
memory/992-55-0x0000000075DA1000-0x0000000075DA3000-memory.dmp

Filesize
8KB

Download
memory/992-56-0x0000000000220000-0x00000000002D2000-memory.dmp

Filesize
712KB

Download
memory/992-57-0x0000000000650000-0x0000000000672000-memory.dmp

Filesize
136KB

Download
memory/992-59-0x0000000000650000-0x0000000000672000-memory.dmp

Filesize
136KB

Download
memory/992-58-0x0000000000650000-0x0000000000672000-memory.dmp

Filesize
136KB

Download
memory/992-60-0x0000000000600000-0x0000000000641000-memory.dmp

Filesize
260KB

Download
memory/992-61-0x0000000000650000-0x0000000000672000-memory.dmp

Filesize
136KB

Download
memory/992-64-0x0000000000650000-0x0000000000672000-memory.dmp

Filesize
136KB

Download
memory/1176-62-0x0000000000000000-mapping.dmp

Download
memory/1176-65-0x0000000000080000-0x00000000000A2000-memory.dmp

Filesize
136KB

Download
memory/1176-66-0x0000000000080000-0x00000000000A2000-memory.dmp

Filesize
136KB

Download