qakbot | 1a7a641b9289ae0d1b6fe055f9a3b40c8b7f5c9b83dc317e86791ee3250da3ec

Analysis

max time kernel
106s
max time network
45s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
30/09/2022, 19:59

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

plaid/handouts.dll
Size

336KB
MD5

d436df7179db1a851d7a74b68ae072b4
SHA1

f2bbce952c21e72c979cb9115a588a3dd22396cb
SHA256

e07f8ef4cdd69603a4ec2a21524b1236724cad1f3dd527ade09cbdb4b9cb74ef
SHA512

d71a94329b4250013bf9c5bf9e5373a220d9dc51a97e14ec947b242b048264b09aece6832239edd151d33bf698ebf84dae4c50dfb83af199b6dde0b20a9f893a
SSDEEP

6144:Ss07Ns6Fpqn3Kn/NjAOyme85N6w0ZmXp8jwkGU99WOUNeliVNYK:0Ns6LjjAw5cwimXujHxiVNYK

Score

10^/10

qakbot bb 1664437404 banker stealer trojan

Malware Config

Extracted

Family

qakbot

Version

403.895

Botnet

Campaign

1664437404

113.180.55.111:443

58.186.75.42:443

105.184.56.118:995

196.206.133.114:995

80.253.189.55:443

193.3.19.137:443

41.104.80.233:443

49.205.197.13:443

186.81.122.168:443

216.238.83.82:443

216.238.83.82:995

39.44.5.104:995

196.207.146.151:443

216.238.108.61:995

139.84.167.18:995

139.84.167.18:443

216.238.108.61:443

149.28.38.16:995

134.35.12.30:443

131.100.40.13:995

Attributes

salt
SoNuce]ugdiB3c[doMuce2s81*uXmcvP

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
896	regsvr32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1964 wrote to memory of 896	1964	regsvr32.exe	28
PID 1964 wrote to memory of 896	1964	regsvr32.exe	28
PID 1964 wrote to memory of 896	1964	regsvr32.exe	28
PID 1964 wrote to memory of 896	1964	regsvr32.exe	28
PID 1964 wrote to memory of 896	1964	regsvr32.exe	28
PID 1964 wrote to memory of 896	1964	regsvr32.exe	28
PID 1964 wrote to memory of 896	1964	regsvr32.exe	28

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\plaid\handouts.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:1964
- C:\Windows\SysWOW64\regsvr32.exe
  /s C:\Users\Admin\AppData\Local\Temp\plaid\handouts.dll
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:896

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/896-56-0x0000000076411000-0x0000000076413000-memory.dmp

Filesize
8KB

Download
memory/896-57-0x0000000000180000-0x0000000000200000-memory.dmp

Filesize
512KB

Download
memory/896-58-0x0000000000200000-0x0000000000222000-memory.dmp

Filesize
136KB

Download
memory/1964-54-0x000007FEFBFE1000-0x000007FEFBFE3000-memory.dmp

Filesize
8KB

Download