qakbot | d2b4f004d88fa1aa8e075ceeb4dc785fcbfb16d5297c7a2e5d36d653fe77d853

Resubmissions

20-03-2024 20:50

240320-zmt8naag35 10

13-10-2022 11:50

221013-nzp9pache4 10

01-10-2022 01:58

221001-cd4peagcfn 10

Analysis

max time kernel
150s
max time network
45s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
01-10-2022 01:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

assaulting/milt.dll
Size

448KB
MD5

24c89f5383c6dca654f27383b1ec00a3
SHA1

7766a0a045e56fe16fb5b9e0c5d7c1d047eb36c6
SHA256

bb2540e27de2b8d3d154fee3efa8e2cbefdf25e5a1d76b4cedf49ac3917a1471
SHA512

58bffa71d6be31e136c220828ba0565a7e9231e363804beefc66f47653cf80af94bcc5c221444e6f7f1707dbe915279d67c77592ccedc2d5f09b29bc62f39eb3
SSDEEP

6144:NWlZhgoMdtBYTNSlWBsAOvbd62IYQ8jjHH62uzdMzD9699o9:cl3goMdrbdJ6wQ8faVO099o

Score

10^/10

qakbot banker stealer trojan

Malware Config

Extracted

Family

qakbot

75.116.87.44:14933

64.55.103.194:9151

80.214.68.88:40730

97.184.129.40:2118

216.44.143.70:26851

239.39.127.10:38876

57.33.10.57:17737

201.128.252.151:58865

211.76.239.250:34506

124.58.65.86:13247

41.8.154.58:7614

6.55.240.195:27003

139.242.121.12:23370

8.81.30.103:64297

168.13.24.67:37382

17.219.125.20:59669

136.66.66.194:40287

63.172.177.141:57252

195.44.25.26:29277

67.212.106.154:59890

Attributes

salt
SoNuce]ugdiB3c[doMuce2s81*uXmcvP

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot

Suspicious behavior: EnumeratesProcesses 13 IoCs

Processes:

regsvr32.exewermgr.exe

pid	process
1880	regsvr32.exe
2012	wermgr.exe
2012	wermgr.exe
2012	wermgr.exe
2012	wermgr.exe
2012	wermgr.exe
2012	wermgr.exe
2012	wermgr.exe
2012	wermgr.exe
2012	wermgr.exe
2012	wermgr.exe
2012	wermgr.exe
2012	wermgr.exe

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

regsvr32.exe

pid process

1880 regsvr32.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

regsvr32.exeregsvr32.exe

description	pid	process	target process
PID 1904 wrote to memory of 1880	1904	regsvr32.exe	regsvr32.exe
PID 1904 wrote to memory of 1880	1904	regsvr32.exe	regsvr32.exe
PID 1904 wrote to memory of 1880	1904	regsvr32.exe	regsvr32.exe
PID 1904 wrote to memory of 1880	1904	regsvr32.exe	regsvr32.exe
PID 1904 wrote to memory of 1880	1904	regsvr32.exe	regsvr32.exe
PID 1904 wrote to memory of 1880	1904	regsvr32.exe	regsvr32.exe
PID 1904 wrote to memory of 1880	1904	regsvr32.exe	regsvr32.exe
PID 1880 wrote to memory of 2012	1880	regsvr32.exe	wermgr.exe
PID 1880 wrote to memory of 2012	1880	regsvr32.exe	wermgr.exe
PID 1880 wrote to memory of 2012	1880	regsvr32.exe	wermgr.exe
PID 1880 wrote to memory of 2012	1880	regsvr32.exe	wermgr.exe
PID 1880 wrote to memory of 2012	1880	regsvr32.exe	wermgr.exe
PID 1880 wrote to memory of 2012	1880	regsvr32.exe	wermgr.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\assaulting\milt.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:1904
- C:\Windows\SysWOW64\regsvr32.exe
  /s C:\Users\Admin\AppData\Local\Temp\assaulting\milt.dll
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:1880
- - C:\Windows\SysWOW64\wermgr.exe
    C:\Windows\SysWOW64\wermgr.exe
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2012

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1880-55-0x0000000000000000-mapping.dmp

Download
memory/1880-56-0x0000000076DC1000-0x0000000076DC3000-memory.dmp

Filesize
8KB

Download
memory/1880-57-0x0000000000960000-0x00000000009E0000-memory.dmp

Filesize
512KB

Download
memory/1880-58-0x0000000000240000-0x0000000000262000-memory.dmp

Filesize
136KB

Download
memory/1880-61-0x0000000000240000-0x0000000000262000-memory.dmp

Filesize
136KB

Download
memory/1904-54-0x000007FEFC481000-0x000007FEFC483000-memory.dmp

Filesize
8KB

Download
memory/2012-59-0x0000000000000000-mapping.dmp

Download
memory/2012-62-0x0000000000080000-0x00000000000A2000-memory.dmp

Filesize
136KB

Download
memory/2012-63-0x0000000000080000-0x00000000000A2000-memory.dmp

Filesize
136KB

Download