qakbot | f56d25cf9f20f2040b2ec14f769f36aa14819f56f6b254c0831c9b2a024b8c8d

Analysis

max time kernel
152s
max time network
47s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
03/10/2022, 22:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

defrosts.dat.dll
Size

650KB
MD5

3d348e2c37855dd4a1b94eff371ab3f1
SHA1

3e66fc73001380b170e658561f19441262011af6
SHA256

f56d25cf9f20f2040b2ec14f769f36aa14819f56f6b254c0831c9b2a024b8c8d
SHA512

8cbade23ddcbfcad5ea242e4926e194daad958b8ff61069220165a0fe4b660fc8c19ce56f39ac6bfd4defeb7525b2268665a01b5ebb8aaa2e5c31ee532b50052
SSDEEP

12288:e04qh9jnmGxBGex5ikJdspJRtsdi21LcVUK:ayjn5PyVWdR1L/K

Score

10^/10

qakbot banker stealer trojan

Malware Config

Extracted

Family

qakbot

70.238.223.142:65113

108.212.133.125:43749

91.204.181.165:28980

227.138.255.213:57594

252.124.102.160:59802

84.56.235.30:702

40.12.38.164:4225

163.55.16.87:6230

235.167.221.218:44172

113.34.86.36:44766

3.198.145.208:34010

194.217.45.198:36220

198.194.188.181:22851

149.133.92.184:61270

135.120.183.211:3151

45.206.222.245:43045

246.179.112.12:64397

88.106.24.76:30867

140.20.244.190:8098

218.91.78.249:2943

Attributes

salt
SoNuce]ugdiB3c[doMuce2s81*uXmcvP

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot

Suspicious behavior: EnumeratesProcesses 11 IoCs

pid	Process
948	regsvr32.exe
896	wermgr.exe
896	wermgr.exe
896	wermgr.exe
896	wermgr.exe
896	wermgr.exe
896	wermgr.exe
896	wermgr.exe
896	wermgr.exe
896	wermgr.exe
896	wermgr.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
948	regsvr32.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 1756 wrote to memory of 948	1756	regsvr32.exe	27
PID 1756 wrote to memory of 948	1756	regsvr32.exe	27
PID 1756 wrote to memory of 948	1756	regsvr32.exe	27
PID 1756 wrote to memory of 948	1756	regsvr32.exe	27
PID 1756 wrote to memory of 948	1756	regsvr32.exe	27
PID 1756 wrote to memory of 948	1756	regsvr32.exe	27
PID 1756 wrote to memory of 948	1756	regsvr32.exe	27
PID 948 wrote to memory of 896	948	regsvr32.exe	28
PID 948 wrote to memory of 896	948	regsvr32.exe	28
PID 948 wrote to memory of 896	948	regsvr32.exe	28
PID 948 wrote to memory of 896	948	regsvr32.exe	28
PID 948 wrote to memory of 896	948	regsvr32.exe	28
PID 948 wrote to memory of 896	948	regsvr32.exe	28

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\defrosts.dat.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:1756
- C:\Windows\SysWOW64\regsvr32.exe
  /s C:\Users\Admin\AppData\Local\Temp\defrosts.dat.dll
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:948
- - C:\Windows\SysWOW64\wermgr.exe
    C:\Windows\SysWOW64\wermgr.exe
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:896

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/896-67-0x0000000000080000-0x00000000000A2000-memory.dmp

Filesize
136KB

Download
memory/896-66-0x0000000000080000-0x00000000000A2000-memory.dmp

Filesize
136KB

Download
memory/948-60-0x0000000000230000-0x00000000002B0000-memory.dmp

Filesize
512KB

Download
memory/948-58-0x0000000074DE0000-0x0000000074E87000-memory.dmp

Filesize
668KB

Download
memory/948-59-0x00000000001A0000-0x00000000001E2000-memory.dmp

Filesize
264KB

Download
memory/948-61-0x0000000000230000-0x00000000002B0000-memory.dmp

Filesize
512KB

Download
memory/948-57-0x0000000074DE0000-0x0000000074E87000-memory.dmp

Filesize
668KB

Download
memory/948-64-0x0000000074DE0000-0x0000000074E87000-memory.dmp

Filesize
668KB

Download
memory/948-65-0x0000000000230000-0x0000000000252000-memory.dmp

Filesize
136KB

Download
memory/948-56-0x0000000076171000-0x0000000076173000-memory.dmp

Filesize
8KB

Download
memory/1756-54-0x000007FEFC281000-0x000007FEFC283000-memory.dmp

Filesize
8KB

Download