qakbot | af68690b3aee630f2e758a88fee6cfc27dfd1663635aaa5c23652a41576a993e

Analysis

max time kernel
305s
max time network
245s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
03/10/2022, 11:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

assaulting/binders.dll
Size

379KB
MD5

7512d5f067159b8656db56e7ca0676ac
SHA1

751ce3feb83e8201109a3db61049a4fd7ac07f62
SHA256

b581c1df89df87359786a32ac8f4fcdc804b39447ffdc37d865082d761bcd1e8
SHA512

acc3072da39d527a102108a9e0c18ab030836b38095bd13ca6e9a18addba7cd61500d568ab920023d43abdd3eba599bf62151eaea7f2add2a78c98a638bb10ee
SSDEEP

6144:XiNznfIiXRVvxXR+09XLbbZR6/AOfJClL+VNWXpImIQ:XilfZV+0tLbsj6L+V4

Score

10^/10

qakbot banker stealer trojan

Malware Config

Extracted

Family

qakbot

75.116.87.44:14933

64.55.103.194:9151

80.214.68.88:40730

97.184.129.40:2118

216.44.143.70:26851

239.39.127.10:38876

57.33.10.57:17737

201.128.252.151:58865

211.76.239.250:34506

124.58.65.86:13247

41.8.154.58:7614

6.55.240.195:27003

139.242.121.12:23370

8.81.30.103:64297

168.13.24.67:37382

17.219.125.20:59669

136.66.66.194:40287

63.172.177.141:57252

195.44.25.26:29277

67.212.106.154:59890

Attributes

salt
SoNuce]ugdiB3c[doMuce2s81*uXmcvP

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3068	regsvr32.exe
3068	regsvr32.exe
4912	wermgr.exe
4912	wermgr.exe
4912	wermgr.exe
4912	wermgr.exe
4912	wermgr.exe
4912	wermgr.exe
4912	wermgr.exe
4912	wermgr.exe
4912	wermgr.exe
4912	wermgr.exe
4912	wermgr.exe
4912	wermgr.exe
4912	wermgr.exe
4912	wermgr.exe
4912	wermgr.exe
4912	wermgr.exe
4912	wermgr.exe
4912	wermgr.exe
4912	wermgr.exe
4912	wermgr.exe
4912	wermgr.exe
4912	wermgr.exe
4912	wermgr.exe
4912	wermgr.exe
4912	wermgr.exe
4912	wermgr.exe
4912	wermgr.exe
4912	wermgr.exe
4912	wermgr.exe
4912	wermgr.exe
4912	wermgr.exe
4912	wermgr.exe
4912	wermgr.exe
4912	wermgr.exe
4912	wermgr.exe
4912	wermgr.exe
4912	wermgr.exe
4912	wermgr.exe
4912	wermgr.exe
4912	wermgr.exe
4912	wermgr.exe
4912	wermgr.exe
4912	wermgr.exe
4912	wermgr.exe
4912	wermgr.exe
4912	wermgr.exe
4912	wermgr.exe
4912	wermgr.exe
4912	wermgr.exe
4912	wermgr.exe
4912	wermgr.exe
4912	wermgr.exe
4912	wermgr.exe
4912	wermgr.exe
4912	wermgr.exe
4912	wermgr.exe
4912	wermgr.exe
4912	wermgr.exe
4912	wermgr.exe
4912	wermgr.exe
4912	wermgr.exe
4912	wermgr.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
3068	regsvr32.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2040 wrote to memory of 3068	2040	regsvr32.exe	81
PID 2040 wrote to memory of 3068	2040	regsvr32.exe	81
PID 2040 wrote to memory of 3068	2040	regsvr32.exe	81
PID 3068 wrote to memory of 4912	3068	regsvr32.exe	82
PID 3068 wrote to memory of 4912	3068	regsvr32.exe	82
PID 3068 wrote to memory of 4912	3068	regsvr32.exe	82
PID 3068 wrote to memory of 4912	3068	regsvr32.exe	82
PID 3068 wrote to memory of 4912	3068	regsvr32.exe	82

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\assaulting\binders.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:2040
- C:\Windows\SysWOW64\regsvr32.exe
  /s C:\Users\Admin\AppData\Local\Temp\assaulting\binders.dll
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:3068
- - C:\Windows\SysWOW64\wermgr.exe
    C:\Windows\SysWOW64\wermgr.exe
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4912

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3068-133-0x0000000000860000-0x00000000008A2000-memory.dmp

Filesize
264KB

Download
memory/3068-134-0x00000000008B0000-0x00000000008D2000-memory.dmp

Filesize
136KB

Download
memory/3068-135-0x00000000008B0000-0x00000000008D2000-memory.dmp

Filesize
136KB

Download
memory/3068-137-0x00000000008B0000-0x00000000008D2000-memory.dmp

Filesize
136KB

Download
memory/4912-138-0x0000000000D50000-0x0000000000D72000-memory.dmp

Filesize
136KB

Download
memory/4912-139-0x0000000000D50000-0x0000000000D72000-memory.dmp

Filesize
136KB

Download