qakbot | e6eab533d9b34806636f700c12966f842fa081c9ca8b3765720e9d424c773e85

Analysis

max time kernel
150s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
05-10-2022 22:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7965/usurpers.dll
Size

743KB
MD5

0d34c7cc649e41ed139210cff4f0f6b2
SHA1

2aa5538a31b7367ced7ce55dbf68c93490f7eff9
SHA256

7d9d70bdc53de103086dfc901004cfa2dc93fb25fb5c40109b63ba071107e40a
SHA512

8ac448a6bdf86ad781aa386895df83cb9d48536bf00140ac0c05ea55df0f783815cc8600a5e76cd38d84f980caf5ec758b46d489370d0a49dce9c0a638ebafbb
SSDEEP

12288:zxnt9hlMvNICAY0KEkAOl7G79zEXjGOyw3MW:tt9+JFEkAmG0j26M

Score

10^/10

qakbot banker stealer trojan

Malware Config

Extracted

Family

qakbot

156.36.22.250:12263

73.225.210.175:40922

19.138.81.187:38748

191.101.43.136:10968

145.20.244.169:39814

74.30.254.35:15530

138.94.26.23:49965

218.175.98.133:15428

181.245.40.43:1982

24.10.174.212:30807

253.219.195.173:1546

51.182.7.163:21304

191.68.117.56:28754

246.29.132.217:16625

149.181.112.217:33637

136.20.21.112:41199

80.65.15.199:35765

0.222.227.111:63041

209.240.1.52:53226

66.57.60.202:19263

Attributes

salt
SoNuce]ugdiB3c[doMuce2s81*uXmcvP

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exewermgr.exe

pid	process
1172	rundll32.exe
1408	wermgr.exe
1408	wermgr.exe
1408	wermgr.exe
1408	wermgr.exe
1408	wermgr.exe
1408	wermgr.exe
1408	wermgr.exe
1408	wermgr.exe
1408	wermgr.exe
1408	wermgr.exe
1408	wermgr.exe
1408	wermgr.exe
1408	wermgr.exe
1408	wermgr.exe
1408	wermgr.exe
1408	wermgr.exe
1408	wermgr.exe
1408	wermgr.exe
1408	wermgr.exe
1408	wermgr.exe
1408	wermgr.exe
1408	wermgr.exe
1408	wermgr.exe
1408	wermgr.exe
1408	wermgr.exe
1408	wermgr.exe
1408	wermgr.exe
1408	wermgr.exe
1408	wermgr.exe
1408	wermgr.exe
1408	wermgr.exe
1408	wermgr.exe
1408	wermgr.exe
1408	wermgr.exe
1408	wermgr.exe
1408	wermgr.exe
1408	wermgr.exe
1408	wermgr.exe
1408	wermgr.exe
1408	wermgr.exe
1408	wermgr.exe
1408	wermgr.exe
1408	wermgr.exe
1408	wermgr.exe
1408	wermgr.exe
1408	wermgr.exe
1408	wermgr.exe
1408	wermgr.exe
1408	wermgr.exe
1408	wermgr.exe
1408	wermgr.exe
1408	wermgr.exe
1408	wermgr.exe
1408	wermgr.exe
1408	wermgr.exe
1408	wermgr.exe
1408	wermgr.exe
1408	wermgr.exe
1408	wermgr.exe
1408	wermgr.exe
1408	wermgr.exe
1408	wermgr.exe
1408	wermgr.exe

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

rundll32.exe

pid process

1172 rundll32.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 1584 wrote to memory of 1172	1584	rundll32.exe	rundll32.exe
PID 1584 wrote to memory of 1172	1584	rundll32.exe	rundll32.exe
PID 1584 wrote to memory of 1172	1584	rundll32.exe	rundll32.exe
PID 1584 wrote to memory of 1172	1584	rundll32.exe	rundll32.exe
PID 1584 wrote to memory of 1172	1584	rundll32.exe	rundll32.exe
PID 1584 wrote to memory of 1172	1584	rundll32.exe	rundll32.exe
PID 1584 wrote to memory of 1172	1584	rundll32.exe	rundll32.exe
PID 1172 wrote to memory of 1408	1172	rundll32.exe	wermgr.exe
PID 1172 wrote to memory of 1408	1172	rundll32.exe	wermgr.exe
PID 1172 wrote to memory of 1408	1172	rundll32.exe	wermgr.exe
PID 1172 wrote to memory of 1408	1172	rundll32.exe	wermgr.exe
PID 1172 wrote to memory of 1408	1172	rundll32.exe	wermgr.exe
PID 1172 wrote to memory of 1408	1172	rundll32.exe	wermgr.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\7965\usurpers.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1584

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\7965\usurpers.dll,#1
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1172

C:\Windows\SysWOW64\wermgr.exe
C:\Windows\SysWOW64\wermgr.exe
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:1408

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1172-54-0x0000000000000000-mapping.dmp

Download
memory/1172-55-0x0000000074BB1000-0x0000000074BB3000-memory.dmp

Filesize
8KB

Download
memory/1172-56-0x00000000007B0000-0x000000000086F000-memory.dmp

Filesize
764KB

Download
memory/1172-57-0x00000000002D0000-0x00000000002F2000-memory.dmp

Filesize
136KB

Download
memory/1172-58-0x00000000002D0000-0x00000000002F2000-memory.dmp

Filesize
136KB

Download
memory/1172-59-0x00000000002D0000-0x00000000002F2000-memory.dmp

Filesize
136KB

Download
memory/1172-60-0x0000000001F80000-0x0000000001FC1000-memory.dmp

Filesize
260KB

Download
memory/1172-61-0x00000000002D0000-0x00000000002F2000-memory.dmp

Filesize
136KB

Download
memory/1172-64-0x00000000002D0000-0x00000000002F2000-memory.dmp

Filesize
136KB

Download
memory/1408-62-0x0000000000000000-mapping.dmp

Download
memory/1408-65-0x0000000000080000-0x00000000000A2000-memory.dmp

Filesize
136KB

Download
memory/1408-66-0x0000000000080000-0x00000000000A2000-memory.dmp

Filesize
136KB

Download