qakbot | c1efca753dedafb2fa206085cc45583e9af9e233a3248e958a5e1ece7982837f

Analysis

max time kernel
151s
max time network
45s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
06-10-2022 16:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6438/fearfully.dll
Size

386KB
MD5

b5cd890b8ba5f31c3f7e457f40f5d728
SHA1

18c143ba12246321416b77e67afac04825fca12f
SHA256

051eda78705b38dc1577ef8ea4e972990d32ca7b39b4981127b2e4221d110f2a
SHA512

47774e8bd59ccce5e9a1e4e52d0b19b0561ac06a800e06f1d0e8121d06de6cf74496a188ec8737b18456d57cbe1ac9f2571c63085754dccbe93cb23d56a4fe79
SSDEEP

6144:XtgTFlqteWTBa5WsoUReNsyLK9+8WqniKS9jyA9yjHHXsBcfmL/p+LIORL6qYFYM:d8z4TU5WsoURzN9ftniPHlQEFYM

Score

10^/10

qakbot banker stealer trojan

Malware Config

Extracted

Family

qakbot

78.94.148.92:1753

134.180.185.240:32987

201.136.101.182:38323

124.77.95.5:46163

196.90.29.190:30693

187.144.110.117:36330

10.44.33.140:65267

162.117.200.91:29984

159.254.223.192:31154

11.239.81.233:37

31.248.76.23:24072

224.77.182.18:55579

124.230.27.11:44408

205.255.39.94:54675

192.1.213.104:14212

145.3.120.239:20068

242.199.30.106:9157

243.240.195.106:42825

74.234.32.185:42698

102.51.5.67:47820

Attributes

salt
SoNuce]ugdiB3c[doMuce2s81*uXmcvP

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

regsvr32.exewermgr.exe

pid	process
1808	regsvr32.exe
956	wermgr.exe
956	wermgr.exe
956	wermgr.exe
956	wermgr.exe
956	wermgr.exe
956	wermgr.exe
956	wermgr.exe
956	wermgr.exe
956	wermgr.exe
956	wermgr.exe
956	wermgr.exe
956	wermgr.exe
956	wermgr.exe
956	wermgr.exe
956	wermgr.exe
956	wermgr.exe
956	wermgr.exe
956	wermgr.exe
956	wermgr.exe
956	wermgr.exe
956	wermgr.exe
956	wermgr.exe
956	wermgr.exe
956	wermgr.exe
956	wermgr.exe
956	wermgr.exe
956	wermgr.exe
956	wermgr.exe
956	wermgr.exe
956	wermgr.exe
956	wermgr.exe
956	wermgr.exe
956	wermgr.exe
956	wermgr.exe
956	wermgr.exe
956	wermgr.exe
956	wermgr.exe
956	wermgr.exe
956	wermgr.exe
956	wermgr.exe
956	wermgr.exe
956	wermgr.exe
956	wermgr.exe
956	wermgr.exe
956	wermgr.exe
956	wermgr.exe
956	wermgr.exe
956	wermgr.exe
956	wermgr.exe
956	wermgr.exe
956	wermgr.exe
956	wermgr.exe
956	wermgr.exe
956	wermgr.exe
956	wermgr.exe
956	wermgr.exe
956	wermgr.exe
956	wermgr.exe
956	wermgr.exe
956	wermgr.exe
956	wermgr.exe
956	wermgr.exe
956	wermgr.exe

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

regsvr32.exe

pid process

1808 regsvr32.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

regsvr32.exeregsvr32.exe

description	pid	process	target process
PID 1960 wrote to memory of 1808	1960	regsvr32.exe	regsvr32.exe
PID 1960 wrote to memory of 1808	1960	regsvr32.exe	regsvr32.exe
PID 1960 wrote to memory of 1808	1960	regsvr32.exe	regsvr32.exe
PID 1960 wrote to memory of 1808	1960	regsvr32.exe	regsvr32.exe
PID 1960 wrote to memory of 1808	1960	regsvr32.exe	regsvr32.exe
PID 1960 wrote to memory of 1808	1960	regsvr32.exe	regsvr32.exe
PID 1960 wrote to memory of 1808	1960	regsvr32.exe	regsvr32.exe
PID 1808 wrote to memory of 956	1808	regsvr32.exe	wermgr.exe
PID 1808 wrote to memory of 956	1808	regsvr32.exe	wermgr.exe
PID 1808 wrote to memory of 956	1808	regsvr32.exe	wermgr.exe
PID 1808 wrote to memory of 956	1808	regsvr32.exe	wermgr.exe
PID 1808 wrote to memory of 956	1808	regsvr32.exe	wermgr.exe
PID 1808 wrote to memory of 956	1808	regsvr32.exe	wermgr.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\6438\fearfully.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:1960

C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\6438\fearfully.dll
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1808

C:\Windows\SysWOW64\wermgr.exe
C:\Windows\SysWOW64\wermgr.exe
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:956

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/956-58-0x0000000000000000-mapping.dmp

Download
memory/956-61-0x0000000000080000-0x00000000000A2000-memory.dmp

Filesize
136KB

Download
memory/956-62-0x0000000000080000-0x00000000000A2000-memory.dmp

Filesize
136KB

Download
memory/1808-55-0x0000000000000000-mapping.dmp

Download
memory/1808-56-0x00000000751A1000-0x00000000751A3000-memory.dmp

Filesize
8KB

Download
memory/1808-57-0x0000000000170000-0x0000000000192000-memory.dmp

Filesize
136KB

Download
memory/1808-60-0x0000000000170000-0x0000000000192000-memory.dmp

Filesize
136KB

Download
memory/1960-54-0x000007FEFBD01000-0x000007FEFBD03000-memory.dmp

Filesize
8KB

Download