qakbot | 25e42494f8008f4223915589df9d3b7dc069f66a42ac99a0bfee775a5dcf918e

Analysis

max time kernel
300s
max time network
172s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
06/10/2022, 16:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6438/jeopardizes.dll
Size

386KB
MD5

5c9ada08bd83cd885f7d9aed0c498b77
SHA1

311076e76abfdc7bcfe0bb46740e4c7e9e71b3dd
SHA256

e6fccbd534ed2d3e60263b7fd1611b4cbaca6a1ebc68b8210a57cb1f3de519ca
SHA512

fedf070e05d00cb1e26a6bbdf25afe15f6e6008e47df572df5b6141410f994ebd704b3c98c9219fa43ada0365f5961f02f82162c780c8d8cc08a89e07cec610c
SSDEEP

6144:XtgTFlqteWTBa5WsoUReNsyLK9p8WqniKS9jyA9yjHHXsBcfmL/p+LIORL6qYFYM:d8z4TU5WsoURzN9KtniPHlQEFYM

Score

10^/10

qakbot banker stealer trojan

Malware Config

Extracted

Family

qakbot

78.94.148.92:1753

134.180.185.240:32987

201.136.101.182:38323

124.77.95.5:46163

196.90.29.190:30693

187.144.110.117:36330

10.44.33.140:65267

162.117.200.91:29984

159.254.223.192:31154

11.239.81.233:37

31.248.76.23:24072

224.77.182.18:55579

124.230.27.11:44408

205.255.39.94:54675

192.1.213.104:14212

145.3.120.239:20068

242.199.30.106:9157

243.240.195.106:42825

74.234.32.185:42698

102.51.5.67:47820

Attributes

salt
SoNuce]ugdiB3c[doMuce2s81*uXmcvP

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4172	regsvr32.exe
4172	regsvr32.exe
4544	wermgr.exe
4544	wermgr.exe
4544	wermgr.exe
4544	wermgr.exe
4544	wermgr.exe
4544	wermgr.exe
4544	wermgr.exe
4544	wermgr.exe
4544	wermgr.exe
4544	wermgr.exe
4544	wermgr.exe
4544	wermgr.exe
4544	wermgr.exe
4544	wermgr.exe
4544	wermgr.exe
4544	wermgr.exe
4544	wermgr.exe
4544	wermgr.exe
4544	wermgr.exe
4544	wermgr.exe
4544	wermgr.exe
4544	wermgr.exe
4544	wermgr.exe
4544	wermgr.exe
4544	wermgr.exe
4544	wermgr.exe
4544	wermgr.exe
4544	wermgr.exe
4544	wermgr.exe
4544	wermgr.exe
4544	wermgr.exe
4544	wermgr.exe
4544	wermgr.exe
4544	wermgr.exe
4544	wermgr.exe
4544	wermgr.exe
4544	wermgr.exe
4544	wermgr.exe
4544	wermgr.exe
4544	wermgr.exe
4544	wermgr.exe
4544	wermgr.exe
4544	wermgr.exe
4544	wermgr.exe
4544	wermgr.exe
4544	wermgr.exe
4544	wermgr.exe
4544	wermgr.exe
4544	wermgr.exe
4544	wermgr.exe
4544	wermgr.exe
4544	wermgr.exe
4544	wermgr.exe
4544	wermgr.exe
4544	wermgr.exe
4544	wermgr.exe
4544	wermgr.exe
4544	wermgr.exe
4544	wermgr.exe
4544	wermgr.exe
4544	wermgr.exe
4544	wermgr.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
4172	regsvr32.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4896 wrote to memory of 4172	4896	regsvr32.exe	81
PID 4896 wrote to memory of 4172	4896	regsvr32.exe	81
PID 4896 wrote to memory of 4172	4896	regsvr32.exe	81
PID 4172 wrote to memory of 4544	4172	regsvr32.exe	85
PID 4172 wrote to memory of 4544	4172	regsvr32.exe	85
PID 4172 wrote to memory of 4544	4172	regsvr32.exe	85
PID 4172 wrote to memory of 4544	4172	regsvr32.exe	85
PID 4172 wrote to memory of 4544	4172	regsvr32.exe	85

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\6438\jeopardizes.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:4896
- C:\Windows\SysWOW64\regsvr32.exe
  /s C:\Users\Admin\AppData\Local\Temp\6438\jeopardizes.dll
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:4172
- - C:\Windows\SysWOW64\wermgr.exe
    C:\Windows\SysWOW64\wermgr.exe
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4544

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4172-133-0x0000000002A80000-0x0000000002AA2000-memory.dmp

Filesize
136KB

Download
memory/4172-135-0x0000000002A80000-0x0000000002AA2000-memory.dmp

Filesize
136KB

Download
memory/4544-136-0x0000000000800000-0x0000000000822000-memory.dmp

Filesize
136KB

Download
memory/4544-137-0x0000000000800000-0x0000000000822000-memory.dmp

Filesize
136KB

Download