qakbot | 070003eb267e8c10b998416d8d5f08e8d2c2a2f2b518c592b80eebc3ea1e534b

Analysis

max time kernel
160s
max time network
164s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
08-10-2022 12:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6438/grassing.dll
Size

386KB
MD5

f6f4f1bbe873a35bdfffffc0c00b61af
SHA1

7d831da7bd7aa594b4efa0f07ea9ee0748fdb9cb
SHA256

9ef5f5a55db078bbcf60cb9750349ab35f3ef88e8c5574f23fb77a485d0ba603
SHA512

6803d2324c13625c50cd8564af9fc2947e277c2c2b9a5aa27d740eb05bde9847795c105f73f515b1f887b2b313287e0db10c19b2e444be87588a7fc04a500e58
SSDEEP

6144:XtgTFlqteWTBa5WsoUReNsyLK998WqniKS9jyA9yjHHXsBcfmL/p+LIORL6qYFYM:d8z4TU5WsoURzN92tniPHlQEFYM

Score

10^/10

qakbot banker stealer trojan

Malware Config

Extracted

Family

qakbot

78.94.148.92:1753

134.180.185.240:32987

201.136.101.182:38323

124.77.95.5:46163

196.90.29.190:30693

187.144.110.117:36330

10.44.33.140:65267

162.117.200.91:29984

159.254.223.192:31154

11.239.81.233:37

31.248.76.23:24072

224.77.182.18:55579

124.230.27.11:44408

205.255.39.94:54675

192.1.213.104:14212

145.3.120.239:20068

242.199.30.106:9157

243.240.195.106:42825

74.234.32.185:42698

102.51.5.67:47820

Attributes

salt
SoNuce]ugdiB3c[doMuce2s81*uXmcvP

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4816	regsvr32.exe
4816	regsvr32.exe
2016	wermgr.exe
2016	wermgr.exe
2016	wermgr.exe
2016	wermgr.exe
2016	wermgr.exe
2016	wermgr.exe
2016	wermgr.exe
2016	wermgr.exe
2016	wermgr.exe
2016	wermgr.exe
2016	wermgr.exe
2016	wermgr.exe
2016	wermgr.exe
2016	wermgr.exe
2016	wermgr.exe
2016	wermgr.exe
2016	wermgr.exe
2016	wermgr.exe
2016	wermgr.exe
2016	wermgr.exe
2016	wermgr.exe
2016	wermgr.exe
2016	wermgr.exe
2016	wermgr.exe
2016	wermgr.exe
2016	wermgr.exe
2016	wermgr.exe
2016	wermgr.exe
2016	wermgr.exe
2016	wermgr.exe
2016	wermgr.exe
2016	wermgr.exe
2016	wermgr.exe
2016	wermgr.exe
2016	wermgr.exe
2016	wermgr.exe
2016	wermgr.exe
2016	wermgr.exe
2016	wermgr.exe
2016	wermgr.exe
2016	wermgr.exe
2016	wermgr.exe
2016	wermgr.exe
2016	wermgr.exe
2016	wermgr.exe
2016	wermgr.exe
2016	wermgr.exe
2016	wermgr.exe
2016	wermgr.exe
2016	wermgr.exe
2016	wermgr.exe
2016	wermgr.exe
2016	wermgr.exe
2016	wermgr.exe
2016	wermgr.exe
2016	wermgr.exe
2016	wermgr.exe
2016	wermgr.exe
2016	wermgr.exe
2016	wermgr.exe
2016	wermgr.exe
2016	wermgr.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
4816	regsvr32.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1116 wrote to memory of 4816	1116	regsvr32.exe	83
PID 1116 wrote to memory of 4816	1116	regsvr32.exe	83
PID 1116 wrote to memory of 4816	1116	regsvr32.exe	83
PID 4816 wrote to memory of 2016	4816	regsvr32.exe	84
PID 4816 wrote to memory of 2016	4816	regsvr32.exe	84
PID 4816 wrote to memory of 2016	4816	regsvr32.exe	84
PID 4816 wrote to memory of 2016	4816	regsvr32.exe	84
PID 4816 wrote to memory of 2016	4816	regsvr32.exe	84

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\6438\grassing.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:1116
- C:\Windows\SysWOW64\regsvr32.exe
  /s C:\Users\Admin\AppData\Local\Temp\6438\grassing.dll
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:4816
- - C:\Windows\SysWOW64\wermgr.exe
    C:\Windows\SysWOW64\wermgr.exe
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2016

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2016-136-0x0000000000460000-0x0000000000482000-memory.dmp

Filesize
136KB

Download
memory/2016-137-0x0000000000460000-0x0000000000482000-memory.dmp

Filesize
136KB

Download
memory/4816-133-0x0000000000E40000-0x0000000000E62000-memory.dmp

Filesize
136KB

Download
memory/4816-135-0x0000000000E40000-0x0000000000E62000-memory.dmp

Filesize
136KB

Download