qakbot | 7efe48cc66c67edf9ee025590228dbe6f2f1909b90123c4a2e0a359d3c67a2f2

Analysis

max time kernel
91s
max time network
108s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
17/10/2022, 14:45

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

popularization/repetitively.dll
Size

1.6MB
MD5

01109183e3eccf306278f72233e9baa5
SHA1

24c9a41d3058ede26c16f24aeec94b7164259624
SHA256

0342946e310bd6daf59ade056848fecb61509e3ab60e154e1a5cd741b1bfbc1c
SHA512

757b1f72f3982ab09b47eca668583248bad760ea256cb3c1417996b7643940e13585c7e42fb1259e3cc4d16f5dd122f51faea96e43837d0781d1b124f6c8aa73
SSDEEP

24576:12gUXd2F9pZ6gGxxuFZ9HpuKt5VIWZypPsHycDizFitRCFvEx1eZXJM5T//I5:12gOYNWuFZ9JAEHNWFOWvEDG5M

Score

10^/10

qakbot bb02 1665761649 banker stealer trojan

Malware Config

Extracted

Family

qakbot

Version

403.973

Botnet

BB02

Campaign

1665761649

211.47.11.62:33850

104.233.202.195:443

105.156.242.71:443

45.230.169.132:995

181.197.41.173:443

197.0.89.147:443

191.254.53.134:995

190.204.74.4:2222

46.185.147.165:443

190.26.159.133:995

177.205.74.14:2222

197.63.250.197:993

45.230.169.132:443

156.212.50.148:443

193.27.13.28:32100

190.200.10.82:2222

31.166.182.166:443

179.105.182.216:995

193.201.187.64:443

1.53.101.75:443

Attributes

salt
SoNuce]ugdiB3c[doMuce2s81*uXmcvP

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1504	2040	WerFault.exe	79

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2040	rundll32.exe
2040	rundll32.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3420 wrote to memory of 2040	3420	rundll32.exe	79
PID 3420 wrote to memory of 2040	3420	rundll32.exe	79
PID 3420 wrote to memory of 2040	3420	rundll32.exe	79

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\popularization\repetitively.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:3420
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\popularization\repetitively.dll,#1
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2040
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2040 -s 688
    3⤵
    - Program crash
    PID:1504

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2040 -ip 2040
1⤵
PID:4544

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2040-133-0x00000000021C0000-0x0000000002368000-memory.dmp

Filesize
1.7MB

Download
memory/2040-134-0x0000000002930000-0x0000000002959000-memory.dmp

Filesize
164KB

Download
memory/2040-136-0x0000000002930000-0x0000000002959000-memory.dmp

Filesize
164KB

Download
memory/2040-135-0x00000000028A0000-0x00000000028CA000-memory.dmp

Filesize
168KB

Download