qakbot | 9ebb684f13367a8b7817b787a5374f9072f9338d657c255403d991f50f6ce80c

Resubmissions

19-10-2022 05:21

221019-f2f5ssfchl 10

13-10-2022 08:23

221013-j98rkabee4 1

11-10-2022 23:51

221011-3v5adabff8 3

Analysis

max time kernel
150s
max time network
44s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
19-10-2022 05:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cossacks.dat.dll
Size

743KB
MD5

25d8d740a5611fb6ab2e6df583c24a00
SHA1

41142c72f3f37fad22b01c6bd9eaf572551ff465
SHA256

9ebb684f13367a8b7817b787a5374f9072f9338d657c255403d991f50f6ce80c
SHA512

2de372428bac53af5fca71e443c6f9d7ebed9bf75faf76295c5f87aad1b1a51d6c6bbe5eb418cf9a5b65d29f81bb69a2bd64cfa9cdb640c9c259f2c43f57856b
SSDEEP

12288:e+4QHixeljmtjVFJcPp+cygICZoxlSr9p6q6xMZXJMeGbX//7OT:5DXjmtjVD3cygICZwSJp6q6yZXJM5T/c

Score

10^/10

qakbot obama212 1665497532 banker stealer trojan

Malware Config

Extracted

Family

qakbot

Version

403.973

Botnet

obama212

Campaign

1665497532

190.11.198.76:443

41.111.85.167:443

134.35.2.138:443

105.108.80.229:443

179.113.97.4:32101

197.158.89.85:443

197.204.101.178:443

105.69.147.88:995

41.103.252.215:443

41.104.109.190:443

41.107.209.163:443

14.227.159.241:443

82.12.196.197:443

103.156.237.139:443

196.235.137.166:443

181.141.3.126:443

102.157.22.8:443

41.111.52.120:443

197.92.143.218:443

181.44.34.172:443

Attributes

salt
SoNuce]ugdiB3c[doMuce2s81*uXmcvP

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1120	rundll32.exe
704	wermgr.exe
704	wermgr.exe
704	wermgr.exe
704	wermgr.exe
704	wermgr.exe
704	wermgr.exe
704	wermgr.exe
704	wermgr.exe
704	wermgr.exe
704	wermgr.exe
704	wermgr.exe
704	wermgr.exe
704	wermgr.exe
704	wermgr.exe
704	wermgr.exe
704	wermgr.exe
704	wermgr.exe
704	wermgr.exe
704	wermgr.exe
704	wermgr.exe
704	wermgr.exe
704	wermgr.exe
704	wermgr.exe
704	wermgr.exe
704	wermgr.exe
704	wermgr.exe
704	wermgr.exe
704	wermgr.exe
704	wermgr.exe
704	wermgr.exe
704	wermgr.exe
704	wermgr.exe
704	wermgr.exe
704	wermgr.exe
704	wermgr.exe
704	wermgr.exe
704	wermgr.exe
704	wermgr.exe
704	wermgr.exe
704	wermgr.exe
704	wermgr.exe
704	wermgr.exe
704	wermgr.exe
704	wermgr.exe
704	wermgr.exe
704	wermgr.exe
704	wermgr.exe
704	wermgr.exe
704	wermgr.exe
704	wermgr.exe
704	wermgr.exe
704	wermgr.exe
704	wermgr.exe
704	wermgr.exe
704	wermgr.exe
704	wermgr.exe
704	wermgr.exe
704	wermgr.exe
704	wermgr.exe
704	wermgr.exe
704	wermgr.exe
704	wermgr.exe
704	wermgr.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
1120	rundll32.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 1904 wrote to memory of 1120	1904	rundll32.exe	26
PID 1904 wrote to memory of 1120	1904	rundll32.exe	26
PID 1904 wrote to memory of 1120	1904	rundll32.exe	26
PID 1904 wrote to memory of 1120	1904	rundll32.exe	26
PID 1904 wrote to memory of 1120	1904	rundll32.exe	26
PID 1904 wrote to memory of 1120	1904	rundll32.exe	26
PID 1904 wrote to memory of 1120	1904	rundll32.exe	26
PID 1120 wrote to memory of 704	1120	rundll32.exe	27
PID 1120 wrote to memory of 704	1120	rundll32.exe	27
PID 1120 wrote to memory of 704	1120	rundll32.exe	27
PID 1120 wrote to memory of 704	1120	rundll32.exe	27
PID 1120 wrote to memory of 704	1120	rundll32.exe	27
PID 1120 wrote to memory of 704	1120	rundll32.exe	27

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\cossacks.dat.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1904
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\cossacks.dat.dll,#1
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:1120
- - C:\Windows\SysWOW64\wermgr.exe
    C:\Windows\SysWOW64\wermgr.exe
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:704

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/704-62-0x0000000000000000-mapping.dmp

Download
memory/704-64-0x00000000000C0000-0x00000000000E9000-memory.dmp

Filesize
164KB

Download
memory/704-66-0x00000000000C0000-0x00000000000E9000-memory.dmp

Filesize
164KB

Download
memory/1120-54-0x0000000000000000-mapping.dmp

Download
memory/1120-55-0x0000000075351000-0x0000000075353000-memory.dmp

Filesize
8KB

Download
memory/1120-56-0x0000000000820000-0x00000000008DE000-memory.dmp

Filesize
760KB

Download
memory/1120-57-0x00000000007A0000-0x00000000007C9000-memory.dmp

Filesize
164KB

Download
memory/1120-58-0x00000000007A0000-0x00000000007C9000-memory.dmp

Filesize
164KB

Download
memory/1120-59-0x00000000007A0000-0x00000000007C9000-memory.dmp

Filesize
164KB

Download
memory/1120-60-0x0000000000700000-0x0000000000729000-memory.dmp

Filesize
164KB

Download
memory/1120-61-0x00000000007A0000-0x00000000007C9000-memory.dmp

Filesize
164KB

Download
memory/1120-65-0x00000000007A0000-0x00000000007C9000-memory.dmp

Filesize
164KB

Download