qakbot | f62cb5e80fdc9b25cd30ee002a9af4deadf78d6f9bbef6df22cd4a37bc6c1cf9

Analysis

max time kernel
90s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
20/10/2022, 00:53

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

f62cb5e80fdc9b25cd30ee002a9af4deadf78d6f9bbef6df22cd4a37bc6c1cf9.dll
Size

773KB
MD5

013f6f17ce0b69d8a709496ecfe9a756
SHA1

72b3aa3730e4289223d3d7dbb63fa3878ebfe451
SHA256

f62cb5e80fdc9b25cd30ee002a9af4deadf78d6f9bbef6df22cd4a37bc6c1cf9
SHA512

051a2e6ed25b5e7cb16a79ace4248015c24af431f31a0b39606f7f7e5be7d01ad6d9ade6a6a528d3fca37d58e0aa5d0d38ba6c5eafc8a9b7a2468e413b9e1acb
SSDEEP

12288:zxnt9hlMvNICAY0KEkAOl7G79Ph0TF38ME:tt9+JFEkAmGAB38M

Score

10^/10

qakbot bb 1664801753 banker stealer trojan

Malware Config

Extracted

Family

qakbot

Version

403.902

Botnet

Campaign

1664801753

160.179.220.87:995

186.86.212.138:443

180.180.213.94:995

186.125.93.28:443

31.167.72.198:443

78.162.213.155:443

46.10.105.160:443

41.105.54.8:443

41.108.175.56:443

188.156.85.37:443

94.52.127.44:443

79.168.151.143:443

189.79.27.174:995

179.178.249.16:443

23.225.104.250:443

134.35.11.71:443

197.204.126.136:443

197.205.168.243:443

58.186.75.42:443

41.96.18.5:443

Attributes

salt
SoNuce]ugdiB3c[doMuce2s81*uXmcvP

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4380	952	WerFault.exe	83

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
952	rundll32.exe
952	rundll32.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4312 wrote to memory of 952	4312	rundll32.exe	83
PID 4312 wrote to memory of 952	4312	rundll32.exe	83
PID 4312 wrote to memory of 952	4312	rundll32.exe	83

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\f62cb5e80fdc9b25cd30ee002a9af4deadf78d6f9bbef6df22cd4a37bc6c1cf9.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4312
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\f62cb5e80fdc9b25cd30ee002a9af4deadf78d6f9bbef6df22cd4a37bc6c1cf9.dll,#1
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:952
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 952 -s 688
    3⤵
    - Program crash
    PID:4380

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 952 -ip 952
1⤵
PID:4028

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/952-133-0x0000000002330000-0x00000000023EF000-memory.dmp

Filesize
764KB

Download
memory/952-134-0x00000000025B0000-0x00000000025D2000-memory.dmp

Filesize
136KB

Download
memory/952-135-0x0000000002560000-0x00000000025A1000-memory.dmp

Filesize
260KB

Download
memory/952-136-0x00000000025B0000-0x00000000025D2000-memory.dmp

Filesize
136KB

Download