qakbot | fd18b58235e50379b775cc3cbabdc8df599e71f787b2d286281999c24ecc18f8

Analysis

max time kernel
150s
max time network
43s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
20/10/2022, 01:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fd18b58235e50379b775cc3cbabdc8df599e71f787b2d286281999c24ecc18f8.dll
Size

384KB
MD5

1fa2068f08d1c55f06d6c33cb846f9ad
SHA1

e305efe7987be1a91cdf39daa6bd1b19bc8c694c
SHA256

fd18b58235e50379b775cc3cbabdc8df599e71f787b2d286281999c24ecc18f8
SHA512

c2a2b84e2549be4078397650470f40d7f1b3c7385eab182e91ee2af09aea429c307b778d16e7b5673a10946485ef1db790d21878a4f752ed59e3061687898764
SSDEEP

6144:OwWNVNYHWRZMZeiVt5p682MkWgylrBeKd5bYBWzjCvIuwDJnpCKHbrxOG53KPNs:Ol5eWt82Mk6lroKsLguiHOPNs

Score

10^/10

qakbot bb 1665048878 banker stealer trojan

Malware Config

Extracted

Family

qakbot

Version

403.914

Botnet

Campaign

1665048878

6.214.34.86:37718

181.164.194.228:443

197.158.89.85:443

14.230.199.98:443

105.101.23.180:443

41.104.205.128:443

134.35.6.76:443

197.202.163.4:443

105.159.124.224:443

41.96.33.236:443

181.141.3.126:443

163.182.177.80:443

41.248.72.229:8443

41.100.62.129:443

68.83.169.91:443

190.29.228.61:443

160.176.249.11:995

41.107.54.99:443

94.52.127.44:443

105.69.155.85:995

Attributes

salt
SoNuce]ugdiB3c[doMuce2s81*uXmcvP

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1984	regsvr32.exe
1744	wermgr.exe
1744	wermgr.exe
1744	wermgr.exe
1744	wermgr.exe
1744	wermgr.exe
1744	wermgr.exe
1744	wermgr.exe
1744	wermgr.exe
1744	wermgr.exe
1744	wermgr.exe
1744	wermgr.exe
1744	wermgr.exe
1744	wermgr.exe
1744	wermgr.exe
1744	wermgr.exe
1744	wermgr.exe
1744	wermgr.exe
1744	wermgr.exe
1744	wermgr.exe
1744	wermgr.exe
1744	wermgr.exe
1744	wermgr.exe
1744	wermgr.exe
1744	wermgr.exe
1744	wermgr.exe
1744	wermgr.exe
1744	wermgr.exe
1744	wermgr.exe
1744	wermgr.exe
1744	wermgr.exe
1744	wermgr.exe
1744	wermgr.exe
1744	wermgr.exe
1744	wermgr.exe
1744	wermgr.exe
1744	wermgr.exe
1744	wermgr.exe
1744	wermgr.exe
1744	wermgr.exe
1744	wermgr.exe
1744	wermgr.exe
1744	wermgr.exe
1744	wermgr.exe
1744	wermgr.exe
1744	wermgr.exe
1744	wermgr.exe
1744	wermgr.exe
1744	wermgr.exe
1744	wermgr.exe
1744	wermgr.exe
1744	wermgr.exe
1744	wermgr.exe
1744	wermgr.exe
1744	wermgr.exe
1744	wermgr.exe
1744	wermgr.exe
1744	wermgr.exe
1744	wermgr.exe
1744	wermgr.exe
1744	wermgr.exe
1744	wermgr.exe
1744	wermgr.exe
1744	wermgr.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
1984	regsvr32.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 2000 wrote to memory of 1984	2000	regsvr32.exe	26
PID 2000 wrote to memory of 1984	2000	regsvr32.exe	26
PID 2000 wrote to memory of 1984	2000	regsvr32.exe	26
PID 2000 wrote to memory of 1984	2000	regsvr32.exe	26
PID 2000 wrote to memory of 1984	2000	regsvr32.exe	26
PID 2000 wrote to memory of 1984	2000	regsvr32.exe	26
PID 2000 wrote to memory of 1984	2000	regsvr32.exe	26
PID 1984 wrote to memory of 1744	1984	regsvr32.exe	27
PID 1984 wrote to memory of 1744	1984	regsvr32.exe	27
PID 1984 wrote to memory of 1744	1984	regsvr32.exe	27
PID 1984 wrote to memory of 1744	1984	regsvr32.exe	27
PID 1984 wrote to memory of 1744	1984	regsvr32.exe	27
PID 1984 wrote to memory of 1744	1984	regsvr32.exe	27

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\fd18b58235e50379b775cc3cbabdc8df599e71f787b2d286281999c24ecc18f8.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:2000
- C:\Windows\SysWOW64\regsvr32.exe
  /s C:\Users\Admin\AppData\Local\Temp\fd18b58235e50379b775cc3cbabdc8df599e71f787b2d286281999c24ecc18f8.dll
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:1984
- - C:\Windows\SysWOW64\wermgr.exe
    C:\Windows\SysWOW64\wermgr.exe
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1744

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1744-61-0x00000000000E0000-0x0000000000102000-memory.dmp

Filesize
136KB

Download
memory/1744-62-0x00000000000E0000-0x0000000000102000-memory.dmp

Filesize
136KB

Download
memory/1984-56-0x00000000754E1000-0x00000000754E3000-memory.dmp

Filesize
8KB

Download
memory/1984-57-0x0000000000170000-0x0000000000192000-memory.dmp

Filesize
136KB

Download
memory/1984-60-0x0000000000170000-0x0000000000192000-memory.dmp

Filesize
136KB

Download
memory/2000-54-0x000007FEFB761000-0x000007FEFB763000-memory.dmp

Filesize
8KB

Download