Overview

overview

10

Static

static

qbot.dll

windows7-x64

1

qbot.dll

windows10-2004-x64

10

Resubmissions

26/10/2022, 15:38

221026-s3c6ragba6 10

Analysis

  • max time kernel
    149s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    26/10/2022, 15:38

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    qbot.dll

  • Size

    502KB

  • MD5

    a4e2d9a3da5ce54d2fc19c996757b86a

  • SHA1

    ce44ba7151528ca73be82737ea142dc5e76394b7

  • SHA256

    dbddf15af96147af422ab24fe6d8b5ef06af06a0a8d41362db8edd400f778546

  • SHA512

    e52f13ab245121b45d4f5e110cd0aa4d0c8e83c59a9b4f8e3457df41d254bacb6cd5b3c2bc50c6f4a7125b8a23870de358d0f917ea65b1e5f820a83003f9964d

  • SSDEEP

    6144:KSGYaRyE5Na5otGQkAVFOaqyrGAO87yH3pkNNUoGMHbn/WRCGxIIcAB:DGYGvMc5EyKi70YNUoj7iB

Score
10/10
qakbotbb041666690935bankerstealertrojan

Malware Config

Extracted

Family

qakbot

Version

403.1051

Botnet

BB04

Campaign

1666690935

C2

181.164.194.228:443

24.116.45.121:443

190.74.248.136:443

24.206.27.39:443

27.110.134.202:995

2.88.206.121:443

71.199.168.185:443

200.233.108.153:995

198.2.51.242:993

172.117.139.142:995

70.115.104.126:443

144.202.15.58:443

190.24.45.24:995

24.9.220.167:443

58.247.115.126:995

193.3.19.137:443

45.230.169.132:995

68.62.199.70:443

43.241.159.238:443

113.162.196.232:443
Attributes
  • salt

    SoNuce]ugdiB3c[doMuce2s81*uXmcvP

Signatures

  • Qakbot/Qbot

    Qbot or Qakbot is a sophisticated worm with banking capabilities.

    trojanbankerstealerqakbot
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Windows\system32\regsvr32.exe
    regsvr32 /s C:\Users\Admin\AppData\Local\Temp\qbot.dll
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4416
    • C:\Windows\SysWOW64\regsvr32.exe
      /s C:\Users\Admin\AppData\Local\Temp\qbot.dll
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:5012
      • C:\Windows\SysWOW64\wermgr.exe
        C:\Windows\SysWOW64\wermgr.exe
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:452

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/452-140-0x0000000000140000-0x0000000000169000-memory.dmp

    Filesize

    164KB

    Download

  • memory/452-141-0x0000000000140000-0x0000000000169000-memory.dmp

    Filesize

    164KB

    Download

  • memory/5012-133-0x0000000074CA0000-0x0000000074D22000-memory.dmp

    Filesize

    520KB

    Download

  • memory/5012-134-0x0000000074CA0000-0x0000000074D22000-memory.dmp

    Filesize

    520KB

    Download

  • memory/5012-135-0x0000000000740000-0x00000000007B1000-memory.dmp

    Filesize

    452KB

    Download

  • memory/5012-136-0x0000000000A00000-0x0000000000A29000-memory.dmp

    Filesize

    164KB

    Download

  • memory/5012-138-0x0000000074CA0000-0x0000000074D22000-memory.dmp

    Filesize

    520KB

    Download

  • memory/5012-139-0x0000000000A00000-0x0000000000A29000-memory.dmp

    Filesize

    164KB

    Download