qakbot | cb5b8365be065ab9870b15a524decf7474575b0b14e796ee77d6f482dfb6d53c

Resubmissions

20-12-2022 12:09

221220-pbrnaahd79 10

31-10-2022 07:39

221031-jg24baadb3 10

Analysis

max time kernel
445s
max time network
442s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
31-10-2022 07:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

mal.dll
Size

628KB
MD5

0b027723b5af33dad8219cbdcd44ad9a
SHA1

b2243901845b163db104ec790b983222f0691a94
SHA256

cb5b8365be065ab9870b15a524decf7474575b0b14e796ee77d6f482dfb6d53c
SHA512

82bdeb901957d45f9d72705863a3599fdbc57fc0ce2f3c5cd191e47ab754bd899715d290c189a512d0fcb804c6ec3cfe9cef3cb496a45e4eff54b74d1a29692e
SSDEEP

12288:8x8IFmbH8yS5XXUrIVcxxn/5IOT2LY/O9bBoY//w:R6y8bRZARhI/LoO9bBoY/4

Score

10^/10

qakbot obama218 1666870886 banker stealer trojan

Malware Config

Extracted

Family

qakbot

Version

404.2

Botnet

obama218

Campaign

1666870886

24.206.27.39:443

1.102.156.146:8707

187.1.1.118:44751

172.117.139.142:995

1.181.118.183:31745

45.35.97.45:443

187.0.1.27:28294

58.247.115.126:995

1.24.9.220:42753

187.1.1.186:48208

112.141.184.246:995

201.223.169.238:32100

68.62.199.70:443

45.49.137.80:443

187.0.1.172:28709

102.159.236.29:443

183.242.1.187:1

186.48.161.130:995

191.33.187.192:2222

154.181.228.27:995

Attributes

salt
SoNuce]ugdiB3c[doMuce2s81*uXmcvP

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4000	1312	WerFault.exe	82

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1312	rundll32.exe
1312	rundll32.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4252 wrote to memory of 1312	4252	rundll32.exe	82
PID 4252 wrote to memory of 1312	4252	rundll32.exe	82
PID 4252 wrote to memory of 1312	4252	rundll32.exe	82

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\mal.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4252
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\mal.dll,#1
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1312
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1312 -s 712
    3⤵
    - Program crash
    PID:4000

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 1312 -ip 1312
1⤵
PID:2320

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1312-133-0x0000000002D50000-0x0000000002D79000-memory.dmp

Filesize
164KB

Download
memory/1312-134-0x0000000002CF0000-0x0000000002D1A000-memory.dmp

Filesize
168KB

Download
memory/1312-135-0x0000000002D50000-0x0000000002D79000-memory.dmp

Filesize
164KB

Download