qakbot | 2462dfb39f340d8dcc18b659f9b4ffafbf5dc4a0e4347d56a19f873497a0e494

Analysis

max time kernel
150s
max time network
44s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
31/10/2022, 17:44

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

selectable/dissatisfying.dll
Size

421KB
MD5

f64eb422a75b24a5c17652170378be83
SHA1

c046c28bffd587f07791b9dbf9b44e94d09c3f1a
SHA256

d4d435b2af9729aa9ce933182024508b8d89be94e88a91734f8d8719bb660f9a
SHA512

ffab3655152b44af3e963249e23e0957c664d2f0acbe1e46daf2207cc52bf0b2ab983f4b50a4685373f1ee307f7de81c5876a1e09e95390ae432b8de59a684d3
SSDEEP

6144:MkbHJhzU/Gr+acU2gqnEIzGOEBPepzn6WX1LB5QpK1K0we5itwWUTIAO7V:dheLacnx5dFBOpawe5iFP1V

Score

10^/10

qakbot bb05 1667208499 banker stealer trojan

Malware Config

Extracted

Family

qakbot

Version

404.14

Botnet

BB05

Campaign

1667208499

174.77.209.5:443

187.0.1.74:23795

24.206.27.39:443

1.156.220.169:30723

156.216.39.119:995

58.186.75.42:443

1.156.197.160:30467

187.1.1.190:4844

186.18.210.16:443

1.181.56.171:771

90.165.109.4:2222

187.0.1.186:39742

87.57.13.215:443

187.0.1.207:52344

227.26.3.227:1

98.207.190.55:443

187.0.1.197:7017

188.49.56.189:443

102.156.160.115:443

187.0.1.24:17751

Attributes

salt
SoNuce]ugdiB3c[doMuce2s81*uXmcvP

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1116	regsvr32.exe
1396	wermgr.exe
1396	wermgr.exe
1396	wermgr.exe
1396	wermgr.exe
1396	wermgr.exe
1396	wermgr.exe
1396	wermgr.exe
1396	wermgr.exe
1396	wermgr.exe
1396	wermgr.exe
1396	wermgr.exe
1396	wermgr.exe
1396	wermgr.exe
1396	wermgr.exe
1396	wermgr.exe
1396	wermgr.exe
1396	wermgr.exe
1396	wermgr.exe
1396	wermgr.exe
1396	wermgr.exe
1396	wermgr.exe
1396	wermgr.exe
1396	wermgr.exe
1396	wermgr.exe
1396	wermgr.exe
1396	wermgr.exe
1396	wermgr.exe
1396	wermgr.exe
1396	wermgr.exe
1396	wermgr.exe
1396	wermgr.exe
1396	wermgr.exe
1396	wermgr.exe
1396	wermgr.exe
1396	wermgr.exe
1396	wermgr.exe
1396	wermgr.exe
1396	wermgr.exe
1396	wermgr.exe
1396	wermgr.exe
1396	wermgr.exe
1396	wermgr.exe
1396	wermgr.exe
1396	wermgr.exe
1396	wermgr.exe
1396	wermgr.exe
1396	wermgr.exe
1396	wermgr.exe
1396	wermgr.exe
1396	wermgr.exe
1396	wermgr.exe
1396	wermgr.exe
1396	wermgr.exe
1396	wermgr.exe
1396	wermgr.exe
1396	wermgr.exe
1396	wermgr.exe
1396	wermgr.exe
1396	wermgr.exe
1396	wermgr.exe
1396	wermgr.exe
1396	wermgr.exe
1396	wermgr.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
1116	regsvr32.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 1476 wrote to memory of 1116	1476	regsvr32.exe	27
PID 1476 wrote to memory of 1116	1476	regsvr32.exe	27
PID 1476 wrote to memory of 1116	1476	regsvr32.exe	27
PID 1476 wrote to memory of 1116	1476	regsvr32.exe	27
PID 1476 wrote to memory of 1116	1476	regsvr32.exe	27
PID 1476 wrote to memory of 1116	1476	regsvr32.exe	27
PID 1476 wrote to memory of 1116	1476	regsvr32.exe	27
PID 1116 wrote to memory of 1396	1116	regsvr32.exe	28
PID 1116 wrote to memory of 1396	1116	regsvr32.exe	28
PID 1116 wrote to memory of 1396	1116	regsvr32.exe	28
PID 1116 wrote to memory of 1396	1116	regsvr32.exe	28
PID 1116 wrote to memory of 1396	1116	regsvr32.exe	28
PID 1116 wrote to memory of 1396	1116	regsvr32.exe	28

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\selectable\dissatisfying.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:1476
- C:\Windows\SysWOW64\regsvr32.exe
  /s C:\Users\Admin\AppData\Local\Temp\selectable\dissatisfying.dll
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:1116
- - C:\Windows\SysWOW64\wermgr.exe
    C:\Windows\SysWOW64\wermgr.exe
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1396

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1116-56-0x0000000074C11000-0x0000000074C13000-memory.dmp

Filesize
8KB

Download
memory/1116-57-0x0000000000420000-0x00000000004A0000-memory.dmp

Filesize
512KB

Download
memory/1116-58-0x00000000001F0000-0x000000000021A000-memory.dmp

Filesize
168KB

Download
memory/1116-59-0x0000000000420000-0x00000000004A0000-memory.dmp

Filesize
512KB

Download
memory/1116-60-0x00000000001F0000-0x000000000021A000-memory.dmp

Filesize
168KB

Download
memory/1116-63-0x00000000001F0000-0x000000000021A000-memory.dmp

Filesize
168KB

Download
memory/1396-64-0x0000000000080000-0x00000000000AA000-memory.dmp

Filesize
168KB

Download
memory/1396-65-0x0000000000080000-0x00000000000AA000-memory.dmp

Filesize
168KB

Download
memory/1476-54-0x000007FEFB5D1000-0x000007FEFB5D3000-memory.dmp

Filesize
8KB

Download