qakbot | 04e728e2b6adc761a8d17b8dd354be060a050b07ac2ff3fe64103c65dccdee68

Analysis

max time kernel
150s
max time network
52s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
03/11/2022, 15:12

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

sketched.dll
Size

573KB
MD5

ef79265d5ddaa3b3faffdc78415c68fc
SHA1

f0a0fc3ee6b0060791ae0fdbd599166f791ce5b7
SHA256

04e728e2b6adc761a8d17b8dd354be060a050b07ac2ff3fe64103c65dccdee68
SHA512

ff622a1f3ae659b9439b125a710fc2a8a92168daef57a2b4a37b0a68e4435522a59d8043e98cd3aa0c1b880e4e2bd6f5dc01a5512435b15031dff44f2a8a9d27
SSDEEP

12288:2ahjmQWJTT3QHljUn6UFsRnlpf/lEHunLQuiXvgmNm4aZ:nhylRjQFA6UFsFlpftEOnLq/m

Score

10^/10

qakbot bb05 1667470564 banker stealer trojan

Malware Config

Extracted

Family

qakbot

Version

404.20

Botnet

BB05

Campaign

1667470564

181.118.183.103:443

187.0.1.73:57336

41.44.11.227:995

1.66.180.227:43528

187.0.1.190:19192

174.0.224.214:443

1.175.205.2:13825

109.159.119.162:2222

45.49.137.80:443

1.92.24.200:57859

149.126.159.224:443

1.91.68.227:56065

82.141.152.214:443

212.251.122.147:995

92.185.204.18:2078

1.172.249.99:36616

187.1.1.190:6189

80.0.74.165:443

209.0.1.81:40739

197.204.182.47:443

Attributes

salt
SoNuce]ugdiB3c[doMuce2s81*uXmcvP

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1524	regsvr32.exe
672	wermgr.exe
672	wermgr.exe
672	wermgr.exe
672	wermgr.exe
672	wermgr.exe
672	wermgr.exe
672	wermgr.exe
672	wermgr.exe
672	wermgr.exe
672	wermgr.exe
672	wermgr.exe
672	wermgr.exe
672	wermgr.exe
672	wermgr.exe
672	wermgr.exe
672	wermgr.exe
672	wermgr.exe
672	wermgr.exe
672	wermgr.exe
672	wermgr.exe
672	wermgr.exe
672	wermgr.exe
672	wermgr.exe
672	wermgr.exe
672	wermgr.exe
672	wermgr.exe
672	wermgr.exe
672	wermgr.exe
672	wermgr.exe
672	wermgr.exe
672	wermgr.exe
672	wermgr.exe
672	wermgr.exe
672	wermgr.exe
672	wermgr.exe
672	wermgr.exe
672	wermgr.exe
672	wermgr.exe
672	wermgr.exe
672	wermgr.exe
672	wermgr.exe
672	wermgr.exe
672	wermgr.exe
672	wermgr.exe
672	wermgr.exe
672	wermgr.exe
672	wermgr.exe
672	wermgr.exe
672	wermgr.exe
672	wermgr.exe
672	wermgr.exe
672	wermgr.exe
672	wermgr.exe
672	wermgr.exe
672	wermgr.exe
672	wermgr.exe
672	wermgr.exe
672	wermgr.exe
672	wermgr.exe
672	wermgr.exe
672	wermgr.exe
672	wermgr.exe
672	wermgr.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
1524	regsvr32.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 1328 wrote to memory of 1524	1328	regsvr32.exe	27
PID 1328 wrote to memory of 1524	1328	regsvr32.exe	27
PID 1328 wrote to memory of 1524	1328	regsvr32.exe	27
PID 1328 wrote to memory of 1524	1328	regsvr32.exe	27
PID 1328 wrote to memory of 1524	1328	regsvr32.exe	27
PID 1328 wrote to memory of 1524	1328	regsvr32.exe	27
PID 1328 wrote to memory of 1524	1328	regsvr32.exe	27
PID 1524 wrote to memory of 672	1524	regsvr32.exe	28
PID 1524 wrote to memory of 672	1524	regsvr32.exe	28
PID 1524 wrote to memory of 672	1524	regsvr32.exe	28
PID 1524 wrote to memory of 672	1524	regsvr32.exe	28
PID 1524 wrote to memory of 672	1524	regsvr32.exe	28
PID 1524 wrote to memory of 672	1524	regsvr32.exe	28

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\sketched.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:1328
- C:\Windows\SysWOW64\regsvr32.exe
  /s C:\Users\Admin\AppData\Local\Temp\sketched.dll
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:1524
- - C:\Windows\SysWOW64\wermgr.exe
    C:\Windows\SysWOW64\wermgr.exe
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:672

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/672-65-0x0000000000080000-0x00000000000AA000-memory.dmp

Filesize
168KB

Download
memory/672-66-0x0000000000080000-0x00000000000AA000-memory.dmp

Filesize
168KB

Download
memory/1328-54-0x000007FEFBC31000-0x000007FEFBC33000-memory.dmp

Filesize
8KB

Download
memory/1524-56-0x0000000075FE1000-0x0000000075FE3000-memory.dmp

Filesize
8KB

Download
memory/1524-57-0x00000000008F0000-0x000000000091A000-memory.dmp

Filesize
168KB

Download
memory/1524-58-0x00000000008F0000-0x000000000091A000-memory.dmp

Filesize
168KB

Download
memory/1524-59-0x0000000000250000-0x000000000027C000-memory.dmp

Filesize
176KB

Download
memory/1524-60-0x00000000008F0000-0x0000000000970000-memory.dmp

Filesize
512KB

Download
memory/1524-61-0x00000000008F0000-0x0000000000970000-memory.dmp

Filesize
512KB

Download
memory/1524-64-0x00000000008F0000-0x000000000091A000-memory.dmp

Filesize
168KB

Download