qakbot | a06c213833ae57fff7d9c67495e6430f6a9f89f5950b2806da8df0753a0e20e4

Analysis

max time kernel
150s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
04-11-2022 05:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

pressurization/tricky.dll
Size

755KB
MD5

243c552f305d208b8f5f231e7f3a7f83
SHA1

6b9778430ef2563ddb9198ec2b38822aec518f77
SHA256

3905804a6dba4a25bcc469bbd18dee15e6731cbf47c233997b1829f8dac36276
SHA512

b4edac5aaa0c4a15acc1c091eedcac595d93b68cd6a98e03aad00ee36b0ac10eecb6fe7a9ad626ae7363446629053a76a160ff7cade11c695174dd085da7663d
SSDEEP

12288:FN53TigGAAaYOjrtguXsmPKtbKgvAAfRcJtjm/1kfYuqd7pJeG5mCuq6vU6Pm:FHDiTF6jT5GKg3J8MwYum7p8NCuPvU6e

Score

10^/10

qakbot bb05 1667470599 banker stealer trojan

Malware Config

Extracted

Family

qakbot

Version

404.20

Botnet

BB05

Campaign

1667470599

181.118.183.103:443

92.239.81.124:443

174.58.146.57:443

73.223.248.31:443

86.129.13.178:2222

47.34.30.133:443

89.216.114.179:443

41.44.11.227:995

66.180.227.170:2222

46.229.194.17:443

190.74.248.136:443

88.122.208.197:32100

78.161.38.242:443

89.115.196.99:443

174.0.224.214:443

175.205.2.54:443

136.232.184.134:995

213.194.234.75:995

105.154.112.77:443

174.104.184.149:443

Attributes

salt
SoNuce]ugdiB3c[doMuce2s81*uXmcvP

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1176	rundll32.exe
108	wermgr.exe
108	wermgr.exe
108	wermgr.exe
108	wermgr.exe
108	wermgr.exe
108	wermgr.exe
108	wermgr.exe
108	wermgr.exe
108	wermgr.exe
108	wermgr.exe
108	wermgr.exe
108	wermgr.exe
108	wermgr.exe
108	wermgr.exe
108	wermgr.exe
108	wermgr.exe
108	wermgr.exe
108	wermgr.exe
108	wermgr.exe
108	wermgr.exe
108	wermgr.exe
108	wermgr.exe
108	wermgr.exe
108	wermgr.exe
108	wermgr.exe
108	wermgr.exe
108	wermgr.exe
108	wermgr.exe
108	wermgr.exe
108	wermgr.exe
108	wermgr.exe
108	wermgr.exe
108	wermgr.exe
108	wermgr.exe
108	wermgr.exe
108	wermgr.exe
108	wermgr.exe
108	wermgr.exe
108	wermgr.exe
108	wermgr.exe
108	wermgr.exe
108	wermgr.exe
108	wermgr.exe
108	wermgr.exe
108	wermgr.exe
108	wermgr.exe
108	wermgr.exe
108	wermgr.exe
108	wermgr.exe
108	wermgr.exe
108	wermgr.exe
108	wermgr.exe
108	wermgr.exe
108	wermgr.exe
108	wermgr.exe
108	wermgr.exe
108	wermgr.exe
108	wermgr.exe
108	wermgr.exe
108	wermgr.exe
108	wermgr.exe
108	wermgr.exe
108	wermgr.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
1176	rundll32.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 1336 wrote to memory of 1176	1336	rundll32.exe	27
PID 1336 wrote to memory of 1176	1336	rundll32.exe	27
PID 1336 wrote to memory of 1176	1336	rundll32.exe	27
PID 1336 wrote to memory of 1176	1336	rundll32.exe	27
PID 1336 wrote to memory of 1176	1336	rundll32.exe	27
PID 1336 wrote to memory of 1176	1336	rundll32.exe	27
PID 1336 wrote to memory of 1176	1336	rundll32.exe	27
PID 1176 wrote to memory of 108	1176	rundll32.exe	28
PID 1176 wrote to memory of 108	1176	rundll32.exe	28
PID 1176 wrote to memory of 108	1176	rundll32.exe	28
PID 1176 wrote to memory of 108	1176	rundll32.exe	28
PID 1176 wrote to memory of 108	1176	rundll32.exe	28
PID 1176 wrote to memory of 108	1176	rundll32.exe	28

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\pressurization\tricky.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1336
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\pressurization\tricky.dll,#1
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:1176
- - C:\Windows\SysWOW64\wermgr.exe
    C:\Windows\SysWOW64\wermgr.exe
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:108

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/108-65-0x0000000000080000-0x00000000000AA000-memory.dmp

Filesize
168KB

Download
memory/108-66-0x0000000000080000-0x00000000000AA000-memory.dmp

Filesize
168KB

Download
memory/1176-55-0x00000000762D1000-0x00000000762D3000-memory.dmp

Filesize
8KB

Download
memory/1176-56-0x0000000000240000-0x00000000002FF000-memory.dmp

Filesize
764KB

Download
memory/1176-57-0x0000000001F40000-0x0000000001F6A000-memory.dmp

Filesize
168KB

Download
memory/1176-59-0x0000000001F40000-0x0000000001F6A000-memory.dmp

Filesize
168KB

Download
memory/1176-58-0x0000000001F40000-0x0000000001F6A000-memory.dmp

Filesize
168KB

Download
memory/1176-60-0x0000000000430000-0x000000000045D000-memory.dmp

Filesize
180KB

Download
memory/1176-61-0x0000000001F40000-0x0000000001F6A000-memory.dmp

Filesize
168KB

Download
memory/1176-64-0x0000000001F40000-0x0000000001F6A000-memory.dmp

Filesize
168KB

Download