qakbot | 5fb5b0c19b5cd855ce353df538c35dab7f74a1d00f2dbe2ccf06853b150e0dd6

Analysis

max time kernel
304s
max time network
223s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2022 03:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fwpolicyiomgr.dll
Size

156KB
MD5

50ec7cac279ae9cc639f3bc220c6d9b3
SHA1

4511601a140a0e78c83ee80538920a8a4bf609f8
SHA256

5fb5b0c19b5cd855ce353df538c35dab7f74a1d00f2dbe2ccf06853b150e0dd6
SHA512

acff6845e6987b4dfc18b18365c3e31eec2954b8df37b06bda72bbe9d5c408923d2b09ae5f8d01a85b03442ea80a46a49c93686763ccc16f5da768602334c2a6
SSDEEP

3072:7bLJEsAXBFa2MAnJuXTx/TBf5cy30O/ya:HFJAXBjJnJqTx/TBxb3f/

Score

10^/10

qakbot bb04 1666604608 banker stealer trojan

Malware Config

Extracted

Family

qakbot

Version

403.1051

Botnet

BB04

Campaign

1666604608

222.117.141.133:443

198.2.51.242:993

27.110.134.202:995

172.117.139.142:995

144.202.15.58:443

193.3.19.137:443

208.78.220.120:443

45.230.169.132:995

102.157.250.192:995

93.156.96.171:443

41.109.170.156:995

58.247.115.126:995

200.233.108.153:995

197.204.107.51:443

201.68.209.47:32101

156.220.185.41:993

37.8.67.5:443

181.164.194.228:443

156.197.230.148:995

175.205.2.54:443

Attributes

salt
SoNuce]ugdiB3c[doMuce2s81*uXmcvP

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot
Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

4704 NOTEPAD.EXE

pid	process
4704	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

regsvr32.exewermgr.exe

pid	process
4824	regsvr32.exe
4824	regsvr32.exe
1792	wermgr.exe
1792	wermgr.exe
1792	wermgr.exe
1792	wermgr.exe
1792	wermgr.exe
1792	wermgr.exe
1792	wermgr.exe
1792	wermgr.exe
1792	wermgr.exe
1792	wermgr.exe
1792	wermgr.exe
1792	wermgr.exe
1792	wermgr.exe
1792	wermgr.exe
1792	wermgr.exe
1792	wermgr.exe
1792	wermgr.exe
1792	wermgr.exe
1792	wermgr.exe
1792	wermgr.exe
1792	wermgr.exe
1792	wermgr.exe
1792	wermgr.exe
1792	wermgr.exe
1792	wermgr.exe
1792	wermgr.exe
1792	wermgr.exe
1792	wermgr.exe
1792	wermgr.exe
1792	wermgr.exe
1792	wermgr.exe
1792	wermgr.exe
1792	wermgr.exe
1792	wermgr.exe
1792	wermgr.exe
1792	wermgr.exe
1792	wermgr.exe
1792	wermgr.exe
1792	wermgr.exe
1792	wermgr.exe
1792	wermgr.exe
1792	wermgr.exe
1792	wermgr.exe
1792	wermgr.exe
1792	wermgr.exe
1792	wermgr.exe
1792	wermgr.exe
1792	wermgr.exe
1792	wermgr.exe
1792	wermgr.exe
1792	wermgr.exe
1792	wermgr.exe
1792	wermgr.exe
1792	wermgr.exe
1792	wermgr.exe
1792	wermgr.exe
1792	wermgr.exe
1792	wermgr.exe
1792	wermgr.exe
1792	wermgr.exe
1792	wermgr.exe
1792	wermgr.exe

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

regsvr32.exe

pid process

4824 regsvr32.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

regsvr32.exeregsvr32.exe

description	pid	process	target process
PID 392 wrote to memory of 4824	392	regsvr32.exe	regsvr32.exe
PID 392 wrote to memory of 4824	392	regsvr32.exe	regsvr32.exe
PID 392 wrote to memory of 4824	392	regsvr32.exe	regsvr32.exe
PID 4824 wrote to memory of 1792	4824	regsvr32.exe	wermgr.exe
PID 4824 wrote to memory of 1792	4824	regsvr32.exe	wermgr.exe
PID 4824 wrote to memory of 1792	4824	regsvr32.exe	wermgr.exe
PID 4824 wrote to memory of 1792	4824	regsvr32.exe	wermgr.exe
PID 4824 wrote to memory of 1792	4824	regsvr32.exe	wermgr.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\fwpolicyiomgr.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:392
- C:\Windows\SysWOW64\regsvr32.exe
  /s C:\Users\Admin\AppData\Local\Temp\fwpolicyiomgr.dll
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:4824
- - C:\Windows\SysWOW64\wermgr.exe
    C:\Windows\SysWOW64\wermgr.exe
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1792

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\SplitSelect.ps1xml
1⤵
- Opens file in notepad (likely ransom note)
PID:4704

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1792-133-0x0000000000000000-mapping.dmp

Download
memory/1792-134-0x00000000001C0000-0x00000000001E9000-memory.dmp

Filesize
164KB

Download
memory/1792-135-0x00000000001C0000-0x00000000001E9000-memory.dmp

Filesize
164KB

Download
memory/4824-132-0x0000000000000000-mapping.dmp

Download