qakbot | a70d230fcf14f2e65d05fdb0585a33010ccf9e45eb429fcf5ff8763dc48198da

Analysis

max time kernel
150s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
06-12-2022 13:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

run.bat
Size

48B
MD5

7d417b8d0568db2290d8896f56c72a04
SHA1

90ab04363811f62afc410b5647381254a9f8af81
SHA256

f44ee57a5ec075a4ae3d63cc4d98a31eae026423bb3748213fac7e8c8f4553e3
SHA512

7aa0129c88cf9081feb356f02c435e636b8331b241a4600e4ae3b104865922469f0cd134655b88243a06959e1412dc5614cc3a4ae76abbac8e35070ce62b98a9

Score

10^/10

qakbot bb08 1669902931 banker stealer trojan

Malware Config

Extracted

Family

qakbot

Version

404.46

Botnet

BB08

Campaign

1669902931

71.46.234.171:443

50.68.204.71:443

186.28.89.170:995

50.68.204.71:993

62.31.130.138:465

152.170.17.136:443

108.162.6.34:995

24.142.218.202:443

67.61.71.201:443

65.95.85.172:2222

50.232.21.70:995

76.184.95.190:993

47.16.69.220:2222

178.169.196.115:443

184.64.44.21:443

12.172.173.82:22

77.126.81.208:443

38.69.136.177:995

174.104.184.149:443

173.18.126.3:443

Attributes

salt
SoNuce]ugdiB3c[doMuce2s81*uXmcvP

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exewermgr.exe

pid	process
1532	rundll32.exe
1740	wermgr.exe
1740	wermgr.exe
1740	wermgr.exe
1740	wermgr.exe
1740	wermgr.exe
1740	wermgr.exe
1740	wermgr.exe
1740	wermgr.exe
1740	wermgr.exe
1740	wermgr.exe
1740	wermgr.exe
1740	wermgr.exe
1740	wermgr.exe
1740	wermgr.exe
1740	wermgr.exe
1740	wermgr.exe
1740	wermgr.exe
1740	wermgr.exe
1740	wermgr.exe
1740	wermgr.exe
1740	wermgr.exe
1740	wermgr.exe
1740	wermgr.exe
1740	wermgr.exe
1740	wermgr.exe
1740	wermgr.exe
1740	wermgr.exe
1740	wermgr.exe
1740	wermgr.exe
1740	wermgr.exe
1740	wermgr.exe
1740	wermgr.exe
1740	wermgr.exe
1740	wermgr.exe
1740	wermgr.exe
1740	wermgr.exe
1740	wermgr.exe
1740	wermgr.exe
1740	wermgr.exe
1740	wermgr.exe
1740	wermgr.exe
1740	wermgr.exe
1740	wermgr.exe
1740	wermgr.exe
1740	wermgr.exe
1740	wermgr.exe
1740	wermgr.exe
1740	wermgr.exe
1740	wermgr.exe
1740	wermgr.exe
1740	wermgr.exe
1740	wermgr.exe
1740	wermgr.exe
1740	wermgr.exe
1740	wermgr.exe
1740	wermgr.exe
1740	wermgr.exe
1740	wermgr.exe
1740	wermgr.exe
1740	wermgr.exe
1740	wermgr.exe
1740	wermgr.exe
1740	wermgr.exe

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

rundll32.exe

pid process

1532 rundll32.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

cmd.exerundll32.exerundll32.exe

description	pid	process	target process
PID 340 wrote to memory of 1320	340	cmd.exe	rundll32.exe
PID 340 wrote to memory of 1320	340	cmd.exe	rundll32.exe
PID 340 wrote to memory of 1320	340	cmd.exe	rundll32.exe
PID 1320 wrote to memory of 1532	1320	rundll32.exe	rundll32.exe
PID 1320 wrote to memory of 1532	1320	rundll32.exe	rundll32.exe
PID 1320 wrote to memory of 1532	1320	rundll32.exe	rundll32.exe
PID 1320 wrote to memory of 1532	1320	rundll32.exe	rundll32.exe
PID 1320 wrote to memory of 1532	1320	rundll32.exe	rundll32.exe
PID 1320 wrote to memory of 1532	1320	rundll32.exe	rundll32.exe
PID 1320 wrote to memory of 1532	1320	rundll32.exe	rundll32.exe
PID 1532 wrote to memory of 1740	1532	rundll32.exe	wermgr.exe
PID 1532 wrote to memory of 1740	1532	rundll32.exe	wermgr.exe
PID 1532 wrote to memory of 1740	1532	rundll32.exe	wermgr.exe
PID 1532 wrote to memory of 1740	1532	rundll32.exe	wermgr.exe
PID 1532 wrote to memory of 1740	1532	rundll32.exe	wermgr.exe
PID 1532 wrote to memory of 1740	1532	rundll32.exe	wermgr.exe

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\run.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:340

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\deciliter.tmp,DrawThemeIcon
2⤵
- Suspicious use of WriteProcessMemory
PID:1320

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\deciliter.tmp,DrawThemeIcon
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1532

C:\Windows\SysWOW64\wermgr.exe
C:\Windows\SysWOW64\wermgr.exe
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:1740

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1320-54-0x0000000000000000-mapping.dmp

Download
memory/1532-55-0x0000000000000000-mapping.dmp

Download
memory/1532-56-0x0000000075771000-0x0000000075773000-memory.dmp

Filesize
8KB

Download
memory/1532-57-0x00000000007E0000-0x0000000000853000-memory.dmp

Filesize
460KB

Download
memory/1532-58-0x0000000000200000-0x000000000022A000-memory.dmp

Filesize
168KB

Download
memory/1532-61-0x0000000000200000-0x000000000022A000-memory.dmp

Filesize
168KB

Download
memory/1740-59-0x0000000000000000-mapping.dmp

Download
memory/1740-62-0x0000000000120000-0x000000000014A000-memory.dmp

Filesize
168KB

Download
memory/1740-63-0x0000000000120000-0x000000000014A000-memory.dmp

Filesize
168KB

Download