Analysis

  • max time kernel
    149s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    07/01/2023, 13:26

General

  • Target
    packed_qbot.dll
  • Size
    1.4MB
  • MD5
    d586a82d0083540a98b3285f95c1d94e
  • SHA1
    40f1462b7a5394b59fb595bf5b44a94862f54f63
  • SHA256
    2c6697caf6ced04d06b0926d982c210a8cd300449b1b2423427a337486813316
  • SHA512
    88683d5d5e854af9a50b7ca09a78b1b8a4c9cb36fb4f7854dee2d4de5fc0fe533e3f2fd5096ac1d1fdea1198877c47ea590287046337aa2dfea7fb07c61add1e
  • SSDEEP
    24576:873YrrLEaF0tTHMjuX5PmnKUz3NL3BAYJWDJnh+idFsv3YgPmHFWcD:8n

Malware Config

Extracted

  • Family
    qakbot
  • Version
    403.549
  • Botnet
    obama174
  • Campaign
    1649228671

C2


Attributes
  • salt

    jHxastDcds)oMc=jvh7wdUhxcsdt2

Signatures

  • Qakbot/Qbot

    Qbot or Qakbot is a sophisticated worm with banking capabilities.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Windows\system32\regsvr32.exe
    regsvr32 /s C:\Users\Admin\AppData\Local\Temp\packed_qbot.dll
    PID:4108
    • Suspicious use of WriteProcessMemory
    • C:\Windows\SysWOW64\regsvr32.exe
      /s C:\Users\Admin\AppData\Local\Temp\packed_qbot.dll
      PID:3164
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      • C:\Windows\SysWOW64\explorer.exe
        C:\Windows\SysWOW64\explorer.exe
        PID:4984
        • Suspicious behavior: EnumeratesProcesses

Downloads

  • memory/3164-133-0x0000000010000000-0x000000001006C000-memory.dmp
    Filesize
    432KB
  • memory/4984-140-0x00000000008B0000-0x000000000091C000-memory.dmp
    Filesize
    432KB
  • memory/4984-141-0x00000000008B0000-0x000000000091C000-memory.dmp
    Filesize
    432KB