qakbot | 6dfad8c5a6a3e85dd5b9f9aab41729320774b7afe0494b05fbb7627a6e59df75

General

Target

1.dll
Size

798KB
MD5

f6802a45a09c3b62b2d59bc30f4c0eb1
SHA1

66b7672e5520c62398a3374ed935786111889126
SHA256

6dfad8c5a6a3e85dd5b9f9aab41729320774b7afe0494b05fbb7627a6e59df75
SHA512

3c43248506b87c258208e7417d66077a5d2793f2839bd42236e7b0506527e8cfc028f8977d31e3331e2ff4c088e137bd56f9ebf0caab809a8634c2c1a50cf61e
SSDEEP

24576:sikjPg+4QceLhb6fMYaq4RPaOFmyjAjX:Bk0YBq6fjqX

Score

10^/10

qakbot bb12 1675161160 banker stealer trojan

Malware Config

Extracted

Family

qakbot

Version

404.432

Botnet

BB12

Campaign

1675161160

C2

114.143.176.234:443

88.126.94.4:50000

103.252.7.228:443

87.10.205.117:443

82.15.58.109:2222

72.80.7.6:995

90.162.45.154:2222

47.34.30.133:443

50.68.204.71:993

112.141.184.246:995

73.165.119.20:443

91.169.12.198:32100

173.18.126.3:443

87.56.238.53:443

85.241.180.94:443

12.172.173.82:50001

92.154.17.149:2222

103.42.86.246:995

12.172.173.82:990

91.254.132.23:443

Attributes

salt
SoNuce]ugdiB3c[doMuce2s81*uXmcvP

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot
Loads dropped DLL 2 IoCs

Processes:

rundll32.exe

pid process

892 rundll32.exe
892 rundll32.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exewermgr.exe

pid	process
892	rundll32.exe
568	wermgr.exe
568	wermgr.exe
568	wermgr.exe
568	wermgr.exe
568	wermgr.exe
568	wermgr.exe
568	wermgr.exe
568	wermgr.exe
568	wermgr.exe
568	wermgr.exe
568	wermgr.exe
568	wermgr.exe
568	wermgr.exe
568	wermgr.exe
568	wermgr.exe
568	wermgr.exe
568	wermgr.exe
568	wermgr.exe
568	wermgr.exe
568	wermgr.exe
568	wermgr.exe
568	wermgr.exe
568	wermgr.exe
568	wermgr.exe
568	wermgr.exe
568	wermgr.exe
568	wermgr.exe
568	wermgr.exe
568	wermgr.exe
568	wermgr.exe
568	wermgr.exe
568	wermgr.exe
568	wermgr.exe
568	wermgr.exe
568	wermgr.exe
568	wermgr.exe
568	wermgr.exe
568	wermgr.exe
568	wermgr.exe
568	wermgr.exe
568	wermgr.exe
568	wermgr.exe
568	wermgr.exe
568	wermgr.exe
568	wermgr.exe
568	wermgr.exe
568	wermgr.exe
568	wermgr.exe
568	wermgr.exe
568	wermgr.exe
568	wermgr.exe
568	wermgr.exe
568	wermgr.exe
568	wermgr.exe
568	wermgr.exe
568	wermgr.exe
568	wermgr.exe
568	wermgr.exe
568	wermgr.exe
568	wermgr.exe
568	wermgr.exe
568	wermgr.exe
568	wermgr.exe

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

rundll32.exe

pid process

892 rundll32.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 1632 wrote to memory of 892	1632	rundll32.exe	rundll32.exe
PID 1632 wrote to memory of 892	1632	rundll32.exe	rundll32.exe
PID 1632 wrote to memory of 892	1632	rundll32.exe	rundll32.exe
PID 1632 wrote to memory of 892	1632	rundll32.exe	rundll32.exe
PID 1632 wrote to memory of 892	1632	rundll32.exe	rundll32.exe
PID 1632 wrote to memory of 892	1632	rundll32.exe	rundll32.exe
PID 1632 wrote to memory of 892	1632	rundll32.exe	rundll32.exe
PID 892 wrote to memory of 656	892	rundll32.exe	wermgr.exe
PID 892 wrote to memory of 656	892	rundll32.exe	wermgr.exe
PID 892 wrote to memory of 656	892	rundll32.exe	wermgr.exe
PID 892 wrote to memory of 656	892	rundll32.exe	wermgr.exe
PID 892 wrote to memory of 568	892	rundll32.exe	wermgr.exe
PID 892 wrote to memory of 568	892	rundll32.exe	wermgr.exe
PID 892 wrote to memory of 568	892	rundll32.exe	wermgr.exe
PID 892 wrote to memory of 568	892	rundll32.exe	wermgr.exe
PID 892 wrote to memory of 568	892	rundll32.exe	wermgr.exe
PID 892 wrote to memory of 568	892	rundll32.exe	wermgr.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\1.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1632

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\1.dll,#1
2⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:892

C:\Windows\SysWOW64\wermgr.exe
C:\Windows\SysWOW64\wermgr.exe
3⤵
PID:656

C:\Windows\SysWOW64\wermgr.exe
C:\Windows\SysWOW64\wermgr.exe
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:568

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\2578197E.dll
Filesize
268KB

MD5
53bb811ed12d2c867b354390fabf9612

SHA1
81b29c540c0e2a09385cf7e821639ff64fbffd91

SHA256
a972b482b09e50875c5cdc2cfd6c9b2fa96c9dbf9d23894d0b3061c97145b133

SHA512
5f7b584b9b42b0dc6ebbd3571cac1bc07c16301a994c9891201007c7b8698ef4604b2cc1f7e9a2edb016e50d415a6a9ca390a0df89bab01c889c7d382d2e8d24

Download Submit
\Users\Admin\AppData\Local\Temp\B1AEA159.dll
Filesize
268KB

MD5
53bb811ed12d2c867b354390fabf9612

SHA1
81b29c540c0e2a09385cf7e821639ff64fbffd91

SHA256
a972b482b09e50875c5cdc2cfd6c9b2fa96c9dbf9d23894d0b3061c97145b133

SHA512
5f7b584b9b42b0dc6ebbd3571cac1bc07c16301a994c9891201007c7b8698ef4604b2cc1f7e9a2edb016e50d415a6a9ca390a0df89bab01c889c7d382d2e8d24

Download Submit
memory/568-68-0x0000000000080000-0x00000000000A3000-memory.dmp

Filesize
140KB

Download
memory/568-67-0x0000000000080000-0x00000000000A3000-memory.dmp

Filesize
140KB

Download
memory/568-64-0x0000000000000000-mapping.dmp

Download
memory/892-57-0x00000000007B0000-0x00000000007D3000-memory.dmp

Filesize
140KB

Download
memory/892-60-0x00000000007F0000-0x0000000000822000-memory.dmp

Filesize
200KB

Download
memory/892-61-0x00000000007B0000-0x00000000007D3000-memory.dmp

Filesize
140KB

Download
memory/892-59-0x00000000007B0000-0x00000000007D3000-memory.dmp

Filesize
140KB

Download
memory/892-58-0x00000000007B0000-0x00000000007D3000-memory.dmp

Filesize
140KB

Download
memory/892-54-0x0000000000000000-mapping.dmp

Download
memory/892-66-0x00000000007B0000-0x00000000007D3000-memory.dmp

Filesize
140KB

Download
memory/892-56-0x00000000006E0000-0x00000000007AA000-memory.dmp

Filesize
808KB

Download
memory/892-55-0x0000000075DF1000-0x0000000075DF3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing