qakbot | 284f0fabbdfc1172cb1cbf74473321668c4b31789d93158669f6735bec124817

General

Target

d.dll
Size

667KB
MD5

14e10643eb6346b995517d1c1a6de52d
SHA1

e902c68a65b38eb099289b890f055c60d2733010
SHA256

284f0fabbdfc1172cb1cbf74473321668c4b31789d93158669f6735bec124817
SHA512

5621e57ac77fdc47b5898f3a87d43d556bcc215ec33351f225d38e514992c92d66041bdfb55c77c2f127ea9b49b9a2a6fc6e1010d563efaaf24161712027ef5b
SSDEEP

12288:ubjQRl3iZwl3JBrySD9CkkqC28DWl0RJK2LgAN4c1DZx+vaPpsnRlZ3+u:uHWZiZCCMCkkbRDeSjcjc1DZUyBsRD

Score

10^/10

qakbot bb12 1675243711 banker stealer trojan

Malware Config

Extracted

Family

qakbot

Version

404.438

Botnet

BB12

Campaign

1675243711

C2

12.172.173.82:2087

95.94.41.77:2222

73.22.121.210:443

200.109.207.186:2222

75.143.236.149:443

69.133.162.35:443

197.148.17.17:2078

82.36.36.76:443

27.0.48.233:443

90.162.45.154:2222

125.20.112.94:443

150.107.231.59:2222

91.82.5.101:443

217.128.91.196:2222

73.161.176.218:443

50.60.157.175:995

190.199.188.186:2222

93.147.235.8:443

183.87.163.165:443

82.121.195.187:2222

Attributes

salt
SoNuce]ugdiB3c[doMuce2s81*uXmcvP

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot
Loads dropped DLL 4 IoCs

Processes:

rundll32.exerundll32.exe

pid process

2036 rundll32.exe
2036 rundll32.exe
468 rundll32.exe
468 rundll32.exe

Suspicious behavior: EnumeratesProcesses 39 IoCs

Processes:

rundll32.exerundll32.exewermgr.exe

pid	process
2036	rundll32.exe
468	rundll32.exe
1536	wermgr.exe
1536	wermgr.exe
1536	wermgr.exe
1536	wermgr.exe
1536	wermgr.exe
1536	wermgr.exe
1536	wermgr.exe
1536	wermgr.exe
1536	wermgr.exe
1536	wermgr.exe
1536	wermgr.exe
1536	wermgr.exe
1536	wermgr.exe
1536	wermgr.exe
1536	wermgr.exe
1536	wermgr.exe
1536	wermgr.exe
1536	wermgr.exe
1536	wermgr.exe
1536	wermgr.exe
1536	wermgr.exe
1536	wermgr.exe
1536	wermgr.exe
1536	wermgr.exe
1536	wermgr.exe
1536	wermgr.exe
1536	wermgr.exe
1536	wermgr.exe
1536	wermgr.exe
1536	wermgr.exe
1536	wermgr.exe
1536	wermgr.exe
1536	wermgr.exe
1536	wermgr.exe
1536	wermgr.exe
1536	wermgr.exe
1536	wermgr.exe

Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

rundll32.exerundll32.exe

pid process

2036 rundll32.exe
468 rundll32.exe

Suspicious use of WriteProcessMemory 47 IoCs

Processes:

rundll32.execmd.exerundll32.exerundll32.exerundll32.exerundll32.exe

description	pid	process	target process
PID 112 wrote to memory of 1472	112	rundll32.exe	rundll32.exe
PID 112 wrote to memory of 1472	112	rundll32.exe	rundll32.exe
PID 112 wrote to memory of 1472	112	rundll32.exe	rundll32.exe
PID 112 wrote to memory of 1472	112	rundll32.exe	rundll32.exe
PID 112 wrote to memory of 1472	112	rundll32.exe	rundll32.exe
PID 112 wrote to memory of 1472	112	rundll32.exe	rundll32.exe
PID 112 wrote to memory of 1472	112	rundll32.exe	rundll32.exe
PID 1800 wrote to memory of 1516	1800	cmd.exe	rundll32.exe
PID 1800 wrote to memory of 1516	1800	cmd.exe	rundll32.exe
PID 1800 wrote to memory of 1516	1800	cmd.exe	rundll32.exe
PID 1516 wrote to memory of 2036	1516	rundll32.exe	rundll32.exe
PID 1516 wrote to memory of 2036	1516	rundll32.exe	rundll32.exe
PID 1516 wrote to memory of 2036	1516	rundll32.exe	rundll32.exe
PID 1516 wrote to memory of 2036	1516	rundll32.exe	rundll32.exe
PID 1516 wrote to memory of 2036	1516	rundll32.exe	rundll32.exe
PID 1516 wrote to memory of 2036	1516	rundll32.exe	rundll32.exe
PID 1516 wrote to memory of 2036	1516	rundll32.exe	rundll32.exe
PID 1800 wrote to memory of 760	1800	cmd.exe	rundll32.exe
PID 1800 wrote to memory of 760	1800	cmd.exe	rundll32.exe
PID 1800 wrote to memory of 760	1800	cmd.exe	rundll32.exe
PID 760 wrote to memory of 468	760	rundll32.exe	rundll32.exe
PID 760 wrote to memory of 468	760	rundll32.exe	rundll32.exe
PID 760 wrote to memory of 468	760	rundll32.exe	rundll32.exe
PID 760 wrote to memory of 468	760	rundll32.exe	rundll32.exe
PID 760 wrote to memory of 468	760	rundll32.exe	rundll32.exe
PID 760 wrote to memory of 468	760	rundll32.exe	rundll32.exe
PID 760 wrote to memory of 468	760	rundll32.exe	rundll32.exe
PID 2036 wrote to memory of 608	2036	rundll32.exe	wermgr.exe
PID 2036 wrote to memory of 608	2036	rundll32.exe	wermgr.exe
PID 2036 wrote to memory of 608	2036	rundll32.exe	wermgr.exe
PID 2036 wrote to memory of 608	2036	rundll32.exe	wermgr.exe
PID 2036 wrote to memory of 1536	2036	rundll32.exe	wermgr.exe
PID 2036 wrote to memory of 1536	2036	rundll32.exe	wermgr.exe
PID 2036 wrote to memory of 1536	2036	rundll32.exe	wermgr.exe
PID 2036 wrote to memory of 1536	2036	rundll32.exe	wermgr.exe
PID 2036 wrote to memory of 1536	2036	rundll32.exe	wermgr.exe
PID 2036 wrote to memory of 1536	2036	rundll32.exe	wermgr.exe
PID 468 wrote to memory of 1696	468	rundll32.exe	wermgr.exe
PID 468 wrote to memory of 1696	468	rundll32.exe	wermgr.exe
PID 468 wrote to memory of 1696	468	rundll32.exe	wermgr.exe
PID 468 wrote to memory of 1696	468	rundll32.exe	wermgr.exe
PID 468 wrote to memory of 2020	468	rundll32.exe	wermgr.exe
PID 468 wrote to memory of 2020	468	rundll32.exe	wermgr.exe
PID 468 wrote to memory of 2020	468	rundll32.exe	wermgr.exe
PID 468 wrote to memory of 2020	468	rundll32.exe	wermgr.exe
PID 468 wrote to memory of 2020	468	rundll32.exe	wermgr.exe
PID 468 wrote to memory of 2020	468	rundll32.exe	wermgr.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\d.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:112

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\d.dll,#1
2⤵
PID:1472

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1800

C:\Windows\system32\rundll32.exe
rundll32.exe d.dll,Wind
2⤵
- Suspicious use of WriteProcessMemory
PID:1516

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe d.dll,Wind
3⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2036

C:\Windows\SysWOW64\wermgr.exe
C:\Windows\SysWOW64\wermgr.exe
4⤵
PID:608

C:\Windows\SysWOW64\wermgr.exe
C:\Windows\SysWOW64\wermgr.exe
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:1536

C:\Windows\system32\rundll32.exe
rundll32.exe d.dll,Wind
2⤵
- Suspicious use of WriteProcessMemory
PID:760

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe d.dll,Wind
3⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:468

C:\Windows\SysWOW64\wermgr.exe
C:\Windows\SysWOW64\wermgr.exe
4⤵
PID:1696

C:\Windows\SysWOW64\wermgr.exe
C:\Windows\SysWOW64\wermgr.exe
4⤵
PID:2020

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\d.dll
Filesize
4KB

MD5
2df025b80d2f6e564d0552ee8c2f136f

SHA1
fb5aee23cfb62c26ba4e3d870c9955a70d7bd27b

SHA256
b531d617effa5e6b5230cf5ad95362ed66bfbe28951d4b57c64beb63a1275791

SHA512
6923a2d07947f6251d3637951e18cc5141cef646b69ad7f4074e0912338ccf291a354d0691b7f94a2d2e46116864c771f8b87dbf0f7a1aca7e99cf621e35cb86

Download Submit
\Users\Admin\AppData\Local\Temp\5D485A49.dll
Filesize
268KB

MD5
53bb811ed12d2c867b354390fabf9612

SHA1
81b29c540c0e2a09385cf7e821639ff64fbffd91

SHA256
a972b482b09e50875c5cdc2cfd6c9b2fa96c9dbf9d23894d0b3061c97145b133

SHA512
5f7b584b9b42b0dc6ebbd3571cac1bc07c16301a994c9891201007c7b8698ef4604b2cc1f7e9a2edb016e50d415a6a9ca390a0df89bab01c889c7d382d2e8d24

Download Submit
\Users\Admin\AppData\Local\Temp\76A3B2D1.dll
Filesize
268KB

MD5
53bb811ed12d2c867b354390fabf9612

SHA1
81b29c540c0e2a09385cf7e821639ff64fbffd91

SHA256
a972b482b09e50875c5cdc2cfd6c9b2fa96c9dbf9d23894d0b3061c97145b133

SHA512
5f7b584b9b42b0dc6ebbd3571cac1bc07c16301a994c9891201007c7b8698ef4604b2cc1f7e9a2edb016e50d415a6a9ca390a0df89bab01c889c7d382d2e8d24

Download Submit
\Users\Admin\AppData\Local\Temp\B31D4DC1.dll
Filesize
268KB

MD5
53bb811ed12d2c867b354390fabf9612

SHA1
81b29c540c0e2a09385cf7e821639ff64fbffd91

SHA256
a972b482b09e50875c5cdc2cfd6c9b2fa96c9dbf9d23894d0b3061c97145b133

SHA512
5f7b584b9b42b0dc6ebbd3571cac1bc07c16301a994c9891201007c7b8698ef4604b2cc1f7e9a2edb016e50d415a6a9ca390a0df89bab01c889c7d382d2e8d24

Download Submit
\Users\Admin\AppData\Local\Temp\CABC541A.dll
Filesize
268KB

MD5
53bb811ed12d2c867b354390fabf9612

SHA1
81b29c540c0e2a09385cf7e821639ff64fbffd91

SHA256
a972b482b09e50875c5cdc2cfd6c9b2fa96c9dbf9d23894d0b3061c97145b133

SHA512
5f7b584b9b42b0dc6ebbd3571cac1bc07c16301a994c9891201007c7b8698ef4604b2cc1f7e9a2edb016e50d415a6a9ca390a0df89bab01c889c7d382d2e8d24

Download Submit
memory/468-65-0x0000000000000000-mapping.dmp

Download
memory/760-64-0x0000000000000000-mapping.dmp

Download
memory/1472-55-0x0000000074C11000-0x0000000074C13000-memory.dmp

Filesize
8KB

Download
memory/1472-54-0x0000000000000000-mapping.dmp

Download
memory/1516-56-0x0000000000000000-mapping.dmp

Download
memory/1536-74-0x0000000000000000-mapping.dmp

Download
memory/1536-76-0x0000000000080000-0x00000000000A3000-memory.dmp

Filesize
140KB

Download
memory/1536-83-0x0000000000080000-0x00000000000A3000-memory.dmp

Filesize
140KB

Download
memory/2020-79-0x0000000000000000-mapping.dmp

Download
memory/2020-82-0x0000000000080000-0x00000000000A3000-memory.dmp

Filesize
140KB

Download
memory/2036-59-0x0000000010000000-0x0000000010023000-memory.dmp

Filesize
140KB

Download
memory/2036-57-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing