qakbot | 42f6bdd20fcba580845c8d2b068770295285c80afa76207e62c46daa4d49ac4c

Resubmissions

01-02-2023 16:08

230201-tldxdsaf27 10

01-02-2023 16:02

230201-tg48saae85 1

Analysis

max time kernel
270s
max time network
106s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
01-02-2023 16:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

OI.dll
Size

669KB
MD5

8b2cb58900ed9236439391ce26b563b5
SHA1

9169878c612fa655a6d5fb04ee889cff2c7365b8
SHA256

42f6bdd20fcba580845c8d2b068770295285c80afa76207e62c46daa4d49ac4c
SHA512

b7c6e0c194d470cee85e7611fd893a1832afff5b39493d57e79d6d24ba19c8875313d39f5427d9585df2929f0847a1d5abf275893d51a29527f054e94665c30b
SSDEEP

12288:ubjQRl3iZwl3JBrySD9CkkqC28DWl0RJK2LgAN4c1DZx+vaPpsnRl83+u:uHWZiZCCMCkkbRDeSjcjc1DZUyBsRa

Score

10^/10

qakbot bb12 1675243711 banker stealer trojan

Malware Config

Extracted

Family

qakbot

Version

404.438

Botnet

BB12

Campaign

1675243711

12.172.173.82:2087

95.94.41.77:2222

73.22.121.210:443

200.109.207.186:2222

75.143.236.149:443

69.133.162.35:443

197.148.17.17:2078

82.36.36.76:443

27.0.48.233:443

90.162.45.154:2222

125.20.112.94:443

150.107.231.59:2222

91.82.5.101:443

217.128.91.196:2222

73.161.176.218:443

50.60.157.175:995

190.199.188.186:2222

93.147.235.8:443

183.87.163.165:443

82.121.195.187:2222

Attributes

salt
SoNuce]ugdiB3c[doMuce2s81*uXmcvP

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot

Loads dropped DLL 2 IoCs

pid	Process
1516	rundll32.exe
1516	rundll32.exe

Suspicious behavior: EnumeratesProcesses 60 IoCs

pid	Process
1516	rundll32.exe
1764	wermgr.exe
1764	wermgr.exe
1764	wermgr.exe
1764	wermgr.exe
1764	wermgr.exe
1764	wermgr.exe
1764	wermgr.exe
1764	wermgr.exe
1764	wermgr.exe
1764	wermgr.exe
1764	wermgr.exe
1764	wermgr.exe
1764	wermgr.exe
1764	wermgr.exe
1764	wermgr.exe
1764	wermgr.exe
1764	wermgr.exe
1764	wermgr.exe
1764	wermgr.exe
1764	wermgr.exe
1764	wermgr.exe
1764	wermgr.exe
1764	wermgr.exe
1764	wermgr.exe
1764	wermgr.exe
1764	wermgr.exe
1764	wermgr.exe
1764	wermgr.exe
1764	wermgr.exe
1764	wermgr.exe
1764	wermgr.exe
1764	wermgr.exe
1764	wermgr.exe
1764	wermgr.exe
1764	wermgr.exe
1764	wermgr.exe
1764	wermgr.exe
1764	wermgr.exe
1764	wermgr.exe
1764	wermgr.exe
1764	wermgr.exe
1764	wermgr.exe
1764	wermgr.exe
1764	wermgr.exe
1764	wermgr.exe
1764	wermgr.exe
1764	wermgr.exe
1764	wermgr.exe
1764	wermgr.exe
1764	wermgr.exe
1764	wermgr.exe
1764	wermgr.exe
1764	wermgr.exe
1764	wermgr.exe
1764	wermgr.exe
1764	wermgr.exe
1764	wermgr.exe
1764	wermgr.exe
1764	wermgr.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
1516	rundll32.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 1680 wrote to memory of 2012	1680	rundll32.exe	28
PID 1680 wrote to memory of 2012	1680	rundll32.exe	28
PID 1680 wrote to memory of 2012	1680	rundll32.exe	28
PID 1680 wrote to memory of 2012	1680	rundll32.exe	28
PID 1680 wrote to memory of 2012	1680	rundll32.exe	28
PID 1680 wrote to memory of 2012	1680	rundll32.exe	28
PID 1680 wrote to memory of 2012	1680	rundll32.exe	28
PID 1332 wrote to memory of 2032	1332	cmd.exe	31
PID 1332 wrote to memory of 2032	1332	cmd.exe	31
PID 1332 wrote to memory of 2032	1332	cmd.exe	31
PID 1332 wrote to memory of 376	1332	cmd.exe	32
PID 1332 wrote to memory of 376	1332	cmd.exe	32
PID 1332 wrote to memory of 376	1332	cmd.exe	32
PID 376 wrote to memory of 1516	376	rundll32.exe	33
PID 376 wrote to memory of 1516	376	rundll32.exe	33
PID 376 wrote to memory of 1516	376	rundll32.exe	33
PID 376 wrote to memory of 1516	376	rundll32.exe	33
PID 376 wrote to memory of 1516	376	rundll32.exe	33
PID 376 wrote to memory of 1516	376	rundll32.exe	33
PID 376 wrote to memory of 1516	376	rundll32.exe	33
PID 1516 wrote to memory of 1828	1516	rundll32.exe	34
PID 1516 wrote to memory of 1828	1516	rundll32.exe	34
PID 1516 wrote to memory of 1828	1516	rundll32.exe	34
PID 1516 wrote to memory of 1828	1516	rundll32.exe	34
PID 1516 wrote to memory of 1764	1516	rundll32.exe	35
PID 1516 wrote to memory of 1764	1516	rundll32.exe	35
PID 1516 wrote to memory of 1764	1516	rundll32.exe	35
PID 1516 wrote to memory of 1764	1516	rundll32.exe	35
PID 1516 wrote to memory of 1764	1516	rundll32.exe	35
PID 1516 wrote to memory of 1764	1516	rundll32.exe	35

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\OI.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1680
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\OI.dll,#1
  2⤵
  PID:2012

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1332
- \??\c:\Windows\System32\rundll32.exe
  rundll32.exe
  2⤵
  PID:2032
- \??\c:\Windows\System32\rundll32.exe
  rundll32.exe c:\Users\Admin\AppData\Local\Temp\OI.dll,Wind
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:376
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe c:\Users\Admin\AppData\Local\Temp\OI.dll,Wind
    3⤵
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:1516
  - - C:\Windows\SysWOW64\wermgr.exe
      C:\Windows\SysWOW64\wermgr.exe
      4⤵
      PID:1828
  - - C:\Windows\SysWOW64\wermgr.exe
      C:\Windows\SysWOW64\wermgr.exe
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1764

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\A8DA4333.dll

Filesize
268KB

MD5
53bb811ed12d2c867b354390fabf9612

SHA1
81b29c540c0e2a09385cf7e821639ff64fbffd91

SHA256
a972b482b09e50875c5cdc2cfd6c9b2fa96c9dbf9d23894d0b3061c97145b133

SHA512
5f7b584b9b42b0dc6ebbd3571cac1bc07c16301a994c9891201007c7b8698ef4604b2cc1f7e9a2edb016e50d415a6a9ca390a0df89bab01c889c7d382d2e8d24

Download Submit
\Users\Admin\AppData\Local\Temp\F251CF77.dll

Filesize
268KB

MD5
53bb811ed12d2c867b354390fabf9612

SHA1
81b29c540c0e2a09385cf7e821639ff64fbffd91

SHA256
a972b482b09e50875c5cdc2cfd6c9b2fa96c9dbf9d23894d0b3061c97145b133

SHA512
5f7b584b9b42b0dc6ebbd3571cac1bc07c16301a994c9891201007c7b8698ef4604b2cc1f7e9a2edb016e50d415a6a9ca390a0df89bab01c889c7d382d2e8d24

Download Submit
memory/376-57-0x0000000000000000-mapping.dmp

Download
memory/1516-58-0x0000000000000000-mapping.dmp

Download
memory/1516-60-0x0000000010000000-0x0000000010023000-memory.dmp

Filesize
140KB

Download
memory/1764-67-0x0000000000000000-mapping.dmp

Download
memory/1764-69-0x0000000000080000-0x00000000000A3000-memory.dmp

Filesize
140KB

Download
memory/1764-70-0x0000000000080000-0x00000000000A3000-memory.dmp

Filesize
140KB

Download
memory/2012-54-0x0000000000000000-mapping.dmp

Download
memory/2012-55-0x0000000075281000-0x0000000075283000-memory.dmp

Filesize
8KB

Download
memory/2032-56-0x0000000000000000-mapping.dmp

Download