qakbot | 42f6bdd20fcba580845c8d2b068770295285c80afa76207e62c46daa4d49ac4c

Resubmissions

01-02-2023 16:08

230201-tldxdsaf27 10

01-02-2023 16:02

230201-tg48saae85 1

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
01-02-2023 16:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

OI.dll
Size

669KB
MD5

8b2cb58900ed9236439391ce26b563b5
SHA1

9169878c612fa655a6d5fb04ee889cff2c7365b8
SHA256

42f6bdd20fcba580845c8d2b068770295285c80afa76207e62c46daa4d49ac4c
SHA512

b7c6e0c194d470cee85e7611fd893a1832afff5b39493d57e79d6d24ba19c8875313d39f5427d9585df2929f0847a1d5abf275893d51a29527f054e94665c30b
SSDEEP

12288:ubjQRl3iZwl3JBrySD9CkkqC28DWl0RJK2LgAN4c1DZx+vaPpsnRl83+u:uHWZiZCCMCkkbRDeSjcjc1DZUyBsRa

Score

10^/10

qakbot bb12 1675243711 banker stealer trojan

Malware Config

Extracted

Family

qakbot

Version

404.438

Botnet

BB12

Campaign

1675243711

12.172.173.82:2087

95.94.41.77:2222

73.22.121.210:443

200.109.207.186:2222

75.143.236.149:443

69.133.162.35:443

197.148.17.17:2078

82.36.36.76:443

27.0.48.233:443

90.162.45.154:2222

125.20.112.94:443

150.107.231.59:2222

91.82.5.101:443

217.128.91.196:2222

73.161.176.218:443

50.60.157.175:995

190.199.188.186:2222

93.147.235.8:443

183.87.163.165:443

82.121.195.187:2222

Attributes

salt
SoNuce]ugdiB3c[doMuce2s81*uXmcvP

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot
Loads dropped DLL 2 IoCs

Processes:

rundll32.exe

pid process

2156 rundll32.exe
2156 rundll32.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exewermgr.exe

pid	process
2156	rundll32.exe
2156	rundll32.exe
3132	wermgr.exe
3132	wermgr.exe
3132	wermgr.exe
3132	wermgr.exe
3132	wermgr.exe
3132	wermgr.exe
3132	wermgr.exe
3132	wermgr.exe
3132	wermgr.exe
3132	wermgr.exe
3132	wermgr.exe
3132	wermgr.exe
3132	wermgr.exe
3132	wermgr.exe
3132	wermgr.exe
3132	wermgr.exe
3132	wermgr.exe
3132	wermgr.exe
3132	wermgr.exe
3132	wermgr.exe
3132	wermgr.exe
3132	wermgr.exe
3132	wermgr.exe
3132	wermgr.exe
3132	wermgr.exe
3132	wermgr.exe
3132	wermgr.exe
3132	wermgr.exe
3132	wermgr.exe
3132	wermgr.exe
3132	wermgr.exe
3132	wermgr.exe
3132	wermgr.exe
3132	wermgr.exe
3132	wermgr.exe
3132	wermgr.exe
3132	wermgr.exe
3132	wermgr.exe
3132	wermgr.exe
3132	wermgr.exe
3132	wermgr.exe
3132	wermgr.exe
3132	wermgr.exe
3132	wermgr.exe
3132	wermgr.exe
3132	wermgr.exe
3132	wermgr.exe
3132	wermgr.exe
3132	wermgr.exe
3132	wermgr.exe
3132	wermgr.exe
3132	wermgr.exe
3132	wermgr.exe
3132	wermgr.exe
3132	wermgr.exe
3132	wermgr.exe
3132	wermgr.exe
3132	wermgr.exe
3132	wermgr.exe
3132	wermgr.exe
3132	wermgr.exe
3132	wermgr.exe

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

rundll32.exe

pid process

2156 rundll32.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

rundll32.execmd.exerundll32.exerundll32.exe

description	pid	process	target process
PID 4804 wrote to memory of 4728	4804	rundll32.exe	rundll32.exe
PID 4804 wrote to memory of 4728	4804	rundll32.exe	rundll32.exe
PID 4804 wrote to memory of 4728	4804	rundll32.exe	rundll32.exe
PID 3356 wrote to memory of 1456	3356	cmd.exe	rundll32.exe
PID 3356 wrote to memory of 1456	3356	cmd.exe	rundll32.exe
PID 1456 wrote to memory of 2156	1456	rundll32.exe	rundll32.exe
PID 1456 wrote to memory of 2156	1456	rundll32.exe	rundll32.exe
PID 1456 wrote to memory of 2156	1456	rundll32.exe	rundll32.exe
PID 2156 wrote to memory of 4672	2156	rundll32.exe	wermgr.exe
PID 2156 wrote to memory of 4672	2156	rundll32.exe	wermgr.exe
PID 2156 wrote to memory of 4672	2156	rundll32.exe	wermgr.exe
PID 2156 wrote to memory of 3132	2156	rundll32.exe	wermgr.exe
PID 2156 wrote to memory of 3132	2156	rundll32.exe	wermgr.exe
PID 2156 wrote to memory of 3132	2156	rundll32.exe	wermgr.exe
PID 2156 wrote to memory of 3132	2156	rundll32.exe	wermgr.exe
PID 2156 wrote to memory of 3132	2156	rundll32.exe	wermgr.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\OI.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4804

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\OI.dll,#1
2⤵
PID:4728

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3356

C:\Windows\System32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\OI.dll,Wind
2⤵
- Suspicious use of WriteProcessMemory
PID:1456

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\OI.dll,Wind
3⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2156

C:\Windows\SysWOW64\wermgr.exe
C:\Windows\SysWOW64\wermgr.exe
4⤵
PID:4672

C:\Windows\SysWOW64\wermgr.exe
C:\Windows\SysWOW64\wermgr.exe
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:3132

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5E460C92.dll
Filesize
2.1MB

MD5
f530495445432d6ae00f2b0f08f7c804

SHA1
f66f538b95b1a924c8392fbe7743d193d78eb50c

SHA256
5cc51f26704eef3b59e6d33ea690fa5c62237627269493ead5bad6f71d2de07b

SHA512
2b44ed622e63014a0d2d613d8bbc1548dd193460ce7711414dc4eb62a2aef69d57c9821f834555539b6a49f584cb46c5e82a9867ab0a0733d78e4f1d032d6ce8

Download Submit
C:\Users\Admin\AppData\Local\Temp\F48BF3EE.dll
Filesize
2.1MB

MD5
f530495445432d6ae00f2b0f08f7c804

SHA1
f66f538b95b1a924c8392fbe7743d193d78eb50c

SHA256
5cc51f26704eef3b59e6d33ea690fa5c62237627269493ead5bad6f71d2de07b

SHA512
2b44ed622e63014a0d2d613d8bbc1548dd193460ce7711414dc4eb62a2aef69d57c9821f834555539b6a49f584cb46c5e82a9867ab0a0733d78e4f1d032d6ce8

Download Submit
memory/1456-133-0x0000000000000000-mapping.dmp

Download
memory/2156-134-0x0000000000000000-mapping.dmp

Download
memory/2156-135-0x0000000010000000-0x0000000010023000-memory.dmp

Filesize
140KB

Download
memory/3132-142-0x0000000000000000-mapping.dmp

Download
memory/3132-143-0x0000000000FD0000-0x0000000000FF3000-memory.dmp

Filesize
140KB

Download
memory/3132-144-0x0000000000FD0000-0x0000000000FF3000-memory.dmp

Filesize
140KB

Download
memory/4728-132-0x0000000000000000-mapping.dmp

Download