qakbot | 232ec42b51df281533c557d9013aa5bbeff130bc6e0cb8de7ef1cf965ed81eb1

General

Target

01.gif.dll
Size

1.0MB
MD5

ddd09db61d8f6565ba41c20695ea3ac2
SHA1

7fe4eb7f1ccc59763e352defc3298f0c208f171b
SHA256

232ec42b51df281533c557d9013aa5bbeff130bc6e0cb8de7ef1cf965ed81eb1
SHA512

4850befa2db86aae62aa0ae951695cd16c54b749bd6de189966b0dc4e14db45e07e9203b07da8b5b1722864cfe4a243ee0de7afd7b95723505ea17eda7c3bc9e
SSDEEP

24576:aHjOfF1vLCeGI4e9GqEMAinTjc7c6LvWxGXaEA5:aAjDjt4cAAfc7bDWxGXw

Score

10^/10

qakbot bb12 1675326103 banker stealer trojan

Malware Config

Extracted

Family

qakbot

Version

404.447

Botnet

BB12

Campaign

1675326103

C2

47.203.227.114:443

1.162.248.14:27393

187.1.1.90:26646

98.145.23.67:443

1.70.77.116:59649

187.0.1.74:8644

12.172.173.82:995

1.109.159.118:15368

187.1.1.182:46185

86.130.9.182:2222

1.217.128.91:50184

70.66.199.12:443

1.27.109.19:23048

209.1.1.184:39300

174.104.184.149:443

1.81.151.102:57345

187.1.1.47:8734

87.202.101.164:50000

1.73.165.119:5121

181.118.206.65:995

Attributes

salt
SoNuce]ugdiB3c[doMuce2s81*uXmcvP

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot
Loads dropped DLL 2 IoCs

Processes:

rundll32.exe

pid process

828 rundll32.exe
828 rundll32.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exewermgr.exe

pid	process
828	rundll32.exe
1156	wermgr.exe
1156	wermgr.exe
1156	wermgr.exe
1156	wermgr.exe
1156	wermgr.exe
1156	wermgr.exe
1156	wermgr.exe
1156	wermgr.exe
1156	wermgr.exe
1156	wermgr.exe
1156	wermgr.exe
1156	wermgr.exe
1156	wermgr.exe
1156	wermgr.exe
1156	wermgr.exe
1156	wermgr.exe
1156	wermgr.exe
1156	wermgr.exe
1156	wermgr.exe
1156	wermgr.exe
1156	wermgr.exe
1156	wermgr.exe
1156	wermgr.exe
1156	wermgr.exe
1156	wermgr.exe
1156	wermgr.exe
1156	wermgr.exe
1156	wermgr.exe
1156	wermgr.exe
1156	wermgr.exe
1156	wermgr.exe
1156	wermgr.exe
1156	wermgr.exe
1156	wermgr.exe
1156	wermgr.exe
1156	wermgr.exe
1156	wermgr.exe
1156	wermgr.exe
1156	wermgr.exe
1156	wermgr.exe
1156	wermgr.exe
1156	wermgr.exe
1156	wermgr.exe
1156	wermgr.exe
1156	wermgr.exe
1156	wermgr.exe
1156	wermgr.exe
1156	wermgr.exe
1156	wermgr.exe
1156	wermgr.exe
1156	wermgr.exe
1156	wermgr.exe
1156	wermgr.exe
1156	wermgr.exe
1156	wermgr.exe
1156	wermgr.exe
1156	wermgr.exe
1156	wermgr.exe
1156	wermgr.exe
1156	wermgr.exe
1156	wermgr.exe
1156	wermgr.exe
1156	wermgr.exe

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

rundll32.exe

pid process

828 rundll32.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 1716 wrote to memory of 828	1716	rundll32.exe	rundll32.exe
PID 1716 wrote to memory of 828	1716	rundll32.exe	rundll32.exe
PID 1716 wrote to memory of 828	1716	rundll32.exe	rundll32.exe
PID 1716 wrote to memory of 828	1716	rundll32.exe	rundll32.exe
PID 1716 wrote to memory of 828	1716	rundll32.exe	rundll32.exe
PID 1716 wrote to memory of 828	1716	rundll32.exe	rundll32.exe
PID 1716 wrote to memory of 828	1716	rundll32.exe	rundll32.exe
PID 828 wrote to memory of 1340	828	rundll32.exe	wermgr.exe
PID 828 wrote to memory of 1340	828	rundll32.exe	wermgr.exe
PID 828 wrote to memory of 1340	828	rundll32.exe	wermgr.exe
PID 828 wrote to memory of 1340	828	rundll32.exe	wermgr.exe
PID 828 wrote to memory of 1156	828	rundll32.exe	wermgr.exe
PID 828 wrote to memory of 1156	828	rundll32.exe	wermgr.exe
PID 828 wrote to memory of 1156	828	rundll32.exe	wermgr.exe
PID 828 wrote to memory of 1156	828	rundll32.exe	wermgr.exe
PID 828 wrote to memory of 1156	828	rundll32.exe	wermgr.exe
PID 828 wrote to memory of 1156	828	rundll32.exe	wermgr.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\01.gif.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1716

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\01.gif.dll,#1
2⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:828

C:\Windows\SysWOW64\wermgr.exe
C:\Windows\SysWOW64\wermgr.exe
3⤵
PID:1340

C:\Windows\SysWOW64\wermgr.exe
C:\Windows\SysWOW64\wermgr.exe
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:1156

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\6E6CD3C4.dll
Filesize
268KB

MD5
53bb811ed12d2c867b354390fabf9612

SHA1
81b29c540c0e2a09385cf7e821639ff64fbffd91

SHA256
a972b482b09e50875c5cdc2cfd6c9b2fa96c9dbf9d23894d0b3061c97145b133

SHA512
5f7b584b9b42b0dc6ebbd3571cac1bc07c16301a994c9891201007c7b8698ef4604b2cc1f7e9a2edb016e50d415a6a9ca390a0df89bab01c889c7d382d2e8d24

Download Submit
\Users\Admin\AppData\Local\Temp\D5C894C0.dll
Filesize
268KB

MD5
53bb811ed12d2c867b354390fabf9612

SHA1
81b29c540c0e2a09385cf7e821639ff64fbffd91

SHA256
a972b482b09e50875c5cdc2cfd6c9b2fa96c9dbf9d23894d0b3061c97145b133

SHA512
5f7b584b9b42b0dc6ebbd3571cac1bc07c16301a994c9891201007c7b8698ef4604b2cc1f7e9a2edb016e50d415a6a9ca390a0df89bab01c889c7d382d2e8d24

Download Submit
memory/828-57-0x0000000000A20000-0x0000000000A5A000-memory.dmp

Filesize
232KB

Download
memory/828-54-0x0000000000000000-mapping.dmp

Download
memory/828-58-0x0000000000A20000-0x0000000000A5A000-memory.dmp

Filesize
232KB

Download
memory/828-59-0x0000000000A20000-0x0000000000A5A000-memory.dmp

Filesize
232KB

Download
memory/828-60-0x0000000000A20000-0x0000000000A5A000-memory.dmp

Filesize
232KB

Download
memory/828-61-0x0000000000920000-0x000000000096E000-memory.dmp

Filesize
312KB

Download
memory/828-62-0x0000000000A20000-0x0000000000A5A000-memory.dmp

Filesize
232KB

Download
memory/828-56-0x00000000007E0000-0x00000000008E6000-memory.dmp

Filesize
1.0MB

Download
memory/828-55-0x00000000753F1000-0x00000000753F3000-memory.dmp

Filesize
8KB

Download
memory/828-67-0x0000000000A20000-0x0000000000A5A000-memory.dmp

Filesize
232KB

Download
memory/1156-65-0x0000000000000000-mapping.dmp

Download
memory/1156-68-0x0000000000080000-0x00000000000BA000-memory.dmp

Filesize
232KB

Download
memory/1156-69-0x0000000000080000-0x00000000000BA000-memory.dmp

Filesize
232KB

Download

Analysis

Sharing