qakbot | 26a5c35034800e786a979358b4cd86cc15ddef9abdf711fd2d3cd38ba59ee4c2

General

Target

1.png.dll
Size

464KB
MD5

4a1fbd71010494ad1cb579cd6c395c80
SHA1

fd97b9875641a5eb8b95b716fb17d1d36ff81afd
SHA256

26a5c35034800e786a979358b4cd86cc15ddef9abdf711fd2d3cd38ba59ee4c2
SHA512

0de3b1d693ccc0053ddeb2dc15bb5f0f3bcea47ee3168f8e37202b52bbee482ba1385827954200e814f9c418d4c946dd2b5262ca9984a45075410fbce2bcb79d
SSDEEP

6144:C3P9EKUug7ptz0KE05TG2mLsh0H7wiWsxhQsjdDKlos8Wno8Kdygm/K+VybKK:iEKU/I8kLFUi/sRJKYK+4bKK

Score

10^/10

qakbot bb12 1675352134 banker stealer trojan

Malware Config

Extracted

Family

qakbot

Version

404.432

Botnet

BB12

Campaign

1675352134

C2

213.67.255.57:2222

86.96.72.139:2222

119.82.122.226:443

86.96.34.182:2222

12.172.173.82:50001

107.146.12.26:2222

97.116.78.96:443

47.61.70.188:2078

197.148.17.17:2078

82.127.204.82:2222

82.121.195.187:2222

73.155.10.79:443

91.231.173.199:995

86.196.12.21:2222

90.78.51.182:2222

90.165.109.4:2222

202.186.177.88:443

92.27.86.48:2222

88.171.156.150:50000

78.130.215.67:443

Attributes

salt
SoNuce]ugdiB3c[doMuce2s81*uXmcvP

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot
Loads dropped DLL 2 IoCs

Processes:

rundll32.exe

pid process

1508 rundll32.exe
1508 rundll32.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exewermgr.exe

pid	process
1508	rundll32.exe
1484	wermgr.exe
1484	wermgr.exe
1484	wermgr.exe
1484	wermgr.exe
1484	wermgr.exe
1484	wermgr.exe
1484	wermgr.exe
1484	wermgr.exe
1484	wermgr.exe
1484	wermgr.exe
1484	wermgr.exe
1484	wermgr.exe
1484	wermgr.exe
1484	wermgr.exe
1484	wermgr.exe
1484	wermgr.exe
1484	wermgr.exe
1484	wermgr.exe
1484	wermgr.exe
1484	wermgr.exe
1484	wermgr.exe
1484	wermgr.exe
1484	wermgr.exe
1484	wermgr.exe
1484	wermgr.exe
1484	wermgr.exe
1484	wermgr.exe
1484	wermgr.exe
1484	wermgr.exe
1484	wermgr.exe
1484	wermgr.exe
1484	wermgr.exe
1484	wermgr.exe
1484	wermgr.exe
1484	wermgr.exe
1484	wermgr.exe
1484	wermgr.exe
1484	wermgr.exe
1484	wermgr.exe
1484	wermgr.exe
1484	wermgr.exe
1484	wermgr.exe
1484	wermgr.exe
1484	wermgr.exe
1484	wermgr.exe
1484	wermgr.exe
1484	wermgr.exe
1484	wermgr.exe
1484	wermgr.exe
1484	wermgr.exe
1484	wermgr.exe
1484	wermgr.exe
1484	wermgr.exe
1484	wermgr.exe
1484	wermgr.exe
1484	wermgr.exe
1484	wermgr.exe
1484	wermgr.exe
1484	wermgr.exe
1484	wermgr.exe
1484	wermgr.exe
1484	wermgr.exe
1484	wermgr.exe

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

rundll32.exe

pid process

1508 rundll32.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 1612 wrote to memory of 1508	1612	rundll32.exe	rundll32.exe
PID 1612 wrote to memory of 1508	1612	rundll32.exe	rundll32.exe
PID 1612 wrote to memory of 1508	1612	rundll32.exe	rundll32.exe
PID 1612 wrote to memory of 1508	1612	rundll32.exe	rundll32.exe
PID 1612 wrote to memory of 1508	1612	rundll32.exe	rundll32.exe
PID 1612 wrote to memory of 1508	1612	rundll32.exe	rundll32.exe
PID 1612 wrote to memory of 1508	1612	rundll32.exe	rundll32.exe
PID 1508 wrote to memory of 1316	1508	rundll32.exe	wermgr.exe
PID 1508 wrote to memory of 1316	1508	rundll32.exe	wermgr.exe
PID 1508 wrote to memory of 1316	1508	rundll32.exe	wermgr.exe
PID 1508 wrote to memory of 1316	1508	rundll32.exe	wermgr.exe
PID 1508 wrote to memory of 1484	1508	rundll32.exe	wermgr.exe
PID 1508 wrote to memory of 1484	1508	rundll32.exe	wermgr.exe
PID 1508 wrote to memory of 1484	1508	rundll32.exe	wermgr.exe
PID 1508 wrote to memory of 1484	1508	rundll32.exe	wermgr.exe
PID 1508 wrote to memory of 1484	1508	rundll32.exe	wermgr.exe
PID 1508 wrote to memory of 1484	1508	rundll32.exe	wermgr.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\1.png.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1612

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\1.png.dll,#1
2⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1508

C:\Windows\SysWOW64\wermgr.exe
C:\Windows\SysWOW64\wermgr.exe
3⤵
PID:1316

C:\Windows\SysWOW64\wermgr.exe
C:\Windows\SysWOW64\wermgr.exe
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:1484

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\13395813.dll
Filesize
268KB

MD5
53bb811ed12d2c867b354390fabf9612

SHA1
81b29c540c0e2a09385cf7e821639ff64fbffd91

SHA256
a972b482b09e50875c5cdc2cfd6c9b2fa96c9dbf9d23894d0b3061c97145b133

SHA512
5f7b584b9b42b0dc6ebbd3571cac1bc07c16301a994c9891201007c7b8698ef4604b2cc1f7e9a2edb016e50d415a6a9ca390a0df89bab01c889c7d382d2e8d24

Download Submit
\Users\Admin\AppData\Local\Temp\4A53C66B.dll
Filesize
268KB

MD5
53bb811ed12d2c867b354390fabf9612

SHA1
81b29c540c0e2a09385cf7e821639ff64fbffd91

SHA256
a972b482b09e50875c5cdc2cfd6c9b2fa96c9dbf9d23894d0b3061c97145b133

SHA512
5f7b584b9b42b0dc6ebbd3571cac1bc07c16301a994c9891201007c7b8698ef4604b2cc1f7e9a2edb016e50d415a6a9ca390a0df89bab01c889c7d382d2e8d24

Download Submit
memory/1484-60-0x0000000000000000-mapping.dmp

Download
memory/1484-63-0x0000000000080000-0x00000000000A3000-memory.dmp

Filesize
140KB

Download
memory/1484-64-0x0000000000080000-0x00000000000A3000-memory.dmp

Filesize
140KB

Download
memory/1508-54-0x0000000000000000-mapping.dmp

Download
memory/1508-55-0x0000000075C81000-0x0000000075C83000-memory.dmp

Filesize
8KB

Download
memory/1508-56-0x0000000000790000-0x00000000007F9000-memory.dmp

Filesize
420KB

Download
memory/1508-57-0x00000000006F0000-0x0000000000713000-memory.dmp

Filesize
140KB

Download
memory/1508-62-0x00000000006F0000-0x0000000000713000-memory.dmp

Filesize
140KB

Download

Analysis

Sharing