qakbot | 26a5c35034800e786a979358b4cd86cc15ddef9abdf711fd2d3cd38ba59ee4c2

Analysis

max time kernel
149s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
03-02-2023 08:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1.png.dll
Size

464KB
MD5

4a1fbd71010494ad1cb579cd6c395c80
SHA1

fd97b9875641a5eb8b95b716fb17d1d36ff81afd
SHA256

26a5c35034800e786a979358b4cd86cc15ddef9abdf711fd2d3cd38ba59ee4c2
SHA512

0de3b1d693ccc0053ddeb2dc15bb5f0f3bcea47ee3168f8e37202b52bbee482ba1385827954200e814f9c418d4c946dd2b5262ca9984a45075410fbce2bcb79d
SSDEEP

6144:C3P9EKUug7ptz0KE05TG2mLsh0H7wiWsxhQsjdDKlos8Wno8Kdygm/K+VybKK:iEKU/I8kLFUi/sRJKYK+4bKK

Score

10^/10

qakbot bb12 1675352134 banker stealer trojan

Malware Config

Extracted

Family

qakbot

Version

404.432

Botnet

BB12

Campaign

1675352134

213.67.255.57:2222

86.96.72.139:2222

119.82.122.226:443

86.96.34.182:2222

12.172.173.82:50001

107.146.12.26:2222

97.116.78.96:443

47.61.70.188:2078

197.148.17.17:2078

82.127.204.82:2222

82.121.195.187:2222

73.155.10.79:443

91.231.173.199:995

86.196.12.21:2222

90.78.51.182:2222

90.165.109.4:2222

202.186.177.88:443

92.27.86.48:2222

88.171.156.150:50000

78.130.215.67:443

Attributes

salt
SoNuce]ugdiB3c[doMuce2s81*uXmcvP

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot

Loads dropped DLL 2 IoCs

pid	Process
1996	rundll32.exe
1996	rundll32.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1996	rundll32.exe
1996	rundll32.exe
3832	wermgr.exe
3832	wermgr.exe
3832	wermgr.exe
3832	wermgr.exe
3832	wermgr.exe
3832	wermgr.exe
3832	wermgr.exe
3832	wermgr.exe
3832	wermgr.exe
3832	wermgr.exe
3832	wermgr.exe
3832	wermgr.exe
3832	wermgr.exe
3832	wermgr.exe
3832	wermgr.exe
3832	wermgr.exe
3832	wermgr.exe
3832	wermgr.exe
3832	wermgr.exe
3832	wermgr.exe
3832	wermgr.exe
3832	wermgr.exe
3832	wermgr.exe
3832	wermgr.exe
3832	wermgr.exe
3832	wermgr.exe
3832	wermgr.exe
3832	wermgr.exe
3832	wermgr.exe
3832	wermgr.exe
3832	wermgr.exe
3832	wermgr.exe
3832	wermgr.exe
3832	wermgr.exe
3832	wermgr.exe
3832	wermgr.exe
3832	wermgr.exe
3832	wermgr.exe
3832	wermgr.exe
3832	wermgr.exe
3832	wermgr.exe
3832	wermgr.exe
3832	wermgr.exe
3832	wermgr.exe
3832	wermgr.exe
3832	wermgr.exe
3832	wermgr.exe
3832	wermgr.exe
3832	wermgr.exe
3832	wermgr.exe
3832	wermgr.exe
3832	wermgr.exe
3832	wermgr.exe
3832	wermgr.exe
3832	wermgr.exe
3832	wermgr.exe
3832	wermgr.exe
3832	wermgr.exe
3832	wermgr.exe
3832	wermgr.exe
3832	wermgr.exe
3832	wermgr.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
1996	rundll32.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2412 wrote to memory of 1996	2412	rundll32.exe	79
PID 2412 wrote to memory of 1996	2412	rundll32.exe	79
PID 2412 wrote to memory of 1996	2412	rundll32.exe	79
PID 1996 wrote to memory of 4332	1996	rundll32.exe	80
PID 1996 wrote to memory of 4332	1996	rundll32.exe	80
PID 1996 wrote to memory of 4332	1996	rundll32.exe	80
PID 1996 wrote to memory of 3832	1996	rundll32.exe	81
PID 1996 wrote to memory of 3832	1996	rundll32.exe	81
PID 1996 wrote to memory of 3832	1996	rundll32.exe	81
PID 1996 wrote to memory of 3832	1996	rundll32.exe	81
PID 1996 wrote to memory of 3832	1996	rundll32.exe	81

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\1.png.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2412
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\1.png.dll,#1
  2⤵
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:1996
- - C:\Windows\SysWOW64\wermgr.exe
    C:\Windows\SysWOW64\wermgr.exe
    3⤵
    PID:4332
- - C:\Windows\SysWOW64\wermgr.exe
    C:\Windows\SysWOW64\wermgr.exe
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3832

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5E194ECA.dll

Filesize
2.1MB

MD5
f530495445432d6ae00f2b0f08f7c804

SHA1
f66f538b95b1a924c8392fbe7743d193d78eb50c

SHA256
5cc51f26704eef3b59e6d33ea690fa5c62237627269493ead5bad6f71d2de07b

SHA512
2b44ed622e63014a0d2d613d8bbc1548dd193460ce7711414dc4eb62a2aef69d57c9821f834555539b6a49f584cb46c5e82a9867ab0a0733d78e4f1d032d6ce8

Download Submit
C:\Users\Admin\AppData\Local\Temp\65CA5682.dll

Filesize
2.1MB

MD5
f530495445432d6ae00f2b0f08f7c804

SHA1
f66f538b95b1a924c8392fbe7743d193d78eb50c

SHA256
5cc51f26704eef3b59e6d33ea690fa5c62237627269493ead5bad6f71d2de07b

SHA512
2b44ed622e63014a0d2d613d8bbc1548dd193460ce7711414dc4eb62a2aef69d57c9821f834555539b6a49f584cb46c5e82a9867ab0a0733d78e4f1d032d6ce8

Download Submit
memory/1996-132-0x0000000000000000-mapping.dmp

Download
memory/1996-133-0x0000000002E50000-0x0000000002EB9000-memory.dmp

Filesize
420KB

Download
memory/1996-134-0x0000000002F10000-0x0000000002F33000-memory.dmp

Filesize
140KB

Download
memory/1996-138-0x0000000002F10000-0x0000000002F33000-memory.dmp

Filesize
140KB

Download
memory/3832-137-0x0000000000000000-mapping.dmp

Download
memory/3832-139-0x00000000010D0000-0x00000000010F3000-memory.dmp

Filesize
140KB

Download
memory/3832-140-0x00000000010D0000-0x00000000010F3000-memory.dmp

Filesize
140KB

Download