qakbot | f084d87078a1e4b0ee208539c53e4853a52b5698e98f0578d7c12948e3831a68

Analysis

max time kernel
149s
max time network
142s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
03/02/2023, 20:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

r.dll
Size

1.7MB
MD5

69db4be25c1611c17e00603c6aa2e8bb
SHA1

4044d9b57187ff5179f0d4cc51e849de57c73ded
SHA256

f084d87078a1e4b0ee208539c53e4853a52b5698e98f0578d7c12948e3831a68
SHA512

1fb9df575228442f941f5c568a105f4305f046229b3f076691d87ef7bd7f88d3e0ba2906d67d3dc8a6fa724b7e89186d979381de24dd48752313a1c958280418
SSDEEP

24576:nrj3nPW3ednWPiT8VTBqcATV8KIyydLXGcq8z+0uaEYmgE7v99de7:f3nCeCiT8aHxyM18z+XatEh9de

Score

10^/10

qakbot bb12 1675417198 banker stealer trojan

Malware Config

Extracted

Family

qakbot

Version

404.432

Botnet

BB12

Campaign

1675417198

12.172.173.82:995

12.172.173.82:2087

50.68.204.71:443

84.215.202.22:443

98.175.176.254:995

184.155.91.69:443

50.68.186.195:443

183.87.163.165:443

172.248.42.122:443

93.156.100.20:443

102.156.32.143:443

50.60.157.175:995

75.143.236.149:443

69.133.162.35:443

105.184.159.165:995

130.43.172.217:2222

82.36.36.76:443

73.223.248.31:443

202.142.98.62:443

73.161.176.218:443

Attributes

salt
SoNuce]ugdiB3c[doMuce2s81*uXmcvP

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot

Loads dropped DLL 2 IoCs

pid	Process
3444	rundll32.exe
3444	rundll32.exe

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2476	3940	WerFault.exe	82
3920	5052	WerFault.exe	14

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3444	rundll32.exe
3444	rundll32.exe
1812	wermgr.exe
1812	wermgr.exe
1812	wermgr.exe
1812	wermgr.exe
1812	wermgr.exe
1812	wermgr.exe
1812	wermgr.exe
1812	wermgr.exe
1812	wermgr.exe
1812	wermgr.exe
1812	wermgr.exe
1812	wermgr.exe
1812	wermgr.exe
1812	wermgr.exe
1812	wermgr.exe
1812	wermgr.exe
1812	wermgr.exe
1812	wermgr.exe
1812	wermgr.exe
1812	wermgr.exe
1812	wermgr.exe
1812	wermgr.exe
1812	wermgr.exe
1812	wermgr.exe
1812	wermgr.exe
1812	wermgr.exe
1812	wermgr.exe
1812	wermgr.exe
1812	wermgr.exe
1812	wermgr.exe
1812	wermgr.exe
1812	wermgr.exe
1812	wermgr.exe
1812	wermgr.exe
1812	wermgr.exe
1812	wermgr.exe
1812	wermgr.exe
1812	wermgr.exe
1812	wermgr.exe
1812	wermgr.exe
1812	wermgr.exe
1812	wermgr.exe
1812	wermgr.exe
1812	wermgr.exe
1812	wermgr.exe
1812	wermgr.exe
1812	wermgr.exe
1812	wermgr.exe
1812	wermgr.exe
1812	wermgr.exe
1812	wermgr.exe
1812	wermgr.exe
1812	wermgr.exe
1812	wermgr.exe
1812	wermgr.exe
1812	wermgr.exe
1812	wermgr.exe
1812	wermgr.exe
1812	wermgr.exe
1812	wermgr.exe
1812	wermgr.exe
1812	wermgr.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
3444	rundll32.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1772 wrote to memory of 3940	1772	rundll32.exe	82
PID 1772 wrote to memory of 3940	1772	rundll32.exe	82
PID 1772 wrote to memory of 3940	1772	rundll32.exe	82
PID 2864 wrote to memory of 2248	2864	cmd.exe	103
PID 2864 wrote to memory of 2248	2864	cmd.exe	103
PID 2248 wrote to memory of 3444	2248	rundll32.exe	104
PID 2248 wrote to memory of 3444	2248	rundll32.exe	104
PID 2248 wrote to memory of 3444	2248	rundll32.exe	104
PID 3444 wrote to memory of 4952	3444	rundll32.exe	105
PID 3444 wrote to memory of 4952	3444	rundll32.exe	105
PID 3444 wrote to memory of 4952	3444	rundll32.exe	105
PID 3444 wrote to memory of 1812	3444	rundll32.exe	106
PID 3444 wrote to memory of 1812	3444	rundll32.exe	106
PID 3444 wrote to memory of 1812	3444	rundll32.exe	106
PID 3444 wrote to memory of 1812	3444	rundll32.exe	106
PID 3444 wrote to memory of 1812	3444	rundll32.exe	106

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\r.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1772
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\r.dll,#1
  2⤵
  PID:3940
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3940 -s 600
    3⤵
    - Program crash
    PID:2476

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3940 -ip 3940
1⤵
PID:2280

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2864
- C:\Windows\system32\rundll32.exe
  rundll32.exe r.dll,Wind
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2248
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe r.dll,Wind
    3⤵
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:3444
  - - C:\Windows\SysWOW64\wermgr.exe
      C:\Windows\SysWOW64\wermgr.exe
      4⤵
      PID:4952
  - - C:\Windows\SysWOW64\wermgr.exe
      C:\Windows\SysWOW64\wermgr.exe
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1812

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 540 -p 5052 -ip 5052
1⤵
PID:3760

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 5052 -s 788
1⤵
- Program crash
PID:3920

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5EEBDDAD.dll

Filesize
2.1MB

MD5
f530495445432d6ae00f2b0f08f7c804

SHA1
f66f538b95b1a924c8392fbe7743d193d78eb50c

SHA256
5cc51f26704eef3b59e6d33ea690fa5c62237627269493ead5bad6f71d2de07b

SHA512
2b44ed622e63014a0d2d613d8bbc1548dd193460ce7711414dc4eb62a2aef69d57c9821f834555539b6a49f584cb46c5e82a9867ab0a0733d78e4f1d032d6ce8

Download Submit
C:\Users\Admin\AppData\Local\Temp\9BF2D3E0.dll

Filesize
2.1MB

MD5
f530495445432d6ae00f2b0f08f7c804

SHA1
f66f538b95b1a924c8392fbe7743d193d78eb50c

SHA256
5cc51f26704eef3b59e6d33ea690fa5c62237627269493ead5bad6f71d2de07b

SHA512
2b44ed622e63014a0d2d613d8bbc1548dd193460ce7711414dc4eb62a2aef69d57c9821f834555539b6a49f584cb46c5e82a9867ab0a0733d78e4f1d032d6ce8

Download Submit
memory/1812-143-0x0000000000640000-0x0000000000663000-memory.dmp

Filesize
140KB

Download
memory/1812-144-0x0000000000640000-0x0000000000663000-memory.dmp

Filesize
140KB

Download
memory/3444-135-0x0000000002610000-0x0000000002633000-memory.dmp

Filesize
140KB

Download