qakbot | 504d1d0d80751825c8a2a2994b0a5a2ae65ae7072838b3ef144e0991c540fe09

Analysis

max time kernel
150s
max time network
149s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
09-02-2023 12:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

publish/eardrum.dll
Size

472KB
MD5

f24a452723c7e5d1f85eab7f5ec7ecd9
SHA1

2596f834041095c888b45e61ca48df3d4ce3a99d
SHA256

1abc2fb23f55378947bf528996b50ffed195a059d5f7b537271792704eb5cd4c
SHA512

a366c9f17df14ac093ea41ec248476a02b70051efacfe4fd654ef5461200bff18dc653d852eb4e2ee8eb722bd3917055bcf85c923dd46e8c262107f71045d56f
SSDEEP

6144:icJ88bsBZpZKeiJb1pPMkKvHrdTcf7CsHW8kYTRapUQsJT8Td++seeAOA0Y:VJDoBZjFibAOTCs28k2gN/rea0Y

Score

10^/10

qakbot bb 1664801691 banker stealer trojan

Malware Config

Extracted

Family

qakbot

Version

403.902

Botnet

Campaign

1664801691

160.179.220.87:995

186.86.212.138:443

180.180.213.94:995

186.125.93.28:443

31.167.72.198:443

78.162.213.155:443

46.10.105.160:443

41.105.54.8:443

41.108.175.56:443

188.156.85.37:443

94.52.127.44:443

79.168.151.143:443

189.79.27.174:995

179.178.249.16:443

23.225.104.250:443

134.35.11.71:443

197.204.126.136:443

197.205.168.243:443

58.186.75.42:443

41.96.18.5:443

Attributes

salt
SoNuce]ugdiB3c[doMuce2s81*uXmcvP

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

regsvr32.exewermgr.exe

pid	process
3156	regsvr32.exe
3156	regsvr32.exe
4100	wermgr.exe
4100	wermgr.exe
4100	wermgr.exe
4100	wermgr.exe
4100	wermgr.exe
4100	wermgr.exe
4100	wermgr.exe
4100	wermgr.exe
4100	wermgr.exe
4100	wermgr.exe
4100	wermgr.exe
4100	wermgr.exe
4100	wermgr.exe
4100	wermgr.exe
4100	wermgr.exe
4100	wermgr.exe
4100	wermgr.exe
4100	wermgr.exe
4100	wermgr.exe
4100	wermgr.exe
4100	wermgr.exe
4100	wermgr.exe
4100	wermgr.exe
4100	wermgr.exe
4100	wermgr.exe
4100	wermgr.exe
4100	wermgr.exe
4100	wermgr.exe
4100	wermgr.exe
4100	wermgr.exe
4100	wermgr.exe
4100	wermgr.exe
4100	wermgr.exe
4100	wermgr.exe
4100	wermgr.exe
4100	wermgr.exe
4100	wermgr.exe
4100	wermgr.exe
4100	wermgr.exe
4100	wermgr.exe
4100	wermgr.exe
4100	wermgr.exe
4100	wermgr.exe
4100	wermgr.exe
4100	wermgr.exe
4100	wermgr.exe
4100	wermgr.exe
4100	wermgr.exe
4100	wermgr.exe
4100	wermgr.exe
4100	wermgr.exe
4100	wermgr.exe
4100	wermgr.exe
4100	wermgr.exe
4100	wermgr.exe
4100	wermgr.exe
4100	wermgr.exe
4100	wermgr.exe
4100	wermgr.exe
4100	wermgr.exe
4100	wermgr.exe
4100	wermgr.exe

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

regsvr32.exe

pid process

3156 regsvr32.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

regsvr32.exeregsvr32.exe

description	pid	process	target process
PID 4956 wrote to memory of 3156	4956	regsvr32.exe	regsvr32.exe
PID 4956 wrote to memory of 3156	4956	regsvr32.exe	regsvr32.exe
PID 4956 wrote to memory of 3156	4956	regsvr32.exe	regsvr32.exe
PID 3156 wrote to memory of 4100	3156	regsvr32.exe	wermgr.exe
PID 3156 wrote to memory of 4100	3156	regsvr32.exe	wermgr.exe
PID 3156 wrote to memory of 4100	3156	regsvr32.exe	wermgr.exe
PID 3156 wrote to memory of 4100	3156	regsvr32.exe	wermgr.exe
PID 3156 wrote to memory of 4100	3156	regsvr32.exe	wermgr.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\publish\eardrum.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:4956

C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\publish\eardrum.dll
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3156

C:\Windows\SysWOW64\wermgr.exe
C:\Windows\SysWOW64\wermgr.exe
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:4100

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3156-116-0x0000000000000000-mapping.dmp

Download
memory/3156-117-0x00000000779D0000-0x0000000077B5E000-memory.dmp

Filesize
1.6MB

Download
memory/3156-118-0x00000000779D0000-0x0000000077B5E000-memory.dmp

Filesize
1.6MB

Download
memory/3156-119-0x00000000779D0000-0x0000000077B5E000-memory.dmp

Filesize
1.6MB

Download
memory/3156-120-0x00000000779D0000-0x0000000077B5E000-memory.dmp

Filesize
1.6MB

Download
memory/3156-121-0x00000000779D0000-0x0000000077B5E000-memory.dmp

Filesize
1.6MB

Download
memory/3156-122-0x00000000779D0000-0x0000000077B5E000-memory.dmp

Filesize
1.6MB

Download
memory/3156-123-0x00000000779D0000-0x0000000077B5E000-memory.dmp

Filesize
1.6MB

Download
memory/3156-124-0x00000000779D0000-0x0000000077B5E000-memory.dmp

Filesize
1.6MB

Download
memory/3156-125-0x00000000779D0000-0x0000000077B5E000-memory.dmp

Filesize
1.6MB

Download
memory/3156-126-0x00000000779D0000-0x0000000077B5E000-memory.dmp

Filesize
1.6MB

Download
memory/3156-127-0x00000000779D0000-0x0000000077B5E000-memory.dmp

Filesize
1.6MB

Download
memory/3156-128-0x00000000779D0000-0x0000000077B5E000-memory.dmp

Filesize
1.6MB

Download
memory/3156-129-0x00000000779D0000-0x0000000077B5E000-memory.dmp

Filesize
1.6MB

Download
memory/3156-130-0x00000000779D0000-0x0000000077B5E000-memory.dmp

Filesize
1.6MB

Download
memory/3156-131-0x00000000779D0000-0x0000000077B5E000-memory.dmp

Filesize
1.6MB

Download
memory/3156-133-0x00000000779D0000-0x0000000077B5E000-memory.dmp

Filesize
1.6MB

Download
memory/3156-132-0x00000000779D0000-0x0000000077B5E000-memory.dmp

Filesize
1.6MB

Download
memory/3156-136-0x00000000779D0000-0x0000000077B5E000-memory.dmp

Filesize
1.6MB

Download
memory/3156-137-0x00000000779D0000-0x0000000077B5E000-memory.dmp

Filesize
1.6MB

Download
memory/3156-138-0x00000000779D0000-0x0000000077B5E000-memory.dmp

Filesize
1.6MB

Download
memory/3156-134-0x00000000779D0000-0x0000000077B5E000-memory.dmp

Filesize
1.6MB

Download
memory/3156-139-0x00000000779D0000-0x0000000077B5E000-memory.dmp

Filesize
1.6MB

Download
memory/3156-141-0x00000000779D0000-0x0000000077B5E000-memory.dmp

Filesize
1.6MB

Download
memory/3156-142-0x00000000779D0000-0x0000000077B5E000-memory.dmp

Filesize
1.6MB

Download
memory/3156-143-0x00000000779D0000-0x0000000077B5E000-memory.dmp

Filesize
1.6MB

Download
memory/3156-144-0x00000000779D0000-0x0000000077B5E000-memory.dmp

Filesize
1.6MB

Download
memory/3156-145-0x00000000779D0000-0x0000000077B5E000-memory.dmp

Filesize
1.6MB

Download
memory/3156-146-0x00000000779D0000-0x0000000077B5E000-memory.dmp

Filesize
1.6MB

Download
memory/3156-147-0x00000000779D0000-0x0000000077B5E000-memory.dmp

Filesize
1.6MB

Download
memory/3156-149-0x00000000779D0000-0x0000000077B5E000-memory.dmp

Filesize
1.6MB

Download
memory/3156-150-0x00000000779D0000-0x0000000077B5E000-memory.dmp

Filesize
1.6MB

Download
memory/3156-151-0x00000000779D0000-0x0000000077B5E000-memory.dmp

Filesize
1.6MB

Download
memory/3156-152-0x00000000779D0000-0x0000000077B5E000-memory.dmp

Filesize
1.6MB

Download
memory/3156-153-0x00000000779D0000-0x0000000077B5E000-memory.dmp

Filesize
1.6MB

Download
memory/3156-154-0x00000000779D0000-0x0000000077B5E000-memory.dmp

Filesize
1.6MB

Download
memory/3156-148-0x00000000779D0000-0x0000000077B5E000-memory.dmp

Filesize
1.6MB

Download
memory/3156-140-0x00000000779D0000-0x0000000077B5E000-memory.dmp

Filesize
1.6MB

Download
memory/3156-135-0x00000000779D0000-0x0000000077B5E000-memory.dmp

Filesize
1.6MB

Download
memory/3156-155-0x00000000779D0000-0x0000000077B5E000-memory.dmp

Filesize
1.6MB

Download
memory/3156-156-0x00000000779D0000-0x0000000077B5E000-memory.dmp

Filesize
1.6MB

Download
memory/3156-158-0x00000000779D0000-0x0000000077B5E000-memory.dmp

Filesize
1.6MB

Download
memory/3156-157-0x00000000779D0000-0x0000000077B5E000-memory.dmp

Filesize
1.6MB

Download
memory/3156-159-0x00000000779D0000-0x0000000077B5E000-memory.dmp

Filesize
1.6MB

Download
memory/3156-160-0x00000000779D0000-0x0000000077B5E000-memory.dmp

Filesize
1.6MB

Download
memory/3156-161-0x00000000779D0000-0x0000000077B5E000-memory.dmp

Filesize
1.6MB

Download
memory/3156-162-0x0000000000D30000-0x0000000000E7A000-memory.dmp

Filesize
1.3MB

Download
memory/3156-163-0x00000000779D0000-0x0000000077B5E000-memory.dmp

Filesize
1.6MB

Download
memory/3156-165-0x00000000779D0000-0x0000000077B5E000-memory.dmp

Filesize
1.6MB

Download
memory/3156-164-0x0000000000D30000-0x0000000000E7A000-memory.dmp

Filesize
1.3MB

Download
memory/3156-166-0x00000000779D0000-0x0000000077B5E000-memory.dmp

Filesize
1.6MB

Download
memory/3156-167-0x00000000779D0000-0x0000000077B5E000-memory.dmp

Filesize
1.6MB

Download
memory/3156-168-0x00000000779D0000-0x0000000077B5E000-memory.dmp

Filesize
1.6MB

Download
memory/3156-169-0x00000000779D0000-0x0000000077B5E000-memory.dmp

Filesize
1.6MB

Download
memory/4100-170-0x0000000000000000-mapping.dmp

Download
memory/4100-171-0x00000000779D0000-0x0000000077B5E000-memory.dmp

Filesize
1.6MB

Download
memory/4100-172-0x00000000779D0000-0x0000000077B5E000-memory.dmp

Filesize
1.6MB

Download
memory/4100-173-0x00000000779D0000-0x0000000077B5E000-memory.dmp

Filesize
1.6MB

Download
memory/4100-174-0x00000000779D0000-0x0000000077B5E000-memory.dmp

Filesize
1.6MB

Download
memory/4100-175-0x00000000779D0000-0x0000000077B5E000-memory.dmp

Filesize
1.6MB

Download
memory/4100-176-0x00000000779D0000-0x0000000077B5E000-memory.dmp

Filesize
1.6MB

Download
memory/4100-177-0x00000000779D0000-0x0000000077B5E000-memory.dmp

Filesize
1.6MB

Download
memory/4100-178-0x00000000779D0000-0x0000000077B5E000-memory.dmp

Filesize
1.6MB

Download
memory/4100-180-0x00000000779D0000-0x0000000077B5E000-memory.dmp

Filesize
1.6MB

Download
memory/4100-181-0x00000000779D0000-0x0000000077B5E000-memory.dmp

Filesize
1.6MB

Download
memory/4100-179-0x00000000779D0000-0x0000000077B5E000-memory.dmp

Filesize
1.6MB

Download
memory/4100-182-0x00000000779D0000-0x0000000077B5E000-memory.dmp

Filesize
1.6MB

Download
memory/4100-183-0x00000000779D0000-0x0000000077B5E000-memory.dmp

Filesize
1.6MB

Download
memory/4100-220-0x0000000002D10000-0x0000000002D32000-memory.dmp

Filesize
136KB

Download
memory/4100-228-0x0000000002D10000-0x0000000002D32000-memory.dmp

Filesize
136KB

Download