qakbot | c6fc61f377b5822bab522852efbb1c440639a26de2943e934a3af8878fb67b8a

Analysis

max time kernel
99s
max time network
31s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
09-02-2023 12:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

publish/eardrum.dll
Size

472KB
MD5

f24a452723c7e5d1f85eab7f5ec7ecd9
SHA1

2596f834041095c888b45e61ca48df3d4ce3a99d
SHA256

1abc2fb23f55378947bf528996b50ffed195a059d5f7b537271792704eb5cd4c
SHA512

a366c9f17df14ac093ea41ec248476a02b70051efacfe4fd654ef5461200bff18dc653d852eb4e2ee8eb722bd3917055bcf85c923dd46e8c262107f71045d56f
SSDEEP

6144:icJ88bsBZpZKeiJb1pPMkKvHrdTcf7CsHW8kYTRapUQsJT8Td++seeAOA0Y:VJDoBZjFibAOTCs28k2gN/rea0Y

Score

10^/10

qakbot bb 1664801691 banker stealer trojan

Malware Config

Extracted

Family

qakbot

Version

403.902

Botnet

Campaign

1664801691

160.179.220.87:995

186.86.212.138:443

180.180.213.94:995

186.125.93.28:443

31.167.72.198:443

78.162.213.155:443

46.10.105.160:443

41.105.54.8:443

41.108.175.56:443

188.156.85.37:443

94.52.127.44:443

79.168.151.143:443

189.79.27.174:995

179.178.249.16:443

23.225.104.250:443

134.35.11.71:443

197.204.126.136:443

197.205.168.243:443

58.186.75.42:443

41.96.18.5:443

Attributes

salt
SoNuce]ugdiB3c[doMuce2s81*uXmcvP

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

regsvr32.exe

pid process

1232 regsvr32.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

regsvr32.exe

pid process

1232 regsvr32.exe

pid	process
1232	regsvr32.exe

pid	process
1232	regsvr32.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

regsvr32.exeregsvr32.exe

description	pid	process	target process
PID 1388 wrote to memory of 1232	1388	regsvr32.exe	regsvr32.exe
PID 1388 wrote to memory of 1232	1388	regsvr32.exe	regsvr32.exe
PID 1388 wrote to memory of 1232	1388	regsvr32.exe	regsvr32.exe
PID 1388 wrote to memory of 1232	1388	regsvr32.exe	regsvr32.exe
PID 1388 wrote to memory of 1232	1388	regsvr32.exe	regsvr32.exe
PID 1388 wrote to memory of 1232	1388	regsvr32.exe	regsvr32.exe
PID 1388 wrote to memory of 1232	1388	regsvr32.exe	regsvr32.exe
PID 1232 wrote to memory of 692	1232	regsvr32.exe	wermgr.exe
PID 1232 wrote to memory of 692	1232	regsvr32.exe	wermgr.exe
PID 1232 wrote to memory of 692	1232	regsvr32.exe	wermgr.exe
PID 1232 wrote to memory of 692	1232	regsvr32.exe	wermgr.exe
PID 1232 wrote to memory of 692	1232	regsvr32.exe	wermgr.exe
PID 1232 wrote to memory of 692	1232	regsvr32.exe	wermgr.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\publish\eardrum.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:1388

C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\publish\eardrum.dll
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1232

C:\Windows\SysWOW64\wermgr.exe
C:\Windows\SysWOW64\wermgr.exe
3⤵
PID:692

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/692-59-0x0000000000000000-mapping.dmp

Download
memory/692-61-0x0000000000080000-0x00000000000A2000-memory.dmp

Filesize
136KB

Download
memory/1232-55-0x0000000000000000-mapping.dmp

Download
memory/1232-56-0x0000000075C31000-0x0000000075C33000-memory.dmp

Filesize
8KB

Download
memory/1232-57-0x00000000004A0000-0x0000000000520000-memory.dmp

Filesize
512KB

Download
memory/1232-58-0x00000000004A0000-0x0000000000520000-memory.dmp

Filesize
512KB

Download
memory/1388-54-0x000007FEFBF91000-0x000007FEFBF93000-memory.dmp

Filesize
8KB

Download