qakbot | 0044d0aaf66f8d9906c67f67299477cac6f1bce839ac13e1821d076f19386c9b

General

Target

test/RunDLL-1.bat
Size

86B
MD5

7494c8340529f58d89ab1c4a6eb86e39
SHA1

1dd9fee6644ed163999ccd20f750d84d08aa360f
SHA256

587c6243af6bfb7a06ec5503fbe2cc6eb36cf3f31a80fe1df501294293f17e7a
SHA512

afc46cdb9a2c83083e12c924f998fcc77bbb053bcb629e4eaf7ea185950005bcf3e4f2a9ee45d1adb2c1ef0236c8427f8a9f64f926309d12d4dcd30af2790d7c

Score

10^/10

qakbot azd 1676370608 banker stealer trojan

Malware Config

Extracted

Family

qakbot

Version

404.506

Botnet

azd

Campaign

1676370608

C2

85.59.61.52:2222

216.228.41.244:2222

174.58.146.57:443

103.42.86.110:995

147.219.4.194:443

89.32.157.195:995

76.80.180.154:995

79.67.165.149:995

71.31.101.183:443

198.2.51.242:993

88.111.182.118:2222

72.203.216.98:2222

72.80.7.6:995

12.172.173.82:32101

50.68.204.71:995

209.142.97.83:995

82.121.195.187:2222

81.229.117.95:2222

171.96.205.252:443

37.14.229.220:2222

Attributes

salt
SoNuce]ugdiB3c[doMuce2s81*uXmcvP

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2040 1048 WerFault.exe wermgr.exe

pid	pid_target	process	target process
2040	1048	WerFault.exe	wermgr.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

Processes:

rundll32.exemsra.exe

pid	process
980	rundll32.exe
880	msra.exe
880	msra.exe
880	msra.exe
880	msra.exe
880	msra.exe
880	msra.exe
880	msra.exe
880	msra.exe
880	msra.exe
880	msra.exe
880	msra.exe
880	msra.exe

Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

rundll32.exe

pid process

980 rundll32.exe
980 rundll32.exe

Suspicious use of WriteProcessMemory 30 IoCs

Processes:

cmd.exerundll32.exerundll32.exewermgr.exe

description	pid	process	target process
PID 1664 wrote to memory of 1712	1664	cmd.exe	rundll32.exe
PID 1664 wrote to memory of 1712	1664	cmd.exe	rundll32.exe
PID 1664 wrote to memory of 1712	1664	cmd.exe	rundll32.exe
PID 1712 wrote to memory of 980	1712	rundll32.exe	rundll32.exe
PID 1712 wrote to memory of 980	1712	rundll32.exe	rundll32.exe
PID 1712 wrote to memory of 980	1712	rundll32.exe	rundll32.exe
PID 1712 wrote to memory of 980	1712	rundll32.exe	rundll32.exe
PID 1712 wrote to memory of 980	1712	rundll32.exe	rundll32.exe
PID 1712 wrote to memory of 980	1712	rundll32.exe	rundll32.exe
PID 1712 wrote to memory of 980	1712	rundll32.exe	rundll32.exe
PID 980 wrote to memory of 2044	980	rundll32.exe	wermgr.exe
PID 980 wrote to memory of 2044	980	rundll32.exe	wermgr.exe
PID 980 wrote to memory of 2044	980	rundll32.exe	wermgr.exe
PID 980 wrote to memory of 2044	980	rundll32.exe	wermgr.exe
PID 980 wrote to memory of 1048	980	rundll32.exe	wermgr.exe
PID 980 wrote to memory of 1048	980	rundll32.exe	wermgr.exe
PID 980 wrote to memory of 1048	980	rundll32.exe	wermgr.exe
PID 980 wrote to memory of 1048	980	rundll32.exe	wermgr.exe
PID 980 wrote to memory of 1048	980	rundll32.exe	wermgr.exe
PID 980 wrote to memory of 1048	980	rundll32.exe	wermgr.exe
PID 1048 wrote to memory of 2040	1048	wermgr.exe	WerFault.exe
PID 1048 wrote to memory of 2040	1048	wermgr.exe	WerFault.exe
PID 1048 wrote to memory of 2040	1048	wermgr.exe	WerFault.exe
PID 1048 wrote to memory of 2040	1048	wermgr.exe	WerFault.exe
PID 980 wrote to memory of 880	980	rundll32.exe	msra.exe
PID 980 wrote to memory of 880	980	rundll32.exe	msra.exe
PID 980 wrote to memory of 880	980	rundll32.exe	msra.exe
PID 980 wrote to memory of 880	980	rundll32.exe	msra.exe
PID 980 wrote to memory of 880	980	rundll32.exe	msra.exe
PID 980 wrote to memory of 880	980	rundll32.exe	msra.exe

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\test\RunDLL-1.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:1664

C:\Windows\system32\rundll32.exe
rundll32.exe e93e14b1a7419bdc3158b88c4a91363891c2419f3581ba7f888e22ad6725b5c7.dll,Wind
2⤵
- Suspicious use of WriteProcessMemory
PID:1712

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe e93e14b1a7419bdc3158b88c4a91363891c2419f3581ba7f888e22ad6725b5c7.dll,Wind
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:980

C:\Windows\SysWOW64\wermgr.exe
C:\Windows\SysWOW64\wermgr.exe
4⤵
PID:2044

C:\Windows\SysWOW64\wermgr.exe
C:\Windows\SysWOW64\wermgr.exe
4⤵
- Suspicious use of WriteProcessMemory
PID:1048

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1048 -s 156
5⤵
- Program crash
PID:2040

C:\Windows\SysWOW64\msra.exe
C:\Windows\SysWOW64\msra.exe
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:880

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/880-67-0x0000000000000000-mapping.dmp

Download
memory/880-69-0x0000000000080000-0x00000000000A3000-memory.dmp

Filesize
140KB

Download
memory/880-70-0x0000000000080000-0x00000000000A3000-memory.dmp

Filesize
140KB

Download
memory/980-55-0x0000000000000000-mapping.dmp

Download
memory/980-56-0x0000000075981000-0x0000000075983000-memory.dmp

Filesize
8KB

Download
memory/980-57-0x0000000010000000-0x0000000010023000-memory.dmp

Filesize
140KB

Download
memory/980-62-0x00000000000F0000-0x00000000000F3000-memory.dmp

Filesize
12KB

Download
memory/980-63-0x00000000000F0000-0x00000000000F3000-memory.dmp

Filesize
12KB

Download
memory/1048-64-0x0000000000000000-mapping.dmp

Download
memory/1712-54-0x0000000000000000-mapping.dmp

Download
memory/2040-66-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing