qakbot | 0044d0aaf66f8d9906c67f67299477cac6f1bce839ac13e1821d076f19386c9b

Analysis

max time kernel
60s
max time network
57s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
16-02-2023 21:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

test/RunDLL-1.bat
Size

86B
MD5

7494c8340529f58d89ab1c4a6eb86e39
SHA1

1dd9fee6644ed163999ccd20f750d84d08aa360f
SHA256

587c6243af6bfb7a06ec5503fbe2cc6eb36cf3f31a80fe1df501294293f17e7a
SHA512

afc46cdb9a2c83083e12c924f998fcc77bbb053bcb629e4eaf7ea185950005bcf3e4f2a9ee45d1adb2c1ef0236c8427f8a9f64f926309d12d4dcd30af2790d7c

Score

10^/10

qakbot azd 1676370608 banker stealer trojan

Malware Config

Extracted

Family

qakbot

Version

404.506

Botnet

azd

Campaign

1676370608

85.59.61.52:2222

216.228.41.244:2222

174.58.146.57:443

103.42.86.110:995

147.219.4.194:443

89.32.157.195:995

76.80.180.154:995

79.67.165.149:995

71.31.101.183:443

198.2.51.242:993

88.111.182.118:2222

72.203.216.98:2222

72.80.7.6:995

12.172.173.82:32101

50.68.204.71:995

209.142.97.83:995

82.121.195.187:2222

81.229.117.95:2222

171.96.205.252:443

37.14.229.220:2222

Attributes

salt
SoNuce]ugdiB3c[doMuce2s81*uXmcvP

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2412 1580 WerFault.exe wermgr.exe

pid	pid_target	process	target process
2412	1580	WerFault.exe	wermgr.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exemsra.exe

pid	process
4932	rundll32.exe
4932	rundll32.exe
176	msra.exe
176	msra.exe
176	msra.exe
176	msra.exe
176	msra.exe
176	msra.exe
176	msra.exe
176	msra.exe
176	msra.exe
176	msra.exe
176	msra.exe
176	msra.exe
176	msra.exe
176	msra.exe
176	msra.exe
176	msra.exe
176	msra.exe
176	msra.exe
176	msra.exe
176	msra.exe
176	msra.exe
176	msra.exe
176	msra.exe
176	msra.exe
176	msra.exe
176	msra.exe
176	msra.exe
176	msra.exe
176	msra.exe
176	msra.exe
176	msra.exe
176	msra.exe
176	msra.exe
176	msra.exe
176	msra.exe
176	msra.exe
176	msra.exe
176	msra.exe
176	msra.exe
176	msra.exe
176	msra.exe
176	msra.exe
176	msra.exe
176	msra.exe
176	msra.exe
176	msra.exe
176	msra.exe
176	msra.exe
176	msra.exe
176	msra.exe
176	msra.exe
176	msra.exe
176	msra.exe
176	msra.exe
176	msra.exe
176	msra.exe
176	msra.exe
176	msra.exe
176	msra.exe
176	msra.exe
176	msra.exe
176	msra.exe

Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

rundll32.exe

pid process

4932 rundll32.exe
4932 rundll32.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

cmd.exerundll32.exerundll32.exe

description	pid	process	target process
PID 4872 wrote to memory of 4844	4872	cmd.exe	rundll32.exe
PID 4872 wrote to memory of 4844	4872	cmd.exe	rundll32.exe
PID 4844 wrote to memory of 4932	4844	rundll32.exe	rundll32.exe
PID 4844 wrote to memory of 4932	4844	rundll32.exe	rundll32.exe
PID 4844 wrote to memory of 4932	4844	rundll32.exe	rundll32.exe
PID 4932 wrote to memory of 1472	4932	rundll32.exe	wermgr.exe
PID 4932 wrote to memory of 1472	4932	rundll32.exe	wermgr.exe
PID 4932 wrote to memory of 1472	4932	rundll32.exe	wermgr.exe
PID 4932 wrote to memory of 1580	4932	rundll32.exe	wermgr.exe
PID 4932 wrote to memory of 1580	4932	rundll32.exe	wermgr.exe
PID 4932 wrote to memory of 1580	4932	rundll32.exe	wermgr.exe
PID 4932 wrote to memory of 1580	4932	rundll32.exe	wermgr.exe
PID 4932 wrote to memory of 1580	4932	rundll32.exe	wermgr.exe
PID 4932 wrote to memory of 176	4932	rundll32.exe	msra.exe
PID 4932 wrote to memory of 176	4932	rundll32.exe	msra.exe
PID 4932 wrote to memory of 176	4932	rundll32.exe	msra.exe
PID 4932 wrote to memory of 176	4932	rundll32.exe	msra.exe
PID 4932 wrote to memory of 176	4932	rundll32.exe	msra.exe

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test\RunDLL-1.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:4872

C:\Windows\system32\rundll32.exe
rundll32.exe e93e14b1a7419bdc3158b88c4a91363891c2419f3581ba7f888e22ad6725b5c7.dll,Wind
2⤵
- Suspicious use of WriteProcessMemory
PID:4844

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe e93e14b1a7419bdc3158b88c4a91363891c2419f3581ba7f888e22ad6725b5c7.dll,Wind
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4932

C:\Windows\SysWOW64\wermgr.exe
C:\Windows\SysWOW64\wermgr.exe
4⤵
PID:1472

C:\Windows\SysWOW64\wermgr.exe
C:\Windows\SysWOW64\wermgr.exe
4⤵
PID:1580

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1580 -s 352
5⤵
- Program crash
PID:2412

C:\Windows\SysWOW64\msra.exe
C:\Windows\SysWOW64\msra.exe
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:176

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 1580 -ip 1580
1⤵
PID:4600

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/176-141-0x0000000000000000-mapping.dmp

Download
memory/176-142-0x00000000003B0000-0x00000000003D3000-memory.dmp

Filesize
140KB

Download
memory/176-143-0x00000000003B0000-0x00000000003D3000-memory.dmp

Filesize
140KB

Download
memory/1580-140-0x0000000000000000-mapping.dmp

Download
memory/4844-132-0x0000000000000000-mapping.dmp

Download
memory/4932-133-0x0000000000000000-mapping.dmp

Download
memory/4932-134-0x0000000010000000-0x0000000010023000-memory.dmp

Filesize
140KB

Download
memory/4932-139-0x0000000001370000-0x0000000001373000-memory.dmp

Filesize
12KB

Download