qakbot | 203b160ee2cd30fa77cbe788ca38dacae21f8982a869e9b8f3e687f62f37f0f6

Resubmissions

16/02/2023, 08:46

230216-kpe47age21 10

Analysis

max time kernel
149s
max time network
45s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
16/02/2023, 08:46

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

aCl4V.dll
Size

582KB
MD5

fa8b96610ecc539feb879fa9a1754167
SHA1

6921caf3fc7e8b3d116b79fdd5003ba5900ad293
SHA256

203b160ee2cd30fa77cbe788ca38dacae21f8982a869e9b8f3e687f62f37f0f6
SHA512

3356d3149d85cfc22438702a17227e7bc583707f070051643dd6c6cd12129cb1eebbdb97e0705d2c0c431621e3238aac14d6b85aff7530593385f482922ca0c5
SSDEEP

12288:GZa7ZPnVubJS4NjeWC58ryBeLnr2zlTzZ:Ke5VuY1H8rGbTV

Score

10^/10

qakbot tzr06 1676466541 banker stealer trojan

Malware Config

Extracted

Family

qakbot

Version

404.510

Botnet

tzr06

Campaign

1676466541

82.127.204.82:2222

183.87.163.165:443

50.68.204.71:443

162.248.14.107:443

75.98.154.19:443

86.130.9.232:2222

108.2.111.66:995

85.241.180.94:443

109.150.179.236:2222

73.29.92.128:443

190.206.75.58:2222

12.172.173.82:50001

35.143.97.145:995

174.104.184.149:443

12.172.173.82:995

76.170.252.153:995

73.161.176.218:443

65.190.242.244:443

87.202.101.164:50000

76.64.202.44:2222

Attributes

salt
SoNuce]ugdiB3c[doMuce2s81*uXmcvP

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2044	2028	WerFault.exe	30

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1976	rundll32.exe
1720	msra.exe
1720	msra.exe
1720	msra.exe
1720	msra.exe
1720	msra.exe
1720	msra.exe
1720	msra.exe
1720	msra.exe
1720	msra.exe
1720	msra.exe
1720	msra.exe
1720	msra.exe
1720	msra.exe
1720	msra.exe
1720	msra.exe
1720	msra.exe
1720	msra.exe
1720	msra.exe
1720	msra.exe
1720	msra.exe
1720	msra.exe
1720	msra.exe
1720	msra.exe
1720	msra.exe
1720	msra.exe
1720	msra.exe
1720	msra.exe
1720	msra.exe
1720	msra.exe
1720	msra.exe
1720	msra.exe
1720	msra.exe
1720	msra.exe
1720	msra.exe
1720	msra.exe
1720	msra.exe
1720	msra.exe
1720	msra.exe
1720	msra.exe
1720	msra.exe
1720	msra.exe
1720	msra.exe
1720	msra.exe
1720	msra.exe
1720	msra.exe
1720	msra.exe
1720	msra.exe
1720	msra.exe
1720	msra.exe
1720	msra.exe
1720	msra.exe
1720	msra.exe
1720	msra.exe
1720	msra.exe
1720	msra.exe
1720	msra.exe
1720	msra.exe
1720	msra.exe
1720	msra.exe
1720	msra.exe
1720	msra.exe
1720	msra.exe
1720	msra.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
1976	rundll32.exe
1976	rundll32.exe

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 1792 wrote to memory of 1976	1792	rundll32.exe	28
PID 1792 wrote to memory of 1976	1792	rundll32.exe	28
PID 1792 wrote to memory of 1976	1792	rundll32.exe	28
PID 1792 wrote to memory of 1976	1792	rundll32.exe	28
PID 1792 wrote to memory of 1976	1792	rundll32.exe	28
PID 1792 wrote to memory of 1976	1792	rundll32.exe	28
PID 1792 wrote to memory of 1976	1792	rundll32.exe	28
PID 1976 wrote to memory of 1748	1976	rundll32.exe	29
PID 1976 wrote to memory of 1748	1976	rundll32.exe	29
PID 1976 wrote to memory of 1748	1976	rundll32.exe	29
PID 1976 wrote to memory of 1748	1976	rundll32.exe	29
PID 1976 wrote to memory of 2028	1976	rundll32.exe	30
PID 1976 wrote to memory of 2028	1976	rundll32.exe	30
PID 1976 wrote to memory of 2028	1976	rundll32.exe	30
PID 1976 wrote to memory of 2028	1976	rundll32.exe	30
PID 1976 wrote to memory of 2028	1976	rundll32.exe	30
PID 1976 wrote to memory of 2028	1976	rundll32.exe	30
PID 2028 wrote to memory of 2044	2028	wermgr.exe	31
PID 2028 wrote to memory of 2044	2028	wermgr.exe	31
PID 2028 wrote to memory of 2044	2028	wermgr.exe	31
PID 2028 wrote to memory of 2044	2028	wermgr.exe	31
PID 1976 wrote to memory of 1720	1976	rundll32.exe	32
PID 1976 wrote to memory of 1720	1976	rundll32.exe	32
PID 1976 wrote to memory of 1720	1976	rundll32.exe	32
PID 1976 wrote to memory of 1720	1976	rundll32.exe	32
PID 1976 wrote to memory of 1720	1976	rundll32.exe	32
PID 1976 wrote to memory of 1720	1976	rundll32.exe	32

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\aCl4V.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1792
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\aCl4V.dll,#1
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:1976
- - C:\Windows\SysWOW64\wermgr.exe
    C:\Windows\SysWOW64\wermgr.exe
    3⤵
    PID:1748
- - C:\Windows\SysWOW64\wermgr.exe
    C:\Windows\SysWOW64\wermgr.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2028
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2028 -s 156
      4⤵
      Program crash
      PID:2044
- - C:\Windows\SysWOW64\msra.exe
    C:\Windows\SysWOW64\msra.exe
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1720

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1720-69-0x00000000000D0000-0x00000000000F3000-memory.dmp

Filesize
140KB

Download
memory/1720-68-0x00000000000D0000-0x00000000000F3000-memory.dmp

Filesize
140KB

Download
memory/1976-60-0x00000000002C0000-0x00000000002E4000-memory.dmp

Filesize
144KB

Download
memory/1976-59-0x0000000001D30000-0x0000000001D53000-memory.dmp

Filesize
140KB

Download
memory/1976-58-0x0000000001D30000-0x0000000001D53000-memory.dmp

Filesize
140KB

Download
memory/1976-61-0x0000000001D30000-0x0000000001D53000-memory.dmp

Filesize
140KB

Download
memory/1976-57-0x0000000001D30000-0x0000000001D53000-memory.dmp

Filesize
140KB

Download
memory/1976-67-0x0000000001D30000-0x0000000001D53000-memory.dmp

Filesize
140KB

Download
memory/1976-56-0x0000000000710000-0x00000000007A4000-memory.dmp

Filesize
592KB

Download
memory/1976-55-0x0000000076321000-0x0000000076323000-memory.dmp

Filesize
8KB

Download