qakbot | 442420af4fc55164f5390ec68847bba4ae81d74534727975f47b7dd9d6dbdbe7

Resubmissions

06/03/2023, 21:16

230306-z4zjpsed2v 10

06/03/2023, 21:13

230306-z2z3fseh49 1

06/03/2023, 21:10

230306-zz5vxsec81 1

06/03/2023, 21:09

230306-zzqq1aeh44 1

Analysis

max time kernel
149s
max time network
30s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
06/03/2023, 21:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

another_new_qbot.dll
Size

592KB
MD5

e273bf8c8df8d32d7bca05db9b155803
SHA1

8b612f4f4a49e5cfa2057395fe3a0d0353f55b05
SHA256

442420af4fc55164f5390ec68847bba4ae81d74534727975f47b7dd9d6dbdbe7
SHA512

54dfdd1d5bd73abc897726c1b6bf89a2c7aa02c502564e264e57baea792235bd3757192bb1eddd848d43d0f49d9ecce4dd26cc871a4a20297f5b5857d3587443
SSDEEP

12288:dt1VOakzj7hpQynG+6g1zJACP406bvcgW+oMfu+3:dt/xk37hyyzl1BP4ftoeu+3

Score

10^/10

qakbot bb17 1677490643 banker stealer trojan

Malware Config

Extracted

Family

qakbot

Version

404.66

Botnet

BB17

Campaign

1677490643

12.172.173.82:20

66.191.69.18:995

186.64.87.213:443

108.190.203.42:995

50.68.204.71:443

136.232.184.134:995

103.42.86.110:995

174.118.36.28:443

75.143.236.149:443

72.203.216.98:2222

85.241.180.94:443

197.92.136.122:443

72.200.109.104:443

85.152.152.46:443

102.156.252.46:443

12.172.173.82:995

2.99.47.198:2222

172.248.42.122:443

70.77.116.233:443

162.248.14.107:443

Attributes

salt
SoNuce]ugdiB3c[doMuce2s81*uXmcvP

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot

Suspicious behavior: EnumeratesProcesses 49 IoCs

pid	Process
596	rundll32.exe
428	wermgr.exe
428	wermgr.exe
428	wermgr.exe
428	wermgr.exe
428	wermgr.exe
428	wermgr.exe
428	wermgr.exe
428	wermgr.exe
428	wermgr.exe
428	wermgr.exe
428	wermgr.exe
428	wermgr.exe
428	wermgr.exe
428	wermgr.exe
428	wermgr.exe
428	wermgr.exe
428	wermgr.exe
428	wermgr.exe
428	wermgr.exe
428	wermgr.exe
428	wermgr.exe
428	wermgr.exe
428	wermgr.exe
428	wermgr.exe
428	wermgr.exe
428	wermgr.exe
428	wermgr.exe
428	wermgr.exe
428	wermgr.exe
428	wermgr.exe
428	wermgr.exe
428	wermgr.exe
428	wermgr.exe
428	wermgr.exe
428	wermgr.exe
428	wermgr.exe
428	wermgr.exe
428	wermgr.exe
428	wermgr.exe
428	wermgr.exe
428	wermgr.exe
428	wermgr.exe
428	wermgr.exe
428	wermgr.exe
428	wermgr.exe
428	wermgr.exe
428	wermgr.exe
428	wermgr.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
596	rundll32.exe

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 1760 wrote to memory of 1204	1760	rundll32.exe	28
PID 1760 wrote to memory of 1204	1760	rundll32.exe	28
PID 1760 wrote to memory of 1204	1760	rundll32.exe	28
PID 1760 wrote to memory of 1204	1760	rundll32.exe	28
PID 1760 wrote to memory of 1204	1760	rundll32.exe	28
PID 1760 wrote to memory of 1204	1760	rundll32.exe	28
PID 1760 wrote to memory of 1204	1760	rundll32.exe	28
PID 1652 wrote to memory of 776	1652	cmd.exe	31
PID 1652 wrote to memory of 776	1652	cmd.exe	31
PID 1652 wrote to memory of 776	1652	cmd.exe	31
PID 776 wrote to memory of 596	776	rundll32.exe	32
PID 776 wrote to memory of 596	776	rundll32.exe	32
PID 776 wrote to memory of 596	776	rundll32.exe	32
PID 776 wrote to memory of 596	776	rundll32.exe	32
PID 776 wrote to memory of 596	776	rundll32.exe	32
PID 776 wrote to memory of 596	776	rundll32.exe	32
PID 776 wrote to memory of 596	776	rundll32.exe	32
PID 596 wrote to memory of 428	596	rundll32.exe	33
PID 596 wrote to memory of 428	596	rundll32.exe	33
PID 596 wrote to memory of 428	596	rundll32.exe	33
PID 596 wrote to memory of 428	596	rundll32.exe	33
PID 596 wrote to memory of 428	596	rundll32.exe	33
PID 596 wrote to memory of 428	596	rundll32.exe	33

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\another_new_qbot.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1760
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\another_new_qbot.dll,#1
  2⤵
  PID:1204

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1652
- C:\Windows\System32\rundll32.exe
  C:\Windows\System32\rundll32.exe another_new_qbot.dll,N115
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:776
- - C:\Windows\SysWOW64\rundll32.exe
    C:\Windows\System32\rundll32.exe another_new_qbot.dll,N115
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:596
  - - C:\Windows\SysWOW64\wermgr.exe
      C:\Windows\SysWOW64\wermgr.exe
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:428

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/428-68-0x00000000000C0000-0x00000000000E3000-memory.dmp

Filesize
140KB

Download
memory/428-62-0x00000000000F0000-0x00000000000F2000-memory.dmp

Filesize
8KB

Download
memory/428-65-0x00000000000C0000-0x00000000000E3000-memory.dmp

Filesize
140KB

Download
memory/428-66-0x00000000000C0000-0x00000000000E3000-memory.dmp

Filesize
140KB

Download
memory/428-67-0x00000000000C0000-0x00000000000E3000-memory.dmp

Filesize
140KB

Download
memory/428-69-0x00000000000C0000-0x00000000000E3000-memory.dmp

Filesize
140KB

Download
memory/428-70-0x00000000000C0000-0x00000000000E3000-memory.dmp

Filesize
140KB

Download
memory/428-72-0x00000000000C0000-0x00000000000E3000-memory.dmp

Filesize
140KB

Download
memory/596-59-0x00000000001B0000-0x00000000001D3000-memory.dmp

Filesize
140KB

Download
memory/596-60-0x00000000001A0000-0x00000000001A3000-memory.dmp

Filesize
12KB

Download
memory/596-61-0x00000000001A0000-0x00000000001A3000-memory.dmp

Filesize
12KB

Download
memory/596-63-0x00000000001B0000-0x00000000001D3000-memory.dmp

Filesize
140KB

Download
memory/596-54-0x00000000001B0000-0x00000000001D3000-memory.dmp

Filesize
140KB

Download