qakbot | ee6b3a12f486007ab1771c5a48fbab506538f2a6c16e4b13b8ba2711cdb306c6

Analysis

max time kernel
105s
max time network
128s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
09/03/2023, 20:26 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ee6b3a12f486007ab1771c5a48fbab506538f2a6c16e4b13b8ba2711cdb306c6.dll
Size

357KB
MD5

21bdb6d725536baf5f1b592bcccabc81
SHA1

494fd7409da700b469ad3c9f5259e823a45e9f51
SHA256

ee6b3a12f486007ab1771c5a48fbab506538f2a6c16e4b13b8ba2711cdb306c6
SHA512

70dc54b94fab2cb44a7a0f4aff0922e3fd1a22438587b6d1561bd123a1c47fd974cb673792866ebac5f194c5ac721fdee27c41a63b9cb910dcd019fb87d000a1
SSDEEP

6144:i4XpMMnVH+R25rka7HNpnbkUds8D1GJR8:RXvVHY25RHbks1GJR8

Score

10^/10

qakbot bb18 1678346091 banker stealer trojan

Malware Config

Extracted

Family

qakbot

Version

404.226

Botnet

BB18

Campaign

1678346091

114.143.176.235:443

92.154.17.149:2222

2.14.45.117:2222

84.108.200.161:443

109.11.175.42:2222

88.126.94.4:50000

87.202.101.164:50000

50.68.204.71:995

49.245.82.178:2222

12.172.173.82:32101

190.11.198.76:443

79.67.165.149:995

115.87.227.49:443

84.215.202.22:443

118.250.110.98:995

66.131.25.6:443

80.1.152.201:443

198.2.51.242:993

151.48.158.236:443

50.68.204.71:993

Attributes

salt
SoNuce]ugdiB3c[doMuce2s81*uXmcvP

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1284	1440	WerFault.exe	30

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1440	rundll32.exe
1440	rundll32.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3256 wrote to memory of 1440	3256	rundll32.exe	30
PID 3256 wrote to memory of 1440	3256	rundll32.exe	30
PID 3256 wrote to memory of 1440	3256	rundll32.exe	30

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\ee6b3a12f486007ab1771c5a48fbab506538f2a6c16e4b13b8ba2711cdb306c6.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:3256
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\ee6b3a12f486007ab1771c5a48fbab506538f2a6c16e4b13b8ba2711cdb306c6.dll,#1
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1440
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1440 -s 612
    3⤵
    - Program crash
    PID:1284

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 1440 -ip 1440
1⤵
PID:2500

Network

DNS

103.169.127.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

103.169.127.40.in-addr.arpa

IN PTR

Response
DNS

0.205.248.87.in-addr.arpa

Remote address:

8.8.8.8:53

Request

0.205.248.87.in-addr.arpa

IN PTR

Response

0.205.248.87.in-addr.arpa

IN PTR

https-87-248-205-0lgwllnwnet
DNS

206.23.85.13.in-addr.arpa

Remote address:

8.8.8.8:53

Request

206.23.85.13.in-addr.arpa

IN PTR

Response
DNS

50.4.107.13.in-addr.arpa

Remote address:

8.8.8.8:53

Request

50.4.107.13.in-addr.arpa

IN PTR

Response
DNS

228.249.119.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

228.249.119.40.in-addr.arpa

IN PTR

Response
DNS

97.238.32.23.in-addr.arpa

Remote address:

8.8.8.8:53

Request

97.238.32.23.in-addr.arpa

IN PTR

Response

97.238.32.23.in-addr.arpa

IN PTR

a23-32-238-97deploystaticakamaitechnologiescom
DNS

149.220.183.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

149.220.183.52.in-addr.arpa

IN PTR

Response
DNS

58.104.205.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

58.104.205.20.in-addr.arpa

IN PTR

Response
DNS

63.13.109.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

63.13.109.52.in-addr.arpa

IN PTR

Response

93.184.220.29:80

322 B
7
93.184.220.29:80

322 B
7
209.197.3.8:80

322 B
7
173.223.113.164:443

322 B
7
173.223.113.131:80

322 B
7
131.253.33.203:80

322 B
7

8.8.8.8:53

103.169.127.40.in-addr.arpa

dns

73 B
147 B
1
1

DNS Request

103.169.127.40.in-addr.arpa
8.8.8.8:53

0.205.248.87.in-addr.arpa

dns

71 B
116 B
1
1

DNS Request

0.205.248.87.in-addr.arpa
8.8.8.8:53

206.23.85.13.in-addr.arpa

dns

71 B
145 B
1
1

DNS Request

206.23.85.13.in-addr.arpa
8.8.8.8:53

50.4.107.13.in-addr.arpa

dns

70 B
156 B
1
1

DNS Request

50.4.107.13.in-addr.arpa
8.8.8.8:53

228.249.119.40.in-addr.arpa

dns

73 B
159 B
1
1

DNS Request

228.249.119.40.in-addr.arpa
8.8.8.8:53

97.238.32.23.in-addr.arpa

dns

71 B
135 B
1
1

DNS Request

97.238.32.23.in-addr.arpa
8.8.8.8:53

149.220.183.52.in-addr.arpa

dns

73 B
147 B
1
1

DNS Request

149.220.183.52.in-addr.arpa
8.8.8.8:53

58.104.205.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

58.104.205.20.in-addr.arpa
8.8.8.8:53

63.13.109.52.in-addr.arpa

dns

71 B
145 B
1
1

DNS Request

63.13.109.52.in-addr.arpa

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1440-134-0x0000000002430000-0x0000000002453000-memory.dmp

Filesize
140KB

Download
memory/1440-133-0x0000000002430000-0x0000000002453000-memory.dmp

Filesize
140KB

Download
memory/1440-136-0x0000000002430000-0x0000000002453000-memory.dmp

Filesize
140KB

Download
memory/1440-135-0x0000000000B00000-0x0000000000B24000-memory.dmp

Filesize
144KB

Download
memory/1440-138-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.