qakbot | ce24d9a265549557a9f8080c66de38dec940fb7aef2fc6236c5df1ab19995249

General

Target

RunDLL-1.bat
Size

29B
MD5

9a78cdda7bc823ff0a665e764f87a7a9
SHA1

659e88ee018794d0dfd32becc7adc8a6199f6d9f
SHA256

fd575e009f5b841a6971dbc651da1accd2227f46ffc2c5c41e604aa7e7cdd5d9
SHA512

c39bf673899c03252cda5e5e3eb4a2777ffca9a865123c8408026e32c2f7ca0763aa3cc432778fe2019d65142d17d8f1396eac03c2e03ef1728b3c4ff5d28e98

Score

10^/10

qakbot obama242 1678805546 banker stealer trojan

Malware Config

Extracted

Family

qakbot

Version

404.266

Botnet

obama242

Campaign

1678805546

C2

92.239.81.124:443

176.202.46.81:443

2.49.58.47:2222

86.225.214.138:2222

74.66.134.24:443

213.31.90.183:2222

12.172.173.82:50001

202.187.87.178:995

70.53.96.223:995

92.154.45.81:2222

186.64.67.54:443

81.158.112.20:2222

190.191.35.122:443

68.173.170.110:8443

12.172.173.82:993

98.145.23.67:443

12.172.173.82:22

37.186.55.60:2222

84.216.198.124:6881

73.161.176.218:443

Attributes

salt
SoNuce]ugdiB3c[doMuce2s81*uXmcvP

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exewermgr.exe

pid	process
1176	rundll32.exe
1004	wermgr.exe
1004	wermgr.exe
1004	wermgr.exe
1004	wermgr.exe
1004	wermgr.exe
1004	wermgr.exe
1004	wermgr.exe
1004	wermgr.exe
1004	wermgr.exe
1004	wermgr.exe
1004	wermgr.exe
1004	wermgr.exe
1004	wermgr.exe
1004	wermgr.exe
1004	wermgr.exe
1004	wermgr.exe
1004	wermgr.exe
1004	wermgr.exe
1004	wermgr.exe
1004	wermgr.exe
1004	wermgr.exe
1004	wermgr.exe
1004	wermgr.exe
1004	wermgr.exe
1004	wermgr.exe
1004	wermgr.exe
1004	wermgr.exe
1004	wermgr.exe
1004	wermgr.exe
1004	wermgr.exe
1004	wermgr.exe
1004	wermgr.exe
1004	wermgr.exe
1004	wermgr.exe
1004	wermgr.exe
1004	wermgr.exe
1004	wermgr.exe
1004	wermgr.exe
1004	wermgr.exe
1004	wermgr.exe
1004	wermgr.exe
1004	wermgr.exe
1004	wermgr.exe
1004	wermgr.exe
1004	wermgr.exe
1004	wermgr.exe
1004	wermgr.exe
1004	wermgr.exe
1004	wermgr.exe
1004	wermgr.exe
1004	wermgr.exe
1004	wermgr.exe
1004	wermgr.exe
1004	wermgr.exe
1004	wermgr.exe
1004	wermgr.exe
1004	wermgr.exe
1004	wermgr.exe
1004	wermgr.exe
1004	wermgr.exe
1004	wermgr.exe
1004	wermgr.exe
1004	wermgr.exe

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

rundll32.exe

pid process

1176 rundll32.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

cmd.exerundll32.exerundll32.exe

description	pid	process	target process
PID 1988 wrote to memory of 1936	1988	cmd.exe	rundll32.exe
PID 1988 wrote to memory of 1936	1988	cmd.exe	rundll32.exe
PID 1988 wrote to memory of 1936	1988	cmd.exe	rundll32.exe
PID 1936 wrote to memory of 1176	1936	rundll32.exe	rundll32.exe
PID 1936 wrote to memory of 1176	1936	rundll32.exe	rundll32.exe
PID 1936 wrote to memory of 1176	1936	rundll32.exe	rundll32.exe
PID 1936 wrote to memory of 1176	1936	rundll32.exe	rundll32.exe
PID 1936 wrote to memory of 1176	1936	rundll32.exe	rundll32.exe
PID 1936 wrote to memory of 1176	1936	rundll32.exe	rundll32.exe
PID 1936 wrote to memory of 1176	1936	rundll32.exe	rundll32.exe
PID 1176 wrote to memory of 1004	1176	rundll32.exe	wermgr.exe
PID 1176 wrote to memory of 1004	1176	rundll32.exe	wermgr.exe
PID 1176 wrote to memory of 1004	1176	rundll32.exe	wermgr.exe
PID 1176 wrote to memory of 1004	1176	rundll32.exe	wermgr.exe
PID 1176 wrote to memory of 1004	1176	rundll32.exe	wermgr.exe
PID 1176 wrote to memory of 1004	1176	rundll32.exe	wermgr.exe

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\RunDLL-1.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:1988

C:\Windows\system32\rundll32.exe
rundll32.exe 3.dat,xlAutoOpen
2⤵
- Suspicious use of WriteProcessMemory
PID:1936

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe 3.dat,xlAutoOpen
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1176

C:\Windows\SysWOW64\wermgr.exe
C:\Windows\SysWOW64\wermgr.exe
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:1004

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1004-66-0x0000000000080000-0x00000000000A3000-memory.dmp

Filesize
140KB

Download
memory/1004-64-0x0000000000080000-0x00000000000A3000-memory.dmp

Filesize
140KB

Download
memory/1004-72-0x0000000000080000-0x00000000000A3000-memory.dmp

Filesize
140KB

Download
memory/1004-71-0x0000000000080000-0x00000000000A3000-memory.dmp

Filesize
140KB

Download
memory/1004-62-0x0000000000080000-0x00000000000A3000-memory.dmp

Filesize
140KB

Download
memory/1004-59-0x00000000000B0000-0x00000000000B2000-memory.dmp

Filesize
8KB

Download
memory/1004-68-0x0000000000080000-0x00000000000A3000-memory.dmp

Filesize
140KB

Download
memory/1004-65-0x0000000000080000-0x00000000000A3000-memory.dmp

Filesize
140KB

Download
memory/1004-61-0x0000000000080000-0x00000000000A3000-memory.dmp

Filesize
140KB

Download
memory/1004-63-0x0000000000080000-0x00000000000A3000-memory.dmp

Filesize
140KB

Download
memory/1176-58-0x0000000000220000-0x0000000000243000-memory.dmp

Filesize
140KB

Download
memory/1176-60-0x0000000000220000-0x0000000000243000-memory.dmp

Filesize
140KB

Download
memory/1176-54-0x0000000000220000-0x0000000000243000-memory.dmp

Filesize
140KB

Download
memory/1176-56-0x0000000000220000-0x0000000000243000-memory.dmp

Filesize
140KB

Download
memory/1176-57-0x0000000000160000-0x0000000000191000-memory.dmp

Filesize
196KB

Download
memory/1176-55-0x0000000000220000-0x0000000000243000-memory.dmp

Filesize
140KB

Download

Analysis

Sharing