qakbot | c9cca7ebd18e88aa627878060735db234b26104c19fff55aab6b651e35196e33

Analysis

max time kernel
149s
max time network
33s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
20-03-2023 15:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

me97U.dll
Size

860KB
MD5

71af65171b500352fcf6e2e0d35462f2
SHA1

8e60346a8f8344cd9e755113b2e94981a2424d68
SHA256

c9cca7ebd18e88aa627878060735db234b26104c19fff55aab6b651e35196e33
SHA512

2f41ddb99c009ae52f942148068e004308c64972f8d9ef91c228613dd5fa38ba5127da6ae8c9f4446a1729dd7518bc809b3739796ab0f4169495286c27bfdc47
SSDEEP

24576:i9sT4ppMP7Empue12E35Tdkq0aljWrHnl5oPhepzGIrx1lA0ijNl:bQOD0nEZAl/iX

Score

10^/10

qakbot obama244 1679299070 banker stealer trojan

Malware Config

Extracted

Family

qakbot

Version

404.450

Botnet

obama244

Campaign

1679299070

116.75.63.17:443

136.244.25.165:443

184.153.132.82:443

217.165.247.145:2222

35.143.97.145:995

86.98.17.65:443

49.245.95.124:2222

47.34.30.133:443

92.149.250.113:2222

92.186.69.229:2222

86.195.14.72:2222

92.154.45.81:2222

69.119.123.159:2222

64.237.245.195:443

58.186.75.42:443

178.152.121.81:443

12.172.173.82:465

125.99.69.178:443

98.222.212.149:443

175.156.65.126:2222

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exewermgr.exe

pid	process
1204	rundll32.exe
536	wermgr.exe
536	wermgr.exe
536	wermgr.exe
536	wermgr.exe
536	wermgr.exe
536	wermgr.exe
536	wermgr.exe
536	wermgr.exe
536	wermgr.exe
536	wermgr.exe
536	wermgr.exe
536	wermgr.exe
536	wermgr.exe
536	wermgr.exe
536	wermgr.exe
536	wermgr.exe
536	wermgr.exe
536	wermgr.exe
536	wermgr.exe
536	wermgr.exe
536	wermgr.exe
536	wermgr.exe
536	wermgr.exe
536	wermgr.exe
536	wermgr.exe
536	wermgr.exe
536	wermgr.exe
536	wermgr.exe
536	wermgr.exe
536	wermgr.exe
536	wermgr.exe
536	wermgr.exe
536	wermgr.exe
536	wermgr.exe
536	wermgr.exe
536	wermgr.exe
536	wermgr.exe
536	wermgr.exe
536	wermgr.exe
536	wermgr.exe
536	wermgr.exe
536	wermgr.exe
536	wermgr.exe
536	wermgr.exe
536	wermgr.exe
536	wermgr.exe
536	wermgr.exe
536	wermgr.exe
536	wermgr.exe
536	wermgr.exe
536	wermgr.exe
536	wermgr.exe
536	wermgr.exe
536	wermgr.exe
536	wermgr.exe
536	wermgr.exe
536	wermgr.exe
536	wermgr.exe
536	wermgr.exe
536	wermgr.exe
536	wermgr.exe
536	wermgr.exe
536	wermgr.exe

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

rundll32.exe

pid process

1204 rundll32.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 1520 wrote to memory of 1204	1520	rundll32.exe	rundll32.exe
PID 1520 wrote to memory of 1204	1520	rundll32.exe	rundll32.exe
PID 1520 wrote to memory of 1204	1520	rundll32.exe	rundll32.exe
PID 1520 wrote to memory of 1204	1520	rundll32.exe	rundll32.exe
PID 1520 wrote to memory of 1204	1520	rundll32.exe	rundll32.exe
PID 1520 wrote to memory of 1204	1520	rundll32.exe	rundll32.exe
PID 1520 wrote to memory of 1204	1520	rundll32.exe	rundll32.exe
PID 1204 wrote to memory of 536	1204	rundll32.exe	wermgr.exe
PID 1204 wrote to memory of 536	1204	rundll32.exe	wermgr.exe
PID 1204 wrote to memory of 536	1204	rundll32.exe	wermgr.exe
PID 1204 wrote to memory of 536	1204	rundll32.exe	wermgr.exe
PID 1204 wrote to memory of 536	1204	rundll32.exe	wermgr.exe
PID 1204 wrote to memory of 536	1204	rundll32.exe	wermgr.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\me97U.dll,WW50
1⤵
- Suspicious use of WriteProcessMemory
PID:1520

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\me97U.dll,WW50
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1204

C:\Windows\SysWOW64\wermgr.exe
C:\Windows\SysWOW64\wermgr.exe
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:536

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/536-61-0x0000000000100000-0x0000000000102000-memory.dmp

Filesize
8KB

Download
memory/536-63-0x0000000000080000-0x00000000000B2000-memory.dmp

Filesize
200KB

Download
memory/536-65-0x0000000000080000-0x00000000000B2000-memory.dmp

Filesize
200KB

Download
memory/536-66-0x0000000000080000-0x00000000000B2000-memory.dmp

Filesize
200KB

Download
memory/536-67-0x0000000000080000-0x00000000000B2000-memory.dmp

Filesize
200KB

Download
memory/536-68-0x0000000000080000-0x00000000000B2000-memory.dmp

Filesize
200KB

Download
memory/536-69-0x0000000000080000-0x00000000000B2000-memory.dmp

Filesize
200KB

Download
memory/536-71-0x0000000000080000-0x00000000000B2000-memory.dmp

Filesize
200KB

Download
memory/1204-54-0x0000000010000000-0x0000000010032000-memory.dmp

Filesize
200KB

Download
memory/1204-59-0x0000000010000000-0x0000000010032000-memory.dmp

Filesize
200KB

Download
memory/1204-60-0x0000000070A00000-0x0000000070ADD000-memory.dmp

Filesize
884KB

Download
memory/1204-62-0x0000000010000000-0x0000000010032000-memory.dmp

Filesize
200KB

Download