qakbot | c9cca7ebd18e88aa627878060735db234b26104c19fff55aab6b651e35196e33

Analysis

max time kernel
149s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
20-03-2023 15:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

me97U.dll
Size

860KB
MD5

71af65171b500352fcf6e2e0d35462f2
SHA1

8e60346a8f8344cd9e755113b2e94981a2424d68
SHA256

c9cca7ebd18e88aa627878060735db234b26104c19fff55aab6b651e35196e33
SHA512

2f41ddb99c009ae52f942148068e004308c64972f8d9ef91c228613dd5fa38ba5127da6ae8c9f4446a1729dd7518bc809b3739796ab0f4169495286c27bfdc47
SSDEEP

24576:i9sT4ppMP7Empue12E35Tdkq0aljWrHnl5oPhepzGIrx1lA0ijNl:bQOD0nEZAl/iX

Score

10^/10

qakbot obama244 1679299070 banker stealer trojan

Malware Config

Extracted

Family

qakbot

Version

404.450

Botnet

obama244

Campaign

1679299070

116.75.63.17:443

136.244.25.165:443

184.153.132.82:443

217.165.247.145:2222

35.143.97.145:995

86.98.17.65:443

49.245.95.124:2222

47.34.30.133:443

92.149.250.113:2222

92.186.69.229:2222

86.195.14.72:2222

92.154.45.81:2222

69.119.123.159:2222

64.237.245.195:443

58.186.75.42:443

178.152.121.81:443

12.172.173.82:465

125.99.69.178:443

98.222.212.149:443

175.156.65.126:2222

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exewermgr.exe

pid	process
3964	rundll32.exe
3964	rundll32.exe
2504	wermgr.exe
2504	wermgr.exe
2504	wermgr.exe
2504	wermgr.exe
2504	wermgr.exe
2504	wermgr.exe
2504	wermgr.exe
2504	wermgr.exe
2504	wermgr.exe
2504	wermgr.exe
2504	wermgr.exe
2504	wermgr.exe
2504	wermgr.exe
2504	wermgr.exe
2504	wermgr.exe
2504	wermgr.exe
2504	wermgr.exe
2504	wermgr.exe
2504	wermgr.exe
2504	wermgr.exe
2504	wermgr.exe
2504	wermgr.exe
2504	wermgr.exe
2504	wermgr.exe
2504	wermgr.exe
2504	wermgr.exe
2504	wermgr.exe
2504	wermgr.exe
2504	wermgr.exe
2504	wermgr.exe
2504	wermgr.exe
2504	wermgr.exe
2504	wermgr.exe
2504	wermgr.exe
2504	wermgr.exe
2504	wermgr.exe
2504	wermgr.exe
2504	wermgr.exe
2504	wermgr.exe
2504	wermgr.exe
2504	wermgr.exe
2504	wermgr.exe
2504	wermgr.exe
2504	wermgr.exe
2504	wermgr.exe
2504	wermgr.exe
2504	wermgr.exe
2504	wermgr.exe
2504	wermgr.exe
2504	wermgr.exe
2504	wermgr.exe
2504	wermgr.exe
2504	wermgr.exe
2504	wermgr.exe
2504	wermgr.exe
2504	wermgr.exe
2504	wermgr.exe
2504	wermgr.exe
2504	wermgr.exe
2504	wermgr.exe
2504	wermgr.exe
2504	wermgr.exe

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

rundll32.exe

pid process

3964 rundll32.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 2624 wrote to memory of 3964	2624	rundll32.exe	rundll32.exe
PID 2624 wrote to memory of 3964	2624	rundll32.exe	rundll32.exe
PID 2624 wrote to memory of 3964	2624	rundll32.exe	rundll32.exe
PID 3964 wrote to memory of 2504	3964	rundll32.exe	wermgr.exe
PID 3964 wrote to memory of 2504	3964	rundll32.exe	wermgr.exe
PID 3964 wrote to memory of 2504	3964	rundll32.exe	wermgr.exe
PID 3964 wrote to memory of 2504	3964	rundll32.exe	wermgr.exe
PID 3964 wrote to memory of 2504	3964	rundll32.exe	wermgr.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\me97U.dll,WW50
1⤵
- Suspicious use of WriteProcessMemory
PID:2624

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\me97U.dll,WW50
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3964

C:\Windows\SysWOW64\wermgr.exe
C:\Windows\SysWOW64\wermgr.exe
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:2504

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2504-141-0x0000000000480000-0x00000000004B2000-memory.dmp

Filesize
200KB

Download
memory/2504-143-0x0000000000480000-0x00000000004B2000-memory.dmp

Filesize
200KB

Download
memory/2504-144-0x0000000000480000-0x00000000004B2000-memory.dmp

Filesize
200KB

Download
memory/2504-145-0x0000000000480000-0x00000000004B2000-memory.dmp

Filesize
200KB

Download
memory/2504-146-0x0000000000480000-0x00000000004B2000-memory.dmp

Filesize
200KB

Download
memory/2504-148-0x0000000000480000-0x00000000004B2000-memory.dmp

Filesize
200KB

Download
memory/2504-150-0x0000000000480000-0x00000000004B2000-memory.dmp

Filesize
200KB

Download
memory/3964-133-0x0000000010000000-0x0000000010032000-memory.dmp

Filesize
200KB

Download
memory/3964-138-0x0000000010000000-0x0000000010032000-memory.dmp

Filesize
200KB

Download
memory/3964-139-0x0000000000CD0000-0x0000000000CD3000-memory.dmp

Filesize
12KB

Download
memory/3964-140-0x0000000010000000-0x0000000010032000-memory.dmp

Filesize
200KB

Download
memory/3964-142-0x0000000070A00000-0x0000000070ADD000-memory.dmp

Filesize
884KB

Download