qakbot | 66416ebc59241a78024b8fa0b8fc376d66ed5e0f818aebccf8260c6a51bae9fd

Resubmissions

20-03-2023 20:02

230320-ysakrsfb83 3

20-03-2023 16:15

230320-tp8wyagd5v 10

20-03-2023 15:02

230320-sef8hagb2v 3

Analysis

max time kernel
149s
max time network
30s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
20-03-2023 16:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ConvertiblyBriskish.dll
Size

869KB
MD5

33c6c81620ad583916379499e47da4e0
SHA1

a1f947fad1f40273496f0a9c469e624d04fbe63a
SHA256

66416ebc59241a78024b8fa0b8fc376d66ed5e0f818aebccf8260c6a51bae9fd
SHA512

7138a97b701bcfd596f4e9932ea98fef0c6a6b57a250b3e9db654475acd53aca2b2773b844b83a00afb1217efa241cc3018727b4f3870061066d9b21a705947a
SSDEEP

24576:D9sT4pp4P7Empue12E35Tdkq0aljWrHnl5oPhepzGIrx1lA0id6H/Ne:2QeD0nEZAl/i

Score

10^/10

qakbot bb19 1679045844 banker stealer trojan

Malware Config

Extracted

Family

qakbot

Version

404.450

Botnet

BB19

Campaign

1679045844

202.142.98.62:443

50.68.204.71:995

81.229.117.95:2222

103.140.174.19:2222

47.34.30.133:443

76.170.252.153:995

183.87.163.165:443

81.133.163.79:2222

83.92.85.93:443

85.241.180.94:443

144.64.226.144:443

76.80.180.154:995

103.42.86.110:995

12.172.173.82:995

24.117.237.157:443

35.143.97.145:995

91.254.229.61:443

74.58.71.237:443

64.237.245.195:443

45.50.233.214:443

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exewermgr.exe

pid	process
1196	rundll32.exe
1964	wermgr.exe
1964	wermgr.exe
1964	wermgr.exe
1964	wermgr.exe
1964	wermgr.exe
1964	wermgr.exe
1964	wermgr.exe
1964	wermgr.exe
1964	wermgr.exe
1964	wermgr.exe
1964	wermgr.exe
1964	wermgr.exe
1964	wermgr.exe
1964	wermgr.exe
1964	wermgr.exe
1964	wermgr.exe
1964	wermgr.exe
1964	wermgr.exe
1964	wermgr.exe
1964	wermgr.exe
1964	wermgr.exe
1964	wermgr.exe
1964	wermgr.exe
1964	wermgr.exe
1964	wermgr.exe
1964	wermgr.exe
1964	wermgr.exe
1964	wermgr.exe
1964	wermgr.exe
1964	wermgr.exe
1964	wermgr.exe
1964	wermgr.exe
1964	wermgr.exe
1964	wermgr.exe
1964	wermgr.exe
1964	wermgr.exe
1964	wermgr.exe
1964	wermgr.exe
1964	wermgr.exe
1964	wermgr.exe
1964	wermgr.exe
1964	wermgr.exe
1964	wermgr.exe
1964	wermgr.exe
1964	wermgr.exe
1964	wermgr.exe
1964	wermgr.exe
1964	wermgr.exe
1964	wermgr.exe
1964	wermgr.exe
1964	wermgr.exe
1964	wermgr.exe
1964	wermgr.exe
1964	wermgr.exe
1964	wermgr.exe
1964	wermgr.exe
1964	wermgr.exe
1964	wermgr.exe
1964	wermgr.exe
1964	wermgr.exe
1964	wermgr.exe
1964	wermgr.exe
1964	wermgr.exe

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

rundll32.exe

pid process

1196 rundll32.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 2016 wrote to memory of 1196	2016	rundll32.exe	rundll32.exe
PID 2016 wrote to memory of 1196	2016	rundll32.exe	rundll32.exe
PID 2016 wrote to memory of 1196	2016	rundll32.exe	rundll32.exe
PID 2016 wrote to memory of 1196	2016	rundll32.exe	rundll32.exe
PID 2016 wrote to memory of 1196	2016	rundll32.exe	rundll32.exe
PID 2016 wrote to memory of 1196	2016	rundll32.exe	rundll32.exe
PID 2016 wrote to memory of 1196	2016	rundll32.exe	rundll32.exe
PID 1196 wrote to memory of 1964	1196	rundll32.exe	wermgr.exe
PID 1196 wrote to memory of 1964	1196	rundll32.exe	wermgr.exe
PID 1196 wrote to memory of 1964	1196	rundll32.exe	wermgr.exe
PID 1196 wrote to memory of 1964	1196	rundll32.exe	wermgr.exe
PID 1196 wrote to memory of 1964	1196	rundll32.exe	wermgr.exe
PID 1196 wrote to memory of 1964	1196	rundll32.exe	wermgr.exe

C:\Windows\system32\rundll32.exe
rundll32 C:\Users\Admin\AppData\Local\Temp\ConvertiblyBriskish.dll,WW50
1⤵
- Suspicious use of WriteProcessMemory
PID:2016

C:\Windows\SysWOW64\rundll32.exe
rundll32 C:\Users\Admin\AppData\Local\Temp\ConvertiblyBriskish.dll,WW50
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1196

C:\Windows\SysWOW64\wermgr.exe
C:\Windows\SysWOW64\wermgr.exe
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:1964

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1196-54-0x0000000010000000-0x0000000010032000-memory.dmp

Filesize
200KB

Download
memory/1196-59-0x0000000010000000-0x0000000010032000-memory.dmp

Filesize
200KB

Download
memory/1196-60-0x0000000070A00000-0x0000000070ADD000-memory.dmp

Filesize
884KB

Download
memory/1196-62-0x0000000010000000-0x0000000010032000-memory.dmp

Filesize
200KB

Download
memory/1964-61-0x00000000000C0000-0x00000000000C2000-memory.dmp

Filesize
8KB

Download
memory/1964-63-0x0000000000080000-0x00000000000B2000-memory.dmp

Filesize
200KB

Download
memory/1964-65-0x0000000000080000-0x00000000000B2000-memory.dmp

Filesize
200KB

Download
memory/1964-66-0x0000000000080000-0x00000000000B2000-memory.dmp

Filesize
200KB

Download
memory/1964-67-0x0000000000080000-0x00000000000B2000-memory.dmp

Filesize
200KB

Download
memory/1964-68-0x0000000000080000-0x00000000000B2000-memory.dmp

Filesize
200KB

Download
memory/1964-69-0x0000000000080000-0x00000000000B2000-memory.dmp

Filesize
200KB

Download
memory/1964-71-0x0000000000080000-0x00000000000B2000-memory.dmp

Filesize
200KB

Download