qakbot | 293c6bb43cc267a6f0dd9f2da1d62144ddb63159a8f93a2ea2c963e0e44d87f4

Analysis

max time kernel
104s
max time network
30s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
20-03-2023 17:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Ungripping.dll
Size

881KB
MD5

328c7bd717baffb021419154dca563d8
SHA1

2ce3de50a614ef7937dcce8a2c13d5de5e68b48c
SHA256

293c6bb43cc267a6f0dd9f2da1d62144ddb63159a8f93a2ea2c963e0e44d87f4
SHA512

6f66c3dca37d2909b9144136311777027a5417a49ff901753733b558066ee7058687730ecb449ad37ef103422535843b3a69236fe74c71eab158ad0004e6a7ce
SSDEEP

24576:V9sT4ppNP7Empue12E35Tdkq0aljWrHnl5oPhepzGIrx1lA0iO1PTIsrq:YQbD0nEZAl/iOKsr

Score

10^/10

qakbot bb20 1679248733 banker stealer trojan

Malware Config

Extracted

Family

qakbot

Version

404.450

Botnet

BB20

Campaign

1679248733

75.143.236.149:443

80.42.186.99:2222

50.68.204.71:993

47.32.78.150:443

50.68.204.71:443

90.165.109.4:2222

178.152.121.81:443

78.69.251.252:2222

86.45.66.141:2222

91.68.227.219:443

80.1.152.201:443

213.91.235.146:443

198.2.51.242:993

92.154.17.149:2222

174.4.89.3:443

86.191.9.6:995

2.14.137.60:2222

93.147.134.85:443

92.149.250.113:2222

73.165.119.20:443

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot

Suspicious behavior: EnumeratesProcesses 55 IoCs

Processes:

rundll32.exewermgr.exe

pid	process
1324	rundll32.exe
1332	wermgr.exe
1332	wermgr.exe
1332	wermgr.exe
1332	wermgr.exe
1332	wermgr.exe
1332	wermgr.exe
1332	wermgr.exe
1332	wermgr.exe
1332	wermgr.exe
1332	wermgr.exe
1332	wermgr.exe
1332	wermgr.exe
1332	wermgr.exe
1332	wermgr.exe
1332	wermgr.exe
1332	wermgr.exe
1332	wermgr.exe
1332	wermgr.exe
1332	wermgr.exe
1332	wermgr.exe
1332	wermgr.exe
1332	wermgr.exe
1332	wermgr.exe
1332	wermgr.exe
1332	wermgr.exe
1332	wermgr.exe
1332	wermgr.exe
1332	wermgr.exe
1332	wermgr.exe
1332	wermgr.exe
1332	wermgr.exe
1332	wermgr.exe
1332	wermgr.exe
1332	wermgr.exe
1332	wermgr.exe
1332	wermgr.exe
1332	wermgr.exe
1332	wermgr.exe
1332	wermgr.exe
1332	wermgr.exe
1332	wermgr.exe
1332	wermgr.exe
1332	wermgr.exe
1332	wermgr.exe
1332	wermgr.exe
1332	wermgr.exe
1332	wermgr.exe
1332	wermgr.exe
1332	wermgr.exe
1332	wermgr.exe
1332	wermgr.exe
1332	wermgr.exe
1332	wermgr.exe
1332	wermgr.exe

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

rundll32.exe

pid process

1324 rundll32.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 1212 wrote to memory of 1324	1212	rundll32.exe	rundll32.exe
PID 1212 wrote to memory of 1324	1212	rundll32.exe	rundll32.exe
PID 1212 wrote to memory of 1324	1212	rundll32.exe	rundll32.exe
PID 1212 wrote to memory of 1324	1212	rundll32.exe	rundll32.exe
PID 1212 wrote to memory of 1324	1212	rundll32.exe	rundll32.exe
PID 1212 wrote to memory of 1324	1212	rundll32.exe	rundll32.exe
PID 1212 wrote to memory of 1324	1212	rundll32.exe	rundll32.exe
PID 1324 wrote to memory of 1332	1324	rundll32.exe	wermgr.exe
PID 1324 wrote to memory of 1332	1324	rundll32.exe	wermgr.exe
PID 1324 wrote to memory of 1332	1324	rundll32.exe	wermgr.exe
PID 1324 wrote to memory of 1332	1324	rundll32.exe	wermgr.exe
PID 1324 wrote to memory of 1332	1324	rundll32.exe	wermgr.exe
PID 1324 wrote to memory of 1332	1324	rundll32.exe	wermgr.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Ungripping.dll,WW50
1⤵
- Suspicious use of WriteProcessMemory
PID:1212

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Ungripping.dll,WW50
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1324

C:\Windows\SysWOW64\wermgr.exe
C:\Windows\SysWOW64\wermgr.exe
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:1332

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1324-54-0x0000000010000000-0x0000000010032000-memory.dmp

Filesize
200KB

Download
memory/1324-59-0x0000000010000000-0x0000000010032000-memory.dmp

Filesize
200KB

Download
memory/1324-60-0x0000000070A00000-0x0000000070ADD000-memory.dmp

Filesize
884KB

Download
memory/1324-62-0x0000000010000000-0x0000000010032000-memory.dmp

Filesize
200KB

Download
memory/1332-61-0x00000000000C0000-0x00000000000C2000-memory.dmp

Filesize
8KB

Download
memory/1332-63-0x0000000000080000-0x00000000000B2000-memory.dmp

Filesize
200KB

Download
memory/1332-65-0x0000000000080000-0x00000000000B2000-memory.dmp

Filesize
200KB

Download
memory/1332-66-0x0000000000080000-0x00000000000B2000-memory.dmp

Filesize
200KB

Download
memory/1332-67-0x0000000000080000-0x00000000000B2000-memory.dmp

Filesize
200KB

Download
memory/1332-68-0x0000000000080000-0x00000000000B2000-memory.dmp

Filesize
200KB

Download
memory/1332-69-0x0000000000080000-0x00000000000B2000-memory.dmp

Filesize
200KB

Download
memory/1332-71-0x0000000000080000-0x00000000000B2000-memory.dmp

Filesize
200KB

Download