qakbot | bc672fe23b19898032b312ab849d781cfd450966e17f571b8e31a0328f2bafe8

Analysis

max time kernel
25s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
03-04-2023 14:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Qbot_posting.dll
Size

638KB
MD5

66c31e46e776c384f69c856505ab7852
SHA1

0502fa50d6117f1ed5d66a2d3c961eae5609f95b
SHA256

bc672fe23b19898032b312ab849d781cfd450966e17f571b8e31a0328f2bafe8
SHA512

6e916d69f0dc9f0284c4aacb7a2f75aeaa628aed3419cd16e8ac962ec98d9c7db7baceaacf3f635a496a1b13d29bcd7f3a1d7788e964b15c319282130857bebe
SSDEEP

12288:fa2sTwwDbozbuUijWQ2ieToMjavBJHuZXJMeGbX//IO:fBs1QuUijWHVUM+7OZXJM5T//I

Score

10^/10

qakbot bb02 1665761649 banker stealer trojan

Malware Config

Extracted

Family

qakbot

Version

403.973

Botnet

BB02

Campaign

1665761649

104.233.202.195:443

105.156.242.71:443

45.230.169.132:995

181.197.41.173:443

197.0.89.147:443

191.254.53.134:995

190.204.74.4:2222

46.185.147.165:443

190.26.159.133:995

177.205.74.14:2222

197.63.250.197:993

45.230.169.132:443

156.212.50.148:443

193.27.13.28:32100

190.200.10.82:2222

31.166.182.166:443

179.105.182.216:995

193.201.187.64:443

1.53.101.75:443

190.181.17.58:443

Attributes

salt
SoNuce]ugdiB3c[doMuce2s81*uXmcvP

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

rundll32.exe

pid process

1072 rundll32.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

rundll32.exe

pid process

1072 rundll32.exe

pid	process
1072	rundll32.exe

pid	process
1072	rundll32.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 2040 wrote to memory of 1072	2040	rundll32.exe	rundll32.exe
PID 2040 wrote to memory of 1072	2040	rundll32.exe	rundll32.exe
PID 2040 wrote to memory of 1072	2040	rundll32.exe	rundll32.exe
PID 2040 wrote to memory of 1072	2040	rundll32.exe	rundll32.exe
PID 2040 wrote to memory of 1072	2040	rundll32.exe	rundll32.exe
PID 2040 wrote to memory of 1072	2040	rundll32.exe	rundll32.exe
PID 2040 wrote to memory of 1072	2040	rundll32.exe	rundll32.exe
PID 1072 wrote to memory of 1188	1072	rundll32.exe	wermgr.exe
PID 1072 wrote to memory of 1188	1072	rundll32.exe	wermgr.exe
PID 1072 wrote to memory of 1188	1072	rundll32.exe	wermgr.exe
PID 1072 wrote to memory of 1188	1072	rundll32.exe	wermgr.exe
PID 1072 wrote to memory of 1188	1072	rundll32.exe	wermgr.exe
PID 1072 wrote to memory of 1188	1072	rundll32.exe	wermgr.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Qbot_posting.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2040

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Qbot_posting.dll,#1
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1072

C:\Windows\SysWOW64\wermgr.exe
C:\Windows\SysWOW64\wermgr.exe
3⤵
PID:1188

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1072-54-0x0000000000170000-0x0000000000171000-memory.dmp

Filesize
4KB

Download
memory/1072-55-0x00000000002A0000-0x00000000002C9000-memory.dmp

Filesize
164KB

Download
memory/1072-56-0x00000000002A0000-0x00000000002C9000-memory.dmp

Filesize
164KB

Download
memory/1072-58-0x00000000002A0000-0x00000000002C9000-memory.dmp

Filesize
164KB

Download
memory/1072-57-0x00000000002A0000-0x00000000002C9000-memory.dmp

Filesize
164KB

Download
memory/1072-59-0x0000000000240000-0x000000000026A000-memory.dmp

Filesize
168KB

Download
memory/1072-60-0x00000000002A0000-0x00000000002C9000-memory.dmp

Filesize
164KB

Download
memory/1072-61-0x0000000000400000-0x00000000004A4000-memory.dmp

Filesize
656KB

Download
memory/1072-63-0x00000000002A0000-0x00000000002C9000-memory.dmp

Filesize
164KB

Download
memory/1072-65-0x00000000002A0000-0x00000000002C9000-memory.dmp

Filesize
164KB

Download
memory/1188-64-0x00000000000B0000-0x00000000000B2000-memory.dmp

Filesize
8KB

Download
memory/1188-67-0x0000000000080000-0x00000000000A9000-memory.dmp

Filesize
164KB

Download