qakbot | abcba267cfb2c8cbd61bbe1d9f154ce6cdd4575f3a055eb0f97cbe7ba9249ac5

General

Target

5bbb237c3a5bd16dd35889fe6b7dac5ef3315f517c0fbd5328b41be0799a3b60.dll
Size

580KB
MD5

aef019590c6b18467b52d8566da497d4
SHA1

e73b1f459cb640c1f5ccba5553662341ac57bf9f
SHA256

5bbb237c3a5bd16dd35889fe6b7dac5ef3315f517c0fbd5328b41be0799a3b60
SHA512

ae5336510b2d6cb409da73a97610663d596ddb1bc8a47eac13e0f0088face4a7b37c58bbf4c37bb304bce3dfc8f6b4d647aa872fba6248f3ee8b4e5d7f6c2dd9
SSDEEP

6144:k/ZzllHDjygb7kZJUP9SDTOq3WlrQQurP/o2SiN5ryK9T+gZw/NCxeczYjlDtKK8:+HDjygXeIBrbYXPCd/NyYxRGu5DO

Score

10^/10

qakbot bb22 1680688614 banker stealer trojan

Malware Config

Extracted

Family

qakbot

Version

404.909

Botnet

BB22

Campaign

1680688614

C2

209.93.207.224:2222

90.93.132.149:2222

109.11.175.42:2222

12.172.173.82:993

86.195.14.72:2222

82.121.195.187:2222

88.122.133.88:32100

86.154.216.221:2222

91.82.133.190:443

197.3.198.241:443

70.112.206.5:443

12.172.173.82:50001

103.123.223.141:443

103.141.50.102:995

201.244.108.183:995

183.87.163.165:443

76.178.148.107:2222

96.87.28.170:2222

76.80.180.154:993

92.189.214.236:2222

Attributes

salt
SoNuce]ugdiB3c[doMuce2s81*uXmcvP

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

ping.exe

pid process

1760 ping.exe

pid	process
1760	ping.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exewermgr.exe

pid	process
1740	rundll32.exe
1160	wermgr.exe
1160	wermgr.exe
1160	wermgr.exe
1160	wermgr.exe
1160	wermgr.exe
1160	wermgr.exe
1160	wermgr.exe
1160	wermgr.exe
1160	wermgr.exe
1160	wermgr.exe
1160	wermgr.exe
1160	wermgr.exe
1160	wermgr.exe
1160	wermgr.exe
1160	wermgr.exe
1160	wermgr.exe
1160	wermgr.exe
1160	wermgr.exe
1160	wermgr.exe
1160	wermgr.exe
1160	wermgr.exe
1160	wermgr.exe
1160	wermgr.exe
1160	wermgr.exe
1160	wermgr.exe
1160	wermgr.exe
1160	wermgr.exe
1160	wermgr.exe
1160	wermgr.exe
1160	wermgr.exe
1160	wermgr.exe
1160	wermgr.exe
1160	wermgr.exe
1160	wermgr.exe
1160	wermgr.exe
1160	wermgr.exe
1160	wermgr.exe
1160	wermgr.exe
1160	wermgr.exe
1160	wermgr.exe
1160	wermgr.exe
1160	wermgr.exe
1160	wermgr.exe
1160	wermgr.exe
1160	wermgr.exe
1160	wermgr.exe
1160	wermgr.exe
1160	wermgr.exe
1160	wermgr.exe
1160	wermgr.exe
1160	wermgr.exe
1160	wermgr.exe
1160	wermgr.exe
1160	wermgr.exe
1160	wermgr.exe
1160	wermgr.exe
1160	wermgr.exe
1160	wermgr.exe
1160	wermgr.exe
1160	wermgr.exe
1160	wermgr.exe
1160	wermgr.exe
1160	wermgr.exe

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

rundll32.exe

pid process

1740 rundll32.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

rundll32.exerundll32.exewermgr.exe

description	pid	process	target process
PID 1496 wrote to memory of 1740	1496	rundll32.exe	rundll32.exe
PID 1496 wrote to memory of 1740	1496	rundll32.exe	rundll32.exe
PID 1496 wrote to memory of 1740	1496	rundll32.exe	rundll32.exe
PID 1496 wrote to memory of 1740	1496	rundll32.exe	rundll32.exe
PID 1496 wrote to memory of 1740	1496	rundll32.exe	rundll32.exe
PID 1496 wrote to memory of 1740	1496	rundll32.exe	rundll32.exe
PID 1496 wrote to memory of 1740	1496	rundll32.exe	rundll32.exe
PID 1740 wrote to memory of 1160	1740	rundll32.exe	wermgr.exe
PID 1740 wrote to memory of 1160	1740	rundll32.exe	wermgr.exe
PID 1740 wrote to memory of 1160	1740	rundll32.exe	wermgr.exe
PID 1740 wrote to memory of 1160	1740	rundll32.exe	wermgr.exe
PID 1740 wrote to memory of 1160	1740	rundll32.exe	wermgr.exe
PID 1740 wrote to memory of 1160	1740	rundll32.exe	wermgr.exe
PID 1160 wrote to memory of 1760	1160	wermgr.exe	ping.exe
PID 1160 wrote to memory of 1760	1160	wermgr.exe	ping.exe
PID 1160 wrote to memory of 1760	1160	wermgr.exe	ping.exe
PID 1160 wrote to memory of 1760	1160	wermgr.exe	ping.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\5bbb237c3a5bd16dd35889fe6b7dac5ef3315f517c0fbd5328b41be0799a3b60.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1496

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\5bbb237c3a5bd16dd35889fe6b7dac5ef3315f517c0fbd5328b41be0799a3b60.dll,#1
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1740

C:\Windows\SysWOW64\wermgr.exe
C:\Windows\SysWOW64\wermgr.exe
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1160

C:\Windows\SysWOW64\ping.exe
ping -n 3 yahoo.com
4⤵
- Runs ping.exe
PID:1760

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

1

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1160-64-0x00000000000B0000-0x00000000000B2000-memory.dmp

Filesize
8KB

Download
memory/1160-75-0x0000000000080000-0x00000000000A4000-memory.dmp

Filesize
144KB

Download
memory/1160-73-0x0000000000080000-0x00000000000A4000-memory.dmp

Filesize
144KB

Download
memory/1160-72-0x0000000000080000-0x00000000000A4000-memory.dmp

Filesize
144KB

Download
memory/1160-71-0x0000000000080000-0x00000000000A4000-memory.dmp

Filesize
144KB

Download
memory/1160-70-0x0000000000080000-0x00000000000A4000-memory.dmp

Filesize
144KB

Download
memory/1160-68-0x0000000000080000-0x00000000000A4000-memory.dmp

Filesize
144KB

Download
memory/1160-66-0x0000000000080000-0x00000000000A4000-memory.dmp

Filesize
144KB

Download
memory/1160-65-0x0000000000080000-0x00000000000A4000-memory.dmp

Filesize
144KB

Download
memory/1740-62-0x0000000001D50000-0x0000000001DE3000-memory.dmp

Filesize
588KB

Download
memory/1740-54-0x0000000001D50000-0x0000000001DE3000-memory.dmp

Filesize
588KB

Download
memory/1740-61-0x0000000000810000-0x0000000000834000-memory.dmp

Filesize
144KB

Download
memory/1740-67-0x0000000000810000-0x0000000000834000-memory.dmp

Filesize
144KB

Download
memory/1740-60-0x00000000002B0000-0x00000000002D6000-memory.dmp

Filesize
152KB

Download
memory/1740-59-0x0000000000810000-0x0000000000834000-memory.dmp

Filesize
144KB

Download
memory/1740-58-0x0000000000810000-0x0000000000834000-memory.dmp

Filesize
144KB

Download
memory/1740-57-0x0000000000810000-0x0000000000834000-memory.dmp

Filesize
144KB

Download
memory/1740-56-0x0000000000810000-0x0000000000834000-memory.dmp

Filesize
144KB

Download
memory/1740-55-0x0000000000120000-0x0000000000121000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing