qakbot | fe4d2ebc920e60116b039236f07e45a9203fce4eaf7e5182c0a8610f49c7397c

General

Target

fe4d2ebc920e60116b039236f07e45a9203fce4eaf7e5182c0a8610f49c7397c.dll
Size

462KB
MD5

fd4829b31ddba9d86b755d94c1bd9d18
SHA1

51888e485511fe7db278715c72da0bd64f70bc89
SHA256

fe4d2ebc920e60116b039236f07e45a9203fce4eaf7e5182c0a8610f49c7397c
SHA512

5b7d2cad80f6b6d57984fd9ecff170e023a06f316228aac961ff081965d9a9af19692e345f3cb093d75308d679c31892f735602db557ed97c514b1d39c69ae6d
SSDEEP

12288:eAsKWT98cqSemKRLh0P4Fr8qFu8wPchGF4A7J7tTFJMvEPRrUxHYjKqNZrk7UazG:eJMvArUx4jfNko9ga

Score

10^/10

qakbot obama252 1681377757 banker stealer trojan

Malware Config

Extracted

Family

qakbot

Version

404.919

Botnet

obama252

Campaign

1681377757

C2

70.28.50.223:2083

64.121.161.102:443

95.60.243.84:995

70.28.50.223:1194

49.245.95.124:2222

184.153.132.82:443

67.219.197.94:443

174.4.89.3:443

70.28.50.223:3389

213.91.235.146:443

75.115.14.189:443

202.142.98.62:443

70.64.77.115:443

70.28.50.223:2087

103.123.223.141:443

50.68.204.71:993

81.229.117.95:2222

72.134.124.16:443

76.170.252.153:995

85.245.221.87:2078

Attributes

salt
SoNuce]ugdiB3c[doMuce2s81*uXmcvP

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

ping.exe

pid process

980 ping.exe

pid	process
980	ping.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exewermgr.exe

pid	process
1744	rundll32.exe
864	wermgr.exe
864	wermgr.exe
864	wermgr.exe
864	wermgr.exe
864	wermgr.exe
864	wermgr.exe
864	wermgr.exe
864	wermgr.exe
864	wermgr.exe
864	wermgr.exe
864	wermgr.exe
864	wermgr.exe
864	wermgr.exe
864	wermgr.exe
864	wermgr.exe
864	wermgr.exe
864	wermgr.exe
864	wermgr.exe
864	wermgr.exe
864	wermgr.exe
864	wermgr.exe
864	wermgr.exe
864	wermgr.exe
864	wermgr.exe
864	wermgr.exe
864	wermgr.exe
864	wermgr.exe
864	wermgr.exe
864	wermgr.exe
864	wermgr.exe
864	wermgr.exe
864	wermgr.exe
864	wermgr.exe
864	wermgr.exe
864	wermgr.exe
864	wermgr.exe
864	wermgr.exe
864	wermgr.exe
864	wermgr.exe
864	wermgr.exe
864	wermgr.exe
864	wermgr.exe
864	wermgr.exe
864	wermgr.exe
864	wermgr.exe
864	wermgr.exe
864	wermgr.exe
864	wermgr.exe
864	wermgr.exe
864	wermgr.exe
864	wermgr.exe
864	wermgr.exe
864	wermgr.exe
864	wermgr.exe
864	wermgr.exe
864	wermgr.exe
864	wermgr.exe
864	wermgr.exe
864	wermgr.exe
864	wermgr.exe
864	wermgr.exe
864	wermgr.exe
864	wermgr.exe

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

rundll32.exe

pid process

1744 rundll32.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

rundll32.exerundll32.exewermgr.exe

description	pid	process	target process
PID 1148 wrote to memory of 1744	1148	rundll32.exe	rundll32.exe
PID 1148 wrote to memory of 1744	1148	rundll32.exe	rundll32.exe
PID 1148 wrote to memory of 1744	1148	rundll32.exe	rundll32.exe
PID 1148 wrote to memory of 1744	1148	rundll32.exe	rundll32.exe
PID 1148 wrote to memory of 1744	1148	rundll32.exe	rundll32.exe
PID 1148 wrote to memory of 1744	1148	rundll32.exe	rundll32.exe
PID 1148 wrote to memory of 1744	1148	rundll32.exe	rundll32.exe
PID 1744 wrote to memory of 864	1744	rundll32.exe	wermgr.exe
PID 1744 wrote to memory of 864	1744	rundll32.exe	wermgr.exe
PID 1744 wrote to memory of 864	1744	rundll32.exe	wermgr.exe
PID 1744 wrote to memory of 864	1744	rundll32.exe	wermgr.exe
PID 1744 wrote to memory of 864	1744	rundll32.exe	wermgr.exe
PID 1744 wrote to memory of 864	1744	rundll32.exe	wermgr.exe
PID 864 wrote to memory of 980	864	wermgr.exe	ping.exe
PID 864 wrote to memory of 980	864	wermgr.exe	ping.exe
PID 864 wrote to memory of 980	864	wermgr.exe	ping.exe
PID 864 wrote to memory of 980	864	wermgr.exe	ping.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\fe4d2ebc920e60116b039236f07e45a9203fce4eaf7e5182c0a8610f49c7397c.dll,Nikn
1⤵
- Suspicious use of WriteProcessMemory
PID:1148

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\fe4d2ebc920e60116b039236f07e45a9203fce4eaf7e5182c0a8610f49c7397c.dll,Nikn
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1744

C:\Windows\SysWOW64\wermgr.exe
C:\Windows\SysWOW64\wermgr.exe
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:864

C:\Windows\SysWOW64\ping.exe
ping -n 3 yahoo.com
4⤵
- Runs ping.exe
PID:980

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

1

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/864-67-0x00000000000C0000-0x00000000000E4000-memory.dmp

Filesize
144KB

Download
memory/864-61-0x00000000000F0000-0x00000000000F2000-memory.dmp

Filesize
8KB

Download
memory/864-62-0x00000000000C0000-0x00000000000E4000-memory.dmp

Filesize
144KB

Download
memory/864-63-0x00000000000C0000-0x00000000000E4000-memory.dmp

Filesize
144KB

Download
memory/864-65-0x00000000000C0000-0x00000000000E4000-memory.dmp

Filesize
144KB

Download
memory/864-66-0x00000000000C0000-0x00000000000E4000-memory.dmp

Filesize
144KB

Download
memory/864-68-0x00000000000C0000-0x00000000000E4000-memory.dmp

Filesize
144KB

Download
memory/864-69-0x00000000000C0000-0x00000000000E4000-memory.dmp

Filesize
144KB

Download
memory/864-71-0x00000000000C0000-0x00000000000E4000-memory.dmp

Filesize
144KB

Download
memory/1744-55-0x00000000001A0000-0x00000000001C4000-memory.dmp

Filesize
144KB

Download
memory/1744-60-0x00000000001A0000-0x00000000001C4000-memory.dmp

Filesize
144KB

Download
memory/1744-64-0x00000000001A0000-0x00000000001C4000-memory.dmp

Filesize
144KB

Download
memory/1744-54-0x0000000000170000-0x0000000000173000-memory.dmp

Filesize
12KB

Download

Analysis

Sharing