qakbot | 45fbfb9658cbfd1fe2fa102cf05bd38f458864e3f39f2c72dc4b073b114a2e24

Analysis

max time kernel
26s
max time network
28s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
19/04/2023, 09:34

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

45fbfb9658cbfd1fe2fa102cf05bd38f458864e3f39f2c72dc4b073b114a2e24.dll
Size

336KB
MD5

64ad73dd7f791257e336a550338a7e96
SHA1

e94fa4a9217a51488f688aaa6ab84d23ba4529af
SHA256

45fbfb9658cbfd1fe2fa102cf05bd38f458864e3f39f2c72dc4b073b114a2e24
SHA512

117a67c89669783243f01686705f6f4ea9c4aa01b973a47037b7d85d3f932ac881eccd938be2690bab7d24fb737b56b6269467ecc367d45da11f5f3faa22bfc2
SSDEEP

6144:rGpptTq76Et/NPHn1PdjxFJwMoW9vTWF5K6bVt2Eyfs/nqlbbHyx2f8qo+AwrOE:rG7Nq76qPVltfTvTWF5K6zPyfsyZ+x29

Score

10^/10

qakbot bb23 1681291772 banker stealer trojan

Malware Config

Extracted

Family

qakbot

Version

404.919

Botnet

BB23

Campaign

1681291772

101.184.134.98:2222

23.30.22.225:993

104.35.24.154:443

85.2.185.70:2222

14.192.241.76:995

47.196.225.236:443

78.92.133.215:443

176.202.45.209:443

174.118.63.123:443

84.35.26.14:995

86.171.191.31:443

103.141.50.79:995

213.67.139.53:2222

172.115.17.50:443

198.2.51.242:993

69.133.162.35:443

58.162.223.233:443

91.169.12.198:32100

47.21.51.138:443

35.143.97.145:995

Attributes

salt
SoNuce]ugdiB3c[doMuce2s81*uXmcvP

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1176	ping.exe

Suspicious behavior: EnumeratesProcesses 44 IoCs

pid	Process
4908	rundll32.exe
4908	rundll32.exe
1324	wermgr.exe
1324	wermgr.exe
1324	wermgr.exe
1324	wermgr.exe
1324	wermgr.exe
1324	wermgr.exe
1324	wermgr.exe
1324	wermgr.exe
1324	wermgr.exe
1324	wermgr.exe
1324	wermgr.exe
1324	wermgr.exe
1324	wermgr.exe
1324	wermgr.exe
1324	wermgr.exe
1324	wermgr.exe
1324	wermgr.exe
1324	wermgr.exe
1324	wermgr.exe
1324	wermgr.exe
1324	wermgr.exe
1324	wermgr.exe
1324	wermgr.exe
1324	wermgr.exe
1324	wermgr.exe
1324	wermgr.exe
1324	wermgr.exe
1324	wermgr.exe
1324	wermgr.exe
1324	wermgr.exe
1324	wermgr.exe
1324	wermgr.exe
1324	wermgr.exe
1324	wermgr.exe
1324	wermgr.exe
1324	wermgr.exe
1324	wermgr.exe
1324	wermgr.exe
1324	wermgr.exe
1324	wermgr.exe
1324	wermgr.exe
1324	wermgr.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
4908	rundll32.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 1832 wrote to memory of 4908	1832	rundll32.exe	85
PID 1832 wrote to memory of 4908	1832	rundll32.exe	85
PID 1832 wrote to memory of 4908	1832	rundll32.exe	85
PID 4908 wrote to memory of 1324	4908	rundll32.exe	86
PID 4908 wrote to memory of 1324	4908	rundll32.exe	86
PID 4908 wrote to memory of 1324	4908	rundll32.exe	86
PID 4908 wrote to memory of 1324	4908	rundll32.exe	86
PID 4908 wrote to memory of 1324	4908	rundll32.exe	86
PID 1324 wrote to memory of 1176	1324	wermgr.exe	87
PID 1324 wrote to memory of 1176	1324	wermgr.exe	87
PID 1324 wrote to memory of 1176	1324	wermgr.exe	87

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\45fbfb9658cbfd1fe2fa102cf05bd38f458864e3f39f2c72dc4b073b114a2e24.dll,Nikn
1⤵
- Suspicious use of WriteProcessMemory
PID:1832
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\45fbfb9658cbfd1fe2fa102cf05bd38f458864e3f39f2c72dc4b073b114a2e24.dll,Nikn
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:4908
- - C:\Windows\SysWOW64\wermgr.exe
    C:\Windows\SysWOW64\wermgr.exe
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1324
  - - C:\Windows\SysWOW64\ping.exe
      ping -n 3 yahoo.com
      4⤵
      Runs ping.exe
      PID:1176

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1324-146-0x0000000000150000-0x0000000000174000-memory.dmp

Filesize
144KB

Download
memory/1324-140-0x0000000000150000-0x0000000000174000-memory.dmp

Filesize
144KB

Download
memory/1324-141-0x0000000000150000-0x0000000000174000-memory.dmp

Filesize
144KB

Download
memory/1324-143-0x0000000000150000-0x0000000000174000-memory.dmp

Filesize
144KB

Download
memory/1324-145-0x0000000000150000-0x0000000000174000-memory.dmp

Filesize
144KB

Download
memory/1324-147-0x0000000000150000-0x0000000000174000-memory.dmp

Filesize
144KB

Download
memory/1324-148-0x0000000000150000-0x0000000000174000-memory.dmp

Filesize
144KB

Download
memory/1324-150-0x0000000000150000-0x0000000000174000-memory.dmp

Filesize
144KB

Download
memory/4908-138-0x0000000010000000-0x0000000010024000-memory.dmp

Filesize
144KB

Download
memory/4908-139-0x0000000002E10000-0x0000000002E1E000-memory.dmp

Filesize
56KB

Download
memory/4908-142-0x0000000010000000-0x0000000010024000-memory.dmp

Filesize
144KB

Download
memory/4908-144-0x000000005D980000-0x000000005D9D8000-memory.dmp

Filesize
352KB

Download
memory/4908-133-0x0000000010000000-0x0000000010024000-memory.dmp

Filesize
144KB

Download