qakbot | 7783fb922abee77ebc12618187fe164cf8beecbedf4e8e91ad08434ccacc929b

Resubmissions

19/04/2023, 15:23

230419-ssstfsbd34 3

19/04/2023, 13:39

230419-qyfd7sag78 10

Analysis

max time kernel
150s
max time network
33s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
19/04/2023, 13:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b0r1sCantMakeUphisMind.dll
Size

977KB
MD5

57a01187097a9f0bc4bbb77a50f9d9f8
SHA1

576463418b6813334b58a0dc19c2aa05bc3cea91
SHA256

7783fb922abee77ebc12618187fe164cf8beecbedf4e8e91ad08434ccacc929b
SHA512

6a7d740e0da849b8ab720e097cc5052ab12af47b2e79687e22edf8cae2115d6bfc9078d9fc4ccc4efe6e8c9703783ae8420ed49a5476f72dbdb3c1173c801bd8
SSDEEP

12288:dIAETyZizswDZr2rnVed8b2NFCKh6RaG7EeDATbURJTdL7K2Lzla:dI3AwDj02Nlh6IG7EeYU7TVW2Lzla

Score

10^/10

qakbot bb24 1681731194 banker stealer trojan

Malware Config

Extracted

Family

qakbot

Version

404.981

Botnet

BB24

Campaign

1681731194

198.2.51.242:993

87.221.196.82:2222

27.109.19.90:2078

125.99.69.178:443

84.216.198.124:6881

82.131.135.172:443

82.11.242.219:443

41.228.47.155:995

114.143.176.235:443

47.21.51.138:443

109.146.76.176:2222

174.4.89.3:443

12.172.173.82:32101

92.27.86.48:2222

79.77.142.22:2222

64.121.161.102:443

70.28.50.223:1194

72.205.104.134:443

49.245.95.124:2222

197.2.225.108:443

Attributes

salt
SoNuce]ugdiB3c[doMuce2s81*uXmcvP

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
580	ping.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1332	rundll32.exe
1480	wermgr.exe
1480	wermgr.exe
1480	wermgr.exe
1480	wermgr.exe
1480	wermgr.exe
1480	wermgr.exe
1480	wermgr.exe
1480	wermgr.exe
1480	wermgr.exe
1480	wermgr.exe
1480	wermgr.exe
1480	wermgr.exe
1480	wermgr.exe
1480	wermgr.exe
1480	wermgr.exe
1480	wermgr.exe
1480	wermgr.exe
1480	wermgr.exe
1480	wermgr.exe
1480	wermgr.exe
1480	wermgr.exe
1480	wermgr.exe
1480	wermgr.exe
1480	wermgr.exe
1480	wermgr.exe
1480	wermgr.exe
1480	wermgr.exe
1480	wermgr.exe
1480	wermgr.exe
1480	wermgr.exe
1480	wermgr.exe
1480	wermgr.exe
1480	wermgr.exe
1480	wermgr.exe
1480	wermgr.exe
1480	wermgr.exe
1480	wermgr.exe
1480	wermgr.exe
1480	wermgr.exe
1480	wermgr.exe
1480	wermgr.exe
1480	wermgr.exe
1480	wermgr.exe
1480	wermgr.exe
1480	wermgr.exe
1480	wermgr.exe
1480	wermgr.exe
1480	wermgr.exe
1480	wermgr.exe
1480	wermgr.exe
1480	wermgr.exe
1480	wermgr.exe
1480	wermgr.exe
1480	wermgr.exe
1480	wermgr.exe
1480	wermgr.exe
1480	wermgr.exe
1480	wermgr.exe
1480	wermgr.exe
1480	wermgr.exe
1480	wermgr.exe
1480	wermgr.exe
1480	wermgr.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
1332	rundll32.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 1156 wrote to memory of 1332	1156	rundll32.exe	28
PID 1156 wrote to memory of 1332	1156	rundll32.exe	28
PID 1156 wrote to memory of 1332	1156	rundll32.exe	28
PID 1156 wrote to memory of 1332	1156	rundll32.exe	28
PID 1156 wrote to memory of 1332	1156	rundll32.exe	28
PID 1156 wrote to memory of 1332	1156	rundll32.exe	28
PID 1156 wrote to memory of 1332	1156	rundll32.exe	28
PID 1332 wrote to memory of 1480	1332	rundll32.exe	29
PID 1332 wrote to memory of 1480	1332	rundll32.exe	29
PID 1332 wrote to memory of 1480	1332	rundll32.exe	29
PID 1332 wrote to memory of 1480	1332	rundll32.exe	29
PID 1332 wrote to memory of 1480	1332	rundll32.exe	29
PID 1332 wrote to memory of 1480	1332	rundll32.exe	29
PID 1480 wrote to memory of 580	1480	wermgr.exe	30
PID 1480 wrote to memory of 580	1480	wermgr.exe	30
PID 1480 wrote to memory of 580	1480	wermgr.exe	30
PID 1480 wrote to memory of 580	1480	wermgr.exe	30

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\b0r1sCantMakeUphisMind.dll,Motd
1⤵
- Suspicious use of WriteProcessMemory
PID:1156
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\b0r1sCantMakeUphisMind.dll,Motd
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:1332
- - C:\Windows\SysWOW64\wermgr.exe
    C:\Windows\SysWOW64\wermgr.exe
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1480
  - - C:\Windows\SysWOW64\ping.exe
      ping -n 3 yahoo.com
      4⤵
      Runs ping.exe
      PID:580

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1332-64-0x0000000000230000-0x0000000000254000-memory.dmp

Filesize
144KB

Download
memory/1332-55-0x0000000000230000-0x0000000000254000-memory.dmp

Filesize
144KB

Download
memory/1332-60-0x0000000000230000-0x0000000000254000-memory.dmp

Filesize
144KB

Download
memory/1332-54-0x0000000000170000-0x0000000000173000-memory.dmp

Filesize
12KB

Download
memory/1480-61-0x00000000000C0000-0x00000000000C2000-memory.dmp

Filesize
8KB

Download
memory/1480-63-0x0000000000080000-0x00000000000A4000-memory.dmp

Filesize
144KB

Download
memory/1480-62-0x0000000000080000-0x00000000000A4000-memory.dmp

Filesize
144KB

Download
memory/1480-65-0x0000000000080000-0x00000000000A4000-memory.dmp

Filesize
144KB

Download
memory/1480-66-0x0000000000080000-0x00000000000A4000-memory.dmp

Filesize
144KB

Download
memory/1480-67-0x0000000000080000-0x00000000000A4000-memory.dmp

Filesize
144KB

Download
memory/1480-68-0x0000000000080000-0x00000000000A4000-memory.dmp

Filesize
144KB

Download
memory/1480-69-0x0000000000080000-0x00000000000A4000-memory.dmp

Filesize
144KB

Download
memory/1480-71-0x0000000000080000-0x00000000000A4000-memory.dmp

Filesize
144KB

Download