qakbot | 7783fb922abee77ebc12618187fe164cf8beecbedf4e8e91ad08434ccacc929b

Resubmissions

19/04/2023, 15:23

230419-ssstfsbd34 3

19/04/2023, 13:39

230419-qyfd7sag78 10

Analysis

max time kernel
156s
max time network
120s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
19/04/2023, 13:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b0r1sCantMakeUphisMind.dll
Size

977KB
MD5

57a01187097a9f0bc4bbb77a50f9d9f8
SHA1

576463418b6813334b58a0dc19c2aa05bc3cea91
SHA256

7783fb922abee77ebc12618187fe164cf8beecbedf4e8e91ad08434ccacc929b
SHA512

6a7d740e0da849b8ab720e097cc5052ab12af47b2e79687e22edf8cae2115d6bfc9078d9fc4ccc4efe6e8c9703783ae8420ed49a5476f72dbdb3c1173c801bd8
SSDEEP

12288:dIAETyZizswDZr2rnVed8b2NFCKh6RaG7EeDATbURJTdL7K2Lzla:dI3AwDj02Nlh6IG7EeYU7TVW2Lzla

Score

10^/10

qakbot bb24 1681731194 banker stealer trojan

Malware Config

Extracted

Family

qakbot

Version

404.981

Botnet

BB24

Campaign

1681731194

198.2.51.242:993

87.221.196.82:2222

27.109.19.90:2078

125.99.69.178:443

84.216.198.124:6881

82.131.135.172:443

82.11.242.219:443

41.228.47.155:995

114.143.176.235:443

47.21.51.138:443

109.146.76.176:2222

174.4.89.3:443

12.172.173.82:32101

92.27.86.48:2222

79.77.142.22:2222

64.121.161.102:443

70.28.50.223:1194

72.205.104.134:443

49.245.95.124:2222

197.2.225.108:443

Attributes

salt
SoNuce]ugdiB3c[doMuce2s81*uXmcvP

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
3840	ping.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4168	rundll32.exe
4168	rundll32.exe
1420	wermgr.exe
1420	wermgr.exe
1420	wermgr.exe
1420	wermgr.exe
1420	wermgr.exe
1420	wermgr.exe
1420	wermgr.exe
1420	wermgr.exe
1420	wermgr.exe
1420	wermgr.exe
1420	wermgr.exe
1420	wermgr.exe
1420	wermgr.exe
1420	wermgr.exe
1420	wermgr.exe
1420	wermgr.exe
1420	wermgr.exe
1420	wermgr.exe
1420	wermgr.exe
1420	wermgr.exe
1420	wermgr.exe
1420	wermgr.exe
1420	wermgr.exe
1420	wermgr.exe
1420	wermgr.exe
1420	wermgr.exe
1420	wermgr.exe
1420	wermgr.exe
1420	wermgr.exe
1420	wermgr.exe
1420	wermgr.exe
1420	wermgr.exe
1420	wermgr.exe
1420	wermgr.exe
1420	wermgr.exe
1420	wermgr.exe
1420	wermgr.exe
1420	wermgr.exe
1420	wermgr.exe
1420	wermgr.exe
1420	wermgr.exe
1420	wermgr.exe
1420	wermgr.exe
1420	wermgr.exe
1420	wermgr.exe
1420	wermgr.exe
1420	wermgr.exe
1420	wermgr.exe
1420	wermgr.exe
1420	wermgr.exe
1420	wermgr.exe
1420	wermgr.exe
1420	wermgr.exe
1420	wermgr.exe
1420	wermgr.exe
1420	wermgr.exe
1420	wermgr.exe
1420	wermgr.exe
1420	wermgr.exe
1420	wermgr.exe
1420	wermgr.exe
1420	wermgr.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
4168	rundll32.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 1784 wrote to memory of 4168	1784	rundll32.exe	83
PID 1784 wrote to memory of 4168	1784	rundll32.exe	83
PID 1784 wrote to memory of 4168	1784	rundll32.exe	83
PID 4168 wrote to memory of 1420	4168	rundll32.exe	84
PID 4168 wrote to memory of 1420	4168	rundll32.exe	84
PID 4168 wrote to memory of 1420	4168	rundll32.exe	84
PID 4168 wrote to memory of 1420	4168	rundll32.exe	84
PID 4168 wrote to memory of 1420	4168	rundll32.exe	84
PID 1420 wrote to memory of 3840	1420	wermgr.exe	85
PID 1420 wrote to memory of 3840	1420	wermgr.exe	85
PID 1420 wrote to memory of 3840	1420	wermgr.exe	85

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\b0r1sCantMakeUphisMind.dll,Motd
1⤵
- Suspicious use of WriteProcessMemory
PID:1784
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\b0r1sCantMakeUphisMind.dll,Motd
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:4168
- - C:\Windows\SysWOW64\wermgr.exe
    C:\Windows\SysWOW64\wermgr.exe
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1420
  - - C:\Windows\SysWOW64\ping.exe
      ping -n 3 yahoo.com
      4⤵
      Runs ping.exe
      PID:3840

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1420-146-0x0000000001040000-0x0000000001064000-memory.dmp

Filesize
144KB

Download
memory/1420-149-0x0000000001040000-0x0000000001064000-memory.dmp

Filesize
144KB

Download
memory/1420-151-0x0000000001040000-0x0000000001064000-memory.dmp

Filesize
144KB

Download
memory/1420-140-0x0000000001040000-0x0000000001064000-memory.dmp

Filesize
144KB

Download
memory/1420-141-0x0000000001040000-0x0000000001064000-memory.dmp

Filesize
144KB

Download
memory/1420-143-0x0000000001040000-0x0000000001064000-memory.dmp

Filesize
144KB

Download
memory/1420-145-0x0000000001040000-0x0000000001064000-memory.dmp

Filesize
144KB

Download
memory/1420-144-0x0000000001040000-0x0000000001064000-memory.dmp

Filesize
144KB

Download
memory/1420-148-0x0000000001040000-0x0000000001064000-memory.dmp

Filesize
144KB

Download
memory/1420-147-0x0000000001040000-0x0000000001064000-memory.dmp

Filesize
144KB

Download
memory/4168-133-0x0000000000E50000-0x0000000000E53000-memory.dmp

Filesize
12KB

Download
memory/4168-134-0x00000000027B0000-0x00000000027D4000-memory.dmp

Filesize
144KB

Download
memory/4168-142-0x00000000027B0000-0x00000000027D4000-memory.dmp

Filesize
144KB

Download
memory/4168-139-0x00000000027B0000-0x00000000027D4000-memory.dmp

Filesize
144KB

Download