qakbot | 380b8a70cef9604929177aa519ab7f02658648bde02892aa107e123764df8d54

Analysis

max time kernel
151s
max time network
43s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
11/05/2023, 18:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

beautydomPorrigo.Reargument.dll
Size

633KB
MD5

f06a54b8549fec8b988da37e049fa23e
SHA1

89f7eb1aea54573834a37c45617848c7ca721a56
SHA256

380b8a70cef9604929177aa519ab7f02658648bde02892aa107e123764df8d54
SHA512

98f38fbfd74726a24926b9b204aa77001bfa753781b608f330aae9247f39fc9836ad8e075a230beeccfbdc153964c3b57f8290a47a11a16ab183e3239a5f3a22
SSDEEP

12288:qzbDRgCdJy+vKjt/hp2JIdK6DOAj/di+I/dzAwuFQ5fC:qXVgoy+YdbKh6DOAjVi6wuFQ5fC

Score

10^/10

qakbot bb27 1683811051 banker stealer trojan

Malware Config

Extracted

Family

qakbot

Version

404.1038

Botnet

BB27

Campaign

1683811051

113.11.92.30:443

86.130.9.208:2222

27.109.19.90:2078

70.28.50.223:32100

89.129.109.27:2222

12.172.173.82:21

70.28.50.223:2087

200.93.26.107:2222

50.68.204.71:993

12.172.173.82:32101

173.88.135.179:443

70.28.50.223:3389

86.99.48.130:2222

67.219.197.94:443

76.64.99.251:2222

86.250.12.86:2222

136.35.241.159:443

69.157.243.204:2222

216.36.153.248:443

173.176.4.133:443

Attributes

salt
SoNuce]ugdiB3c[doMuce2s81*uXmcvP

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
320	ping.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1376	rundll32.exe
1160	wermgr.exe
1160	wermgr.exe
1160	wermgr.exe
1160	wermgr.exe
1160	wermgr.exe
1160	wermgr.exe
1160	wermgr.exe
1160	wermgr.exe
1160	wermgr.exe
1160	wermgr.exe
1160	wermgr.exe
1160	wermgr.exe
1160	wermgr.exe
1160	wermgr.exe
1160	wermgr.exe
1160	wermgr.exe
1160	wermgr.exe
1160	wermgr.exe
1160	wermgr.exe
1160	wermgr.exe
1160	wermgr.exe
1160	wermgr.exe
1160	wermgr.exe
1160	wermgr.exe
1160	wermgr.exe
1160	wermgr.exe
1160	wermgr.exe
1160	wermgr.exe
1160	wermgr.exe
1160	wermgr.exe
1160	wermgr.exe
1160	wermgr.exe
1160	wermgr.exe
1160	wermgr.exe
1160	wermgr.exe
1160	wermgr.exe
1160	wermgr.exe
1160	wermgr.exe
1160	wermgr.exe
1160	wermgr.exe
1160	wermgr.exe
1160	wermgr.exe
1160	wermgr.exe
1160	wermgr.exe
1160	wermgr.exe
1160	wermgr.exe
1160	wermgr.exe
1160	wermgr.exe
1160	wermgr.exe
1160	wermgr.exe
1160	wermgr.exe
1160	wermgr.exe
1160	wermgr.exe
1160	wermgr.exe
1160	wermgr.exe
1160	wermgr.exe
1160	wermgr.exe
1160	wermgr.exe
1160	wermgr.exe
1160	wermgr.exe
1160	wermgr.exe
1160	wermgr.exe
1160	wermgr.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
1376	rundll32.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 1132 wrote to memory of 1376	1132	rundll32.exe	28
PID 1132 wrote to memory of 1376	1132	rundll32.exe	28
PID 1132 wrote to memory of 1376	1132	rundll32.exe	28
PID 1132 wrote to memory of 1376	1132	rundll32.exe	28
PID 1132 wrote to memory of 1376	1132	rundll32.exe	28
PID 1132 wrote to memory of 1376	1132	rundll32.exe	28
PID 1132 wrote to memory of 1376	1132	rundll32.exe	28
PID 1376 wrote to memory of 1160	1376	rundll32.exe	29
PID 1376 wrote to memory of 1160	1376	rundll32.exe	29
PID 1376 wrote to memory of 1160	1376	rundll32.exe	29
PID 1376 wrote to memory of 1160	1376	rundll32.exe	29
PID 1376 wrote to memory of 1160	1376	rundll32.exe	29
PID 1376 wrote to memory of 1160	1376	rundll32.exe	29
PID 1160 wrote to memory of 320	1160	wermgr.exe	30
PID 1160 wrote to memory of 320	1160	wermgr.exe	30
PID 1160 wrote to memory of 320	1160	wermgr.exe	30
PID 1160 wrote to memory of 320	1160	wermgr.exe	30

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\beautydomPorrigo.Reargument.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1132
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\beautydomPorrigo.Reargument.dll,#1
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:1376
- - C:\Windows\SysWOW64\wermgr.exe
    C:\Windows\SysWOW64\wermgr.exe
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1160
  - - C:\Windows\SysWOW64\ping.exe
      ping -n 3 yahoo.com
      4⤵
      Runs ping.exe
      PID:320

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1160-63-0x0000000000080000-0x0000000000082000-memory.dmp

Filesize
8KB

Download
memory/1160-72-0x00000000000D0000-0x00000000000F4000-memory.dmp

Filesize
144KB

Download
memory/1160-71-0x00000000000D0000-0x00000000000F4000-memory.dmp

Filesize
144KB

Download
memory/1160-70-0x00000000000D0000-0x00000000000F4000-memory.dmp

Filesize
144KB

Download
memory/1160-69-0x00000000000D0000-0x00000000000F4000-memory.dmp

Filesize
144KB

Download
memory/1160-67-0x00000000000D0000-0x00000000000F4000-memory.dmp

Filesize
144KB

Download
memory/1160-65-0x00000000000D0000-0x00000000000F4000-memory.dmp

Filesize
144KB

Download
memory/1160-64-0x00000000000D0000-0x00000000000F4000-memory.dmp

Filesize
144KB

Download
memory/1376-57-0x00000000002E0000-0x0000000000304000-memory.dmp

Filesize
144KB

Download
memory/1376-61-0x00000000007B0000-0x0000000000851000-memory.dmp

Filesize
644KB

Download
memory/1376-60-0x00000000002E0000-0x0000000000304000-memory.dmp

Filesize
144KB

Download
memory/1376-59-0x0000000000180000-0x00000000001A3000-memory.dmp

Filesize
140KB

Download
memory/1376-68-0x00000000002E0000-0x0000000000304000-memory.dmp

Filesize
144KB

Download
memory/1376-54-0x00000000007B0000-0x0000000000851000-memory.dmp

Filesize
644KB

Download
memory/1376-58-0x00000000002E0000-0x0000000000304000-memory.dmp

Filesize
144KB

Download
memory/1376-56-0x00000000002E0000-0x0000000000304000-memory.dmp

Filesize
144KB

Download
memory/1376-55-0x00000000000B0000-0x00000000000B1000-memory.dmp

Filesize
4KB

Download