qakbot | 2ed6e7ec16e2a65459d4d77a0f06c8f757d03969a0dd640932c2f90507952baf

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
16/05/2023, 02:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

aeaTJIW6xt.dll
Size

358KB
MD5

386029008d6aa807e1a6ce146737dd36
SHA1

5b2ed6b356cd4faf46a68a4824c411abfc4834de
SHA256

2ed6e7ec16e2a65459d4d77a0f06c8f757d03969a0dd640932c2f90507952baf
SHA512

86d2891b600f8dd267ce48bec8bb397779cb09d8d77783a48c992df7dd250870f8ee8625e26bf0aecad6adc1173b9a671b86604448730b858cb39c0f2ddbfce9
SSDEEP

6144:a/D0Hb7UDqr1yb1tux77q/Mt12SF7GhUdHMGMIvHQgx77QxxgHb9VnpTBJjT8UZu:oD0Hb7L1yb1tux77q/MW6uIvwO77cgH

Score

10^/10

qakbot obama263 1684141535 banker stealer trojan

Malware Config

Extracted

Family

qakbot

Version

404.1038

Botnet

obama263

Campaign

1684141535

103.140.174.20:2222

91.75.114.200:443

102.156.218.92:443

91.2.143.185:995

90.165.109.4:2222

85.152.152.46:443

182.185.181.202:995

65.190.242.244:443

122.186.210.254:443

58.162.223.233:443

98.145.23.67:443

41.186.88.38:443

139.226.47.229:995

12.172.173.82:993

197.148.17.17:2078

43.243.215.210:443

178.152.124.169:443

50.68.204.71:443

217.165.234.249:443

116.74.164.93:443

Attributes

salt
SoNuce]ugdiB3c[doMuce2s81*uXmcvP

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%AppData%\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell.lnk	PowerShell.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4832	1172	WerFault.exe	83

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2248	ping.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4968	PowerShell.exe
4968	PowerShell.exe
4968	PowerShell.exe
372	rundll32.exe
372	rundll32.exe
3116	wermgr.exe
3116	wermgr.exe
3116	wermgr.exe
3116	wermgr.exe
3116	wermgr.exe
3116	wermgr.exe
3116	wermgr.exe
3116	wermgr.exe
3116	wermgr.exe
3116	wermgr.exe
3116	wermgr.exe
3116	wermgr.exe
3116	wermgr.exe
3116	wermgr.exe
3116	wermgr.exe
3116	wermgr.exe
3116	wermgr.exe
3116	wermgr.exe
3116	wermgr.exe
3116	wermgr.exe
3116	wermgr.exe
3116	wermgr.exe
3116	wermgr.exe
3116	wermgr.exe
3116	wermgr.exe
3116	wermgr.exe
3116	wermgr.exe
3116	wermgr.exe
3116	wermgr.exe
3116	wermgr.exe
3116	wermgr.exe
3116	wermgr.exe
3116	wermgr.exe
3116	wermgr.exe
3116	wermgr.exe
3116	wermgr.exe
3116	wermgr.exe
3116	wermgr.exe
3116	wermgr.exe
3116	wermgr.exe
3116	wermgr.exe
3116	wermgr.exe
3116	wermgr.exe
3116	wermgr.exe
3116	wermgr.exe
3116	wermgr.exe
3116	wermgr.exe
3116	wermgr.exe
3116	wermgr.exe
3116	wermgr.exe
3116	wermgr.exe
3116	wermgr.exe
3116	wermgr.exe
3116	wermgr.exe
3116	wermgr.exe
3116	wermgr.exe
3116	wermgr.exe
3116	wermgr.exe
3116	wermgr.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
372	rundll32.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4968	PowerShell.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 4968 wrote to memory of 1172	4968	rundll32.exe	83
PID 4968 wrote to memory of 1172	4968	rundll32.exe	83
PID 4968 wrote to memory of 1172	4968	rundll32.exe	83
PID 4968 wrote to memory of 4752	4968	PowerShell.exe	101
PID 4968 wrote to memory of 4752	4968	PowerShell.exe	101
PID 4752 wrote to memory of 372	4752	rundll32.exe	102
PID 4752 wrote to memory of 372	4752	rundll32.exe	102
PID 4752 wrote to memory of 372	4752	rundll32.exe	102
PID 372 wrote to memory of 3116	372	rundll32.exe	103
PID 372 wrote to memory of 3116	372	rundll32.exe	103
PID 372 wrote to memory of 3116	372	rundll32.exe	103
PID 372 wrote to memory of 3116	372	rundll32.exe	103
PID 372 wrote to memory of 3116	372	rundll32.exe	103
PID 3116 wrote to memory of 2248	3116	wermgr.exe	104
PID 3116 wrote to memory of 2248	3116	wermgr.exe	104
PID 3116 wrote to memory of 2248	3116	wermgr.exe	104

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\aeaTJIW6xt.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4968
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\aeaTJIW6xt.dll,#1
  2⤵
  PID:1172
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1172 -s 600
    3⤵
    - Program crash
    PID:4832

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1172 -ip 1172
1⤵
PID:1484

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2492

C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe
"PowerShell.exe" -noexit -command Set-Location -literalPath 'C:\Users\Admin\AppData\Local\Temp'
1⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4968
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" .\aeaTJIW6xt.dll,print
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4752
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\system32\rundll32.exe" .\aeaTJIW6xt.dll,print
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:372
  - - C:\Windows\SysWOW64\wermgr.exe
      C:\Windows\SysWOW64\wermgr.exe
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:3116
    - - C:\Windows\SysWOW64\ping.exe
        
        ping -n 3 yahoo.com
        5⤵
        Runs ping.exe
        
        PID:2248

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_midu5mpw.y1e.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/372-155-0x0000000002A50000-0x0000000002A53000-memory.dmp

Filesize
12KB

Download
memory/372-156-0x0000000010000000-0x0000000010024000-memory.dmp

Filesize
144KB

Download
memory/3116-170-0x0000000000570000-0x0000000000594000-memory.dmp

Filesize
144KB

Download
memory/3116-168-0x0000000000570000-0x0000000000594000-memory.dmp

Filesize
144KB

Download
memory/3116-167-0x0000000000570000-0x0000000000594000-memory.dmp

Filesize
144KB

Download
memory/3116-166-0x0000000000570000-0x0000000000594000-memory.dmp

Filesize
144KB

Download
memory/3116-165-0x0000000000570000-0x0000000000594000-memory.dmp

Filesize
144KB

Download
memory/3116-164-0x0000000000570000-0x0000000000594000-memory.dmp

Filesize
144KB

Download
memory/3116-163-0x0000000000570000-0x0000000000594000-memory.dmp

Filesize
144KB

Download
memory/3116-162-0x0000000000570000-0x0000000000594000-memory.dmp

Filesize
144KB

Download
memory/4968-148-0x0000013BECE70000-0x0000013BECE80000-memory.dmp

Filesize
64KB

Download
memory/4968-153-0x0000013BECE70000-0x0000013BECE80000-memory.dmp

Filesize
64KB

Download
memory/4968-152-0x0000013BECE70000-0x0000013BECE80000-memory.dmp

Filesize
64KB

Download
memory/4968-151-0x0000013BECE70000-0x0000013BECE80000-memory.dmp

Filesize
64KB

Download
memory/4968-150-0x0000013BECE50000-0x0000013BECE6E000-memory.dmp

Filesize
120KB

Download
memory/4968-149-0x0000013BED390000-0x0000013BED406000-memory.dmp

Filesize
472KB

Download
memory/4968-140-0x0000013BECD90000-0x0000013BECDB2000-memory.dmp

Filesize
136KB

Download
memory/4968-147-0x0000013BECE70000-0x0000013BECE80000-memory.dmp

Filesize
64KB

Download
memory/4968-146-0x0000013BECE70000-0x0000013BECE80000-memory.dmp

Filesize
64KB

Download
memory/4968-145-0x0000013BED2C0000-0x0000013BED304000-memory.dmp

Filesize
272KB

Download