qakbot | 41da9355b1137296861187c51515f019cb358ce493136c54a60d1c1d8bf98ed9

Analysis

max time kernel
150s
max time network
33s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
12-06-2023 18:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

41da9355b1137296861187c51515f019cb358ce493136c54a60d1c1d8bf98ed9.dll
Size

1.1MB
MD5

fde3e9bb6886fcf55a2c6e13f87967b8
SHA1

706f36fcc8e4c40da57092c0d22ed8d047b3399a
SHA256

41da9355b1137296861187c51515f019cb358ce493136c54a60d1c1d8bf98ed9
SHA512

3106864317600d3424e18d062d069e60d4d48c3d0a05cd8ee5d4c632d02a07a00ab5236aa68c8bfb978d8cdf6a4ba7193a3044e23edc22dedd3cd18c2d544f09
SSDEEP

24576:N/QKBLJ2TutS+yAFHBdfuwufXJFeZahuC9T6r57hoYNtwj:eRgqLMZc9TY57Oetwj

Score

10^/10

qakbot bb20 1679552371 banker stealer trojan

Malware Config

Extracted

Family

qakbot

Version

404.476

Botnet

BB20

Campaign

1679552371

86.225.214.138:2222

49.175.72.7:443

99.252.190.205:2222

102.158.63.36:443

92.186.69.229:2222

216.36.153.248:443

72.205.104.134:443

103.140.174.20:2222

98.145.23.67:443

124.246.122.199:2222

223.167.12.241:995

45.50.233.214:443

12.172.173.82:993

95.242.101.251:995

190.199.184.114:2222

2.82.8.80:443

104.35.24.154:443

184.176.35.223:2222

91.2.135.211:995

12.172.173.82:22

Attributes

salt
SoNuce]ugdiB3c[doMuce2s81*uXmcvP

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exewermgr.exe

pid	process
2004	rundll32.exe
588	wermgr.exe
588	wermgr.exe
588	wermgr.exe
588	wermgr.exe
588	wermgr.exe
588	wermgr.exe
588	wermgr.exe
588	wermgr.exe
588	wermgr.exe
588	wermgr.exe
588	wermgr.exe
588	wermgr.exe
588	wermgr.exe
588	wermgr.exe
588	wermgr.exe
588	wermgr.exe
588	wermgr.exe
588	wermgr.exe
588	wermgr.exe
588	wermgr.exe
588	wermgr.exe
588	wermgr.exe
588	wermgr.exe
588	wermgr.exe
588	wermgr.exe
588	wermgr.exe
588	wermgr.exe
588	wermgr.exe
588	wermgr.exe
588	wermgr.exe
588	wermgr.exe
588	wermgr.exe
588	wermgr.exe
588	wermgr.exe
588	wermgr.exe
588	wermgr.exe
588	wermgr.exe
588	wermgr.exe
588	wermgr.exe
588	wermgr.exe
588	wermgr.exe
588	wermgr.exe
588	wermgr.exe
588	wermgr.exe
588	wermgr.exe
588	wermgr.exe
588	wermgr.exe
588	wermgr.exe
588	wermgr.exe
588	wermgr.exe
588	wermgr.exe
588	wermgr.exe
588	wermgr.exe
588	wermgr.exe
588	wermgr.exe
588	wermgr.exe
588	wermgr.exe
588	wermgr.exe
588	wermgr.exe
588	wermgr.exe
588	wermgr.exe
588	wermgr.exe
588	wermgr.exe

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

rundll32.exe

pid process

2004 rundll32.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 1232 wrote to memory of 2004	1232	rundll32.exe	rundll32.exe
PID 1232 wrote to memory of 2004	1232	rundll32.exe	rundll32.exe
PID 1232 wrote to memory of 2004	1232	rundll32.exe	rundll32.exe
PID 1232 wrote to memory of 2004	1232	rundll32.exe	rundll32.exe
PID 1232 wrote to memory of 2004	1232	rundll32.exe	rundll32.exe
PID 1232 wrote to memory of 2004	1232	rundll32.exe	rundll32.exe
PID 1232 wrote to memory of 2004	1232	rundll32.exe	rundll32.exe
PID 2004 wrote to memory of 588	2004	rundll32.exe	wermgr.exe
PID 2004 wrote to memory of 588	2004	rundll32.exe	wermgr.exe
PID 2004 wrote to memory of 588	2004	rundll32.exe	wermgr.exe
PID 2004 wrote to memory of 588	2004	rundll32.exe	wermgr.exe
PID 2004 wrote to memory of 588	2004	rundll32.exe	wermgr.exe
PID 2004 wrote to memory of 588	2004	rundll32.exe	wermgr.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\41da9355b1137296861187c51515f019cb358ce493136c54a60d1c1d8bf98ed9.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1232

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\41da9355b1137296861187c51515f019cb358ce493136c54a60d1c1d8bf98ed9.dll,#1
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2004

C:\Windows\SysWOW64\wermgr.exe
C:\Windows\SysWOW64\wermgr.exe
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:588

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/588-63-0x00000000000C0000-0x00000000000F5000-memory.dmp

Filesize
212KB

Download
memory/588-57-0x0000000000100000-0x0000000000102000-memory.dmp

Filesize
8KB

Download
memory/588-59-0x00000000000C0000-0x00000000000F5000-memory.dmp

Filesize
212KB

Download
memory/588-61-0x00000000000C0000-0x00000000000F5000-memory.dmp

Filesize
212KB

Download
memory/588-62-0x00000000000C0000-0x00000000000F5000-memory.dmp

Filesize
212KB

Download
memory/588-64-0x00000000000C0000-0x00000000000F5000-memory.dmp

Filesize
212KB

Download
memory/588-65-0x00000000000C0000-0x00000000000F5000-memory.dmp

Filesize
212KB

Download
memory/588-67-0x00000000000C0000-0x00000000000F5000-memory.dmp

Filesize
212KB

Download
memory/2004-55-0x0000000010000000-0x0000000010121000-memory.dmp

Filesize
1.1MB

Download
memory/2004-56-0x0000000000870000-0x00000000008A5000-memory.dmp

Filesize
212KB

Download
memory/2004-58-0x0000000000870000-0x00000000008A5000-memory.dmp

Filesize
212KB

Download
memory/2004-60-0x0000000010000000-0x0000000010121000-memory.dmp

Filesize
1.1MB

Download
memory/2004-54-0x0000000000870000-0x00000000008A5000-memory.dmp

Filesize
212KB

Download