qakbot | 979e30ec1e402ede4b222830f8f61818b3811acbbc670cf7b8790b2a70444cd0

Analysis

max time kernel
150s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
12-06-2023 19:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

979e30ec1e402ede4b222830f8f61818b3811acbbc670cf7b8790b2a70444cd0.dll
Size

540KB
MD5

f361269dae9fe04123fcf35a99a627fb
SHA1

4b93e061f777368fd71eb979bfc3358a07e7d814
SHA256

979e30ec1e402ede4b222830f8f61818b3811acbbc670cf7b8790b2a70444cd0
SHA512

90930e541617687e4faa2e48f3f9eb6e99b35caad0948e3c2ff2e825557b3efe83e6521d4cd841f8852017b1768c2e7e64431efcaa5cf2d3067109d298188c49
SSDEEP

6144:X4dlVBTQZZ8G0rGyIENIFcmiNt19wJ+rD4bLU/GOMjaoz9VnRVt6YZNS6IO0pD1h:X4dp5GxGIID9sUHkaYhoYZNtIH3i2

Score

10^/10

qakbot bb20 1679552371 banker stealer trojan

Malware Config

Extracted

Family

qakbot

Version

404.476

Botnet

BB20

Campaign

1679552371

86.225.214.138:2222

49.175.72.7:443

99.252.190.205:2222

102.158.63.36:443

92.186.69.229:2222

216.36.153.248:443

72.205.104.134:443

103.140.174.20:2222

98.145.23.67:443

124.246.122.199:2222

223.167.12.241:995

45.50.233.214:443

12.172.173.82:993

95.242.101.251:995

190.199.184.114:2222

2.82.8.80:443

104.35.24.154:443

184.176.35.223:2222

91.2.135.211:995

12.172.173.82:22

Attributes

salt
SoNuce]ugdiB3c[doMuce2s81*uXmcvP

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exewermgr.exe

pid	process
3536	rundll32.exe
3536	rundll32.exe
4876	wermgr.exe
4876	wermgr.exe
4876	wermgr.exe
4876	wermgr.exe
4876	wermgr.exe
4876	wermgr.exe
4876	wermgr.exe
4876	wermgr.exe
4876	wermgr.exe
4876	wermgr.exe
4876	wermgr.exe
4876	wermgr.exe
4876	wermgr.exe
4876	wermgr.exe
4876	wermgr.exe
4876	wermgr.exe
4876	wermgr.exe
4876	wermgr.exe
4876	wermgr.exe
4876	wermgr.exe
4876	wermgr.exe
4876	wermgr.exe
4876	wermgr.exe
4876	wermgr.exe
4876	wermgr.exe
4876	wermgr.exe
4876	wermgr.exe
4876	wermgr.exe
4876	wermgr.exe
4876	wermgr.exe
4876	wermgr.exe
4876	wermgr.exe
4876	wermgr.exe
4876	wermgr.exe
4876	wermgr.exe
4876	wermgr.exe
4876	wermgr.exe
4876	wermgr.exe
4876	wermgr.exe
4876	wermgr.exe
4876	wermgr.exe
4876	wermgr.exe
4876	wermgr.exe
4876	wermgr.exe
4876	wermgr.exe
4876	wermgr.exe
4876	wermgr.exe
4876	wermgr.exe
4876	wermgr.exe
4876	wermgr.exe
4876	wermgr.exe
4876	wermgr.exe
4876	wermgr.exe
4876	wermgr.exe
4876	wermgr.exe
4876	wermgr.exe
4876	wermgr.exe
4876	wermgr.exe
4876	wermgr.exe
4876	wermgr.exe
4876	wermgr.exe
4876	wermgr.exe

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

rundll32.exe

pid process

3536 rundll32.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 4320 wrote to memory of 3536	4320	rundll32.exe	rundll32.exe
PID 4320 wrote to memory of 3536	4320	rundll32.exe	rundll32.exe
PID 4320 wrote to memory of 3536	4320	rundll32.exe	rundll32.exe
PID 3536 wrote to memory of 4876	3536	rundll32.exe	wermgr.exe
PID 3536 wrote to memory of 4876	3536	rundll32.exe	wermgr.exe
PID 3536 wrote to memory of 4876	3536	rundll32.exe	wermgr.exe
PID 3536 wrote to memory of 4876	3536	rundll32.exe	wermgr.exe
PID 3536 wrote to memory of 4876	3536	rundll32.exe	wermgr.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\979e30ec1e402ede4b222830f8f61818b3811acbbc670cf7b8790b2a70444cd0.dll, GL70
1⤵
- Suspicious use of WriteProcessMemory
PID:4320

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\979e30ec1e402ede4b222830f8f61818b3811acbbc670cf7b8790b2a70444cd0.dll, GL70
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3536

C:\Windows\SysWOW64\wermgr.exe
C:\Windows\SysWOW64\wermgr.exe
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:4876

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3536-133-0x00000000008E0000-0x0000000000969000-memory.dmp

Filesize
548KB

Download
memory/3536-134-0x0000000002140000-0x0000000002175000-memory.dmp

Filesize
212KB

Download
memory/3536-135-0x0000000002140000-0x0000000002175000-memory.dmp

Filesize
212KB

Download
memory/3536-136-0x0000000002140000-0x0000000002175000-memory.dmp

Filesize
212KB

Download
memory/4876-137-0x0000000000EA0000-0x0000000000ED5000-memory.dmp

Filesize
212KB

Download
memory/4876-138-0x0000000000EA0000-0x0000000000ED5000-memory.dmp

Filesize
212KB

Download
memory/4876-139-0x0000000000EA0000-0x0000000000ED5000-memory.dmp

Filesize
212KB

Download
memory/4876-140-0x0000000000EA0000-0x0000000000ED5000-memory.dmp

Filesize
212KB

Download
memory/4876-141-0x0000000000EA0000-0x0000000000ED5000-memory.dmp

Filesize
212KB

Download
memory/4876-143-0x0000000000EA0000-0x0000000000ED5000-memory.dmp

Filesize
212KB

Download
memory/4876-145-0x0000000000EA0000-0x0000000000ED5000-memory.dmp

Filesize
212KB

Download