qakbot | 81e49a38bf964c207c561656295ec4d349c40239342fa59ed761cb4efad9490d

Analysis

max time kernel
79s
max time network
34s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
16/06/2023, 11:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4000hz.dll
Size

1.2MB
MD5

3106a030a6f3083be7e5809727687e4b
SHA1

dcf81a4b10c7d6122fc68253172fef4cf59aebbf
SHA256

81e49a38bf964c207c561656295ec4d349c40239342fa59ed761cb4efad9490d
SHA512

395e086eb3dee1823c2dc2a608bde147387185a889207212c3c9cc29d092ac623ea572c83753deb52d581bfabc3e354a263474a8e2b5669ea4b4b1741eef297a
SSDEEP

24576:KGSbIuGSom9C0k1HH1cqj06uPi2bro8nuuDYmc1WpFgiYnGn6AW:Kf8r9W01Gn6

Score

10^/10

qakbot bb32 1686908761 banker stealer trojan

Malware Config

Extracted

Family

qakbot

Version

404.1374

Botnet

BB32

Campaign

1686908761

86.176.144.175:2222

86.248.228.57:2078

88.171.156.150:50000

183.87.163.165:443

45.201.208.87:443

74.12.147.205:2222

96.87.28.170:2222

70.28.50.223:32100

220.79.238.82:443

12.172.173.82:995

45.2.61.134:3389

70.160.67.203:443

103.141.50.45:995

88.126.94.4:50000

70.28.50.223:3389

142.181.206.222:2222

51.37.181.9:443

223.166.13.95:995

162.248.14.107:443

95.45.50.93:2222

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot

Suspicious behavior: EnumeratesProcesses 38 IoCs

pid	Process
1168	rundll32.exe
864	wermgr.exe
864	wermgr.exe
864	wermgr.exe
864	wermgr.exe
864	wermgr.exe
864	wermgr.exe
864	wermgr.exe
864	wermgr.exe
864	wermgr.exe
864	wermgr.exe
864	wermgr.exe
864	wermgr.exe
864	wermgr.exe
864	wermgr.exe
864	wermgr.exe
864	wermgr.exe
864	wermgr.exe
864	wermgr.exe
864	wermgr.exe
864	wermgr.exe
864	wermgr.exe
864	wermgr.exe
864	wermgr.exe
864	wermgr.exe
864	wermgr.exe
864	wermgr.exe
864	wermgr.exe
864	wermgr.exe
864	wermgr.exe
864	wermgr.exe
864	wermgr.exe
864	wermgr.exe
864	wermgr.exe
864	wermgr.exe
864	wermgr.exe
864	wermgr.exe
864	wermgr.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2044 wrote to memory of 1168	2044	rundll32.exe	28
PID 2044 wrote to memory of 1168	2044	rundll32.exe	28
PID 2044 wrote to memory of 1168	2044	rundll32.exe	28
PID 2044 wrote to memory of 1168	2044	rundll32.exe	28
PID 2044 wrote to memory of 1168	2044	rundll32.exe	28
PID 2044 wrote to memory of 1168	2044	rundll32.exe	28
PID 2044 wrote to memory of 1168	2044	rundll32.exe	28
PID 1168 wrote to memory of 864	1168	rundll32.exe	29
PID 1168 wrote to memory of 864	1168	rundll32.exe	29
PID 1168 wrote to memory of 864	1168	rundll32.exe	29
PID 1168 wrote to memory of 864	1168	rundll32.exe	29
PID 1168 wrote to memory of 864	1168	rundll32.exe	29
PID 1168 wrote to memory of 864	1168	rundll32.exe	29
PID 1168 wrote to memory of 864	1168	rundll32.exe	29

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\4000hz.dll,must
1⤵
- Suspicious use of WriteProcessMemory
PID:2044
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\4000hz.dll,must
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1168
- - C:\Windows\SysWOW64\wermgr.exe
    C:\Windows\SysWOW64\wermgr.exe
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:864

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/864-61-0x00000000000C0000-0x00000000000E4000-memory.dmp

Filesize
144KB

Download
memory/864-60-0x00000000000F0000-0x00000000000F2000-memory.dmp

Filesize
8KB

Download
memory/864-67-0x00000000000C0000-0x00000000000E4000-memory.dmp

Filesize
144KB

Download
memory/864-68-0x00000000000C0000-0x00000000000E4000-memory.dmp

Filesize
144KB

Download
memory/864-69-0x00000000000C0000-0x00000000000E4000-memory.dmp

Filesize
144KB

Download
memory/864-70-0x00000000000C0000-0x00000000000E4000-memory.dmp

Filesize
144KB

Download
memory/864-71-0x00000000000C0000-0x00000000000E4000-memory.dmp

Filesize
144KB

Download
memory/1168-54-0x0000000000180000-0x0000000000183000-memory.dmp

Filesize
12KB

Download
memory/1168-55-0x00000000001F0000-0x0000000000214000-memory.dmp

Filesize
144KB

Download