qakbot | 1d10649bc628e0f03f3a7768f9621570e82dbf6613a748c31616cac545d56ad7

Analysis

max time kernel
120s
max time network
142s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
19-12-2023 21:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a92ce7d7c8435e9f8d364ce3b98e725a.dll
Size

885KB
MD5

a92ce7d7c8435e9f8d364ce3b98e725a
SHA1

f4b36539b99d64e53ca37e0188f0f96f9aed2947
SHA256

1d10649bc628e0f03f3a7768f9621570e82dbf6613a748c31616cac545d56ad7
SHA512

7f208f9c5232184247af65c4f2c4201e1078edeb69919801206139e5babc2b18578a4ba50f4c9bd9b884e1b0f521c0b30c700494ab7b474f794a1c5c6d65aeda
SSDEEP

24576:2pj/R8I3y6ImvJUv0LUwghKna10N3dH3K:O/KWghQH6

Score

10^/10

qakbot tr 1632730751 banker stealer trojan

Malware Config

Extracted

Family

qakbot

Version

402.343

Botnet

Campaign

1632730751

95.77.223.148:443

47.22.148.6:443

89.101.97.139:443

27.223.92.142:995

120.151.47.189:443

136.232.34.70:443

120.150.218.241:995

185.250.148.74:443

181.118.183.94:443

140.82.49.12:443

67.165.206.193:993

103.148.120.144:443

71.74.12.34:443

76.25.142.196:443

73.151.236.31:443

173.21.10.71:2222

75.188.35.168:443

2.178.88.145:61202

71.80.168.245:443

45.46.53.140:2222

Attributes

salt
jHxastDcds)oMc=jvh7wdUhxcsdt2

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 1720 wrote to memory of 2360	1720	rundll32.exe	rundll32.exe
PID 1720 wrote to memory of 2360	1720	rundll32.exe	rundll32.exe
PID 1720 wrote to memory of 2360	1720	rundll32.exe	rundll32.exe
PID 1720 wrote to memory of 2360	1720	rundll32.exe	rundll32.exe
PID 1720 wrote to memory of 2360	1720	rundll32.exe	rundll32.exe
PID 1720 wrote to memory of 2360	1720	rundll32.exe	rundll32.exe
PID 1720 wrote to memory of 2360	1720	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\a92ce7d7c8435e9f8d364ce3b98e725a.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1720

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\a92ce7d7c8435e9f8d364ce3b98e725a.dll,#1
2⤵
PID:2360

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2360-0-0x00000000008D0000-0x00000000009B2000-memory.dmp

Filesize
904KB

Download
memory/2360-1-0x0000000000160000-0x0000000000161000-memory.dmp

Filesize
4KB

Download
memory/2360-3-0x0000000000370000-0x0000000000391000-memory.dmp

Filesize
132KB

Download
memory/2360-2-0x0000000000370000-0x0000000000391000-memory.dmp

Filesize
132KB

Download
memory/2360-5-0x0000000000370000-0x0000000000391000-memory.dmp

Filesize
132KB

Download
memory/2360-6-0x0000000000260000-0x0000000000285000-memory.dmp

Filesize
148KB

Download
memory/2360-8-0x0000000000260000-0x0000000000285000-memory.dmp

Filesize
148KB

Download
memory/2360-7-0x00000000008D0000-0x00000000009B2000-memory.dmp

Filesize
904KB

Download