qakbot | 1267da257994e424d5a3c7c431898ec2c7c748b354f231ebb07e5e4ccaa0eafc

General

Target

1267da257994e424d5a3c7c431898ec2c7c748b354f231ebb07e5e4ccaa0eafc.dll
Size

314KB
MD5

30a2fde7780e4928490777897af72057
SHA1

a6755dbc251fddb523e1d8762040108aa5198f8e
SHA256

1267da257994e424d5a3c7c431898ec2c7c748b354f231ebb07e5e4ccaa0eafc
SHA512

89da2592e70ba74a7e96f213dfa13c67085cd03cd2e763e404338d174d09de2e7dafce77c663056e9cf3a966e527bcb8fc20a2a8e8dd0ac316c9dc95b08e9be0
SSDEEP

6144:VXMURcNLpyXU9W5rulKJQ8n7fgK3RnHV2HoS:BN2NNyXUXM7fgK3RnHV2HoS

Score

10^/10

qakbot bb24 1681985211 banker stealer trojan upx

Malware Config

Extracted

Family

qakbot

Version

404.1001

Botnet

BB24

Campaign

1681985211

C2

12.172.173.82:20

187.199.85.154:32103

96.56.197.26:2078

197.1.229.119:443

90.104.151.37:2222

90.55.106.37:2222

92.186.69.229:2222

92.136.62.50:2222

70.112.206.5:443

77.126.185.173:443

96.56.197.26:2083

89.36.206.220:995

93.150.183.229:2222

45.246.235.177:995

92.9.45.20:2222

92.154.17.149:2222

88.126.94.4:50000

176.202.45.209:443

91.35.212.133:995

12.172.173.82:50001

Attributes

salt
SoNuce]ugdiB3c[doMuce2s81*uXmcvP

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/5100-0-0x0000000063A80000-0x0000000063B63000-memory.dmp	upx
behavioral2/memory/5100-12-0x0000000063A80000-0x0000000063B63000-memory.dmp	upx

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

ping.exe

pid process

528 ping.exe

pid	process
528	ping.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exewermgr.exe

pid	process
5100	rundll32.exe
5100	rundll32.exe
1272	wermgr.exe
1272	wermgr.exe
1272	wermgr.exe
1272	wermgr.exe
1272	wermgr.exe
1272	wermgr.exe
1272	wermgr.exe
1272	wermgr.exe
1272	wermgr.exe
1272	wermgr.exe
1272	wermgr.exe
1272	wermgr.exe
1272	wermgr.exe
1272	wermgr.exe
1272	wermgr.exe
1272	wermgr.exe
1272	wermgr.exe
1272	wermgr.exe
1272	wermgr.exe
1272	wermgr.exe
1272	wermgr.exe
1272	wermgr.exe
1272	wermgr.exe
1272	wermgr.exe
1272	wermgr.exe
1272	wermgr.exe
1272	wermgr.exe
1272	wermgr.exe
1272	wermgr.exe
1272	wermgr.exe
1272	wermgr.exe
1272	wermgr.exe
1272	wermgr.exe
1272	wermgr.exe
1272	wermgr.exe
1272	wermgr.exe
1272	wermgr.exe
1272	wermgr.exe
1272	wermgr.exe
1272	wermgr.exe
1272	wermgr.exe
1272	wermgr.exe
1272	wermgr.exe
1272	wermgr.exe
1272	wermgr.exe
1272	wermgr.exe
1272	wermgr.exe
1272	wermgr.exe
1272	wermgr.exe
1272	wermgr.exe
1272	wermgr.exe
1272	wermgr.exe
1272	wermgr.exe
1272	wermgr.exe
1272	wermgr.exe
1272	wermgr.exe
1272	wermgr.exe
1272	wermgr.exe
1272	wermgr.exe
1272	wermgr.exe
1272	wermgr.exe
1272	wermgr.exe

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

rundll32.exe

pid process

5100 rundll32.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

rundll32.exerundll32.exewermgr.exe

description	pid	process	target process
PID 4052 wrote to memory of 5100	4052	rundll32.exe	rundll32.exe
PID 4052 wrote to memory of 5100	4052	rundll32.exe	rundll32.exe
PID 4052 wrote to memory of 5100	4052	rundll32.exe	rundll32.exe
PID 5100 wrote to memory of 1272	5100	rundll32.exe	wermgr.exe
PID 5100 wrote to memory of 1272	5100	rundll32.exe	wermgr.exe
PID 5100 wrote to memory of 1272	5100	rundll32.exe	wermgr.exe
PID 5100 wrote to memory of 1272	5100	rundll32.exe	wermgr.exe
PID 5100 wrote to memory of 1272	5100	rundll32.exe	wermgr.exe
PID 1272 wrote to memory of 528	1272	wermgr.exe	ping.exe
PID 1272 wrote to memory of 528	1272	wermgr.exe	ping.exe
PID 1272 wrote to memory of 528	1272	wermgr.exe	ping.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\1267da257994e424d5a3c7c431898ec2c7c748b354f231ebb07e5e4ccaa0eafc.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4052

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\1267da257994e424d5a3c7c431898ec2c7c748b354f231ebb07e5e4ccaa0eafc.dll,#1
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:5100

C:\Windows\SysWOW64\wermgr.exe
C:\Windows\SysWOW64\wermgr.exe
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1272

C:\Windows\SysWOW64\ping.exe
ping -n 3 yahoo.com
4⤵
- Runs ping.exe
PID:528

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

1

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1272-13-0x0000000000C90000-0x0000000000CB4000-memory.dmp

Filesize
144KB

Download
memory/1272-14-0x0000000000C90000-0x0000000000CB4000-memory.dmp

Filesize
144KB

Download
memory/1272-20-0x0000000000C90000-0x0000000000CB4000-memory.dmp

Filesize
144KB

Download
memory/1272-18-0x0000000000C90000-0x0000000000CB4000-memory.dmp

Filesize
144KB

Download
memory/1272-8-0x0000000000C90000-0x0000000000CB4000-memory.dmp

Filesize
144KB

Download
memory/1272-9-0x0000000000C90000-0x0000000000CB4000-memory.dmp

Filesize
144KB

Download
memory/1272-16-0x0000000000C90000-0x0000000000CB4000-memory.dmp

Filesize
144KB

Download
memory/1272-15-0x0000000000C90000-0x0000000000CB4000-memory.dmp

Filesize
144KB

Download
memory/1272-11-0x0000000000C90000-0x0000000000CB4000-memory.dmp

Filesize
144KB

Download
memory/5100-0-0x0000000063A80000-0x0000000063B63000-memory.dmp

Filesize
908KB

Download
memory/5100-10-0x0000000010000000-0x0000000010024000-memory.dmp

Filesize
144KB

Download
memory/5100-12-0x0000000063A80000-0x0000000063B63000-memory.dmp

Filesize
908KB

Download
memory/5100-1-0x0000000002090000-0x0000000002093000-memory.dmp

Filesize
12KB

Download
memory/5100-7-0x0000000010000000-0x0000000010024000-memory.dmp

Filesize
144KB

Download
memory/5100-2-0x0000000010000000-0x0000000010024000-memory.dmp

Filesize
144KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads