qakbot | a27df79ba5f04d6a09189e6d01c301e6ddbf082c67c2853ec2f4bbfdf2b51a56

Analysis

max time kernel
64s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
26-02-2024 21:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a27df79ba5f04d6a09189e6d01c301e6ddbf082c67c2853ec2f4bbfdf2b51a56.dll
Size

1.5MB
MD5

e1dbda07124bece1d5d847715c28afbc
SHA1

95bb7058f29ddcec37aaaa0e3348e30361e86d38
SHA256

a27df79ba5f04d6a09189e6d01c301e6ddbf082c67c2853ec2f4bbfdf2b51a56
SHA512

c07332e92435dc83b4aa8368f041d873f22e7977658027a8085da7bf96d47352b1e11ff6cca52517790da08493e21f43d8b8f2314a6f775ad3555b2faf01b3ee
SSDEEP

24576:c/LFmDoE1Zjaqi/3ymfSBjDHubkX0YuSw7zMYQ0a4lFbp:cjivD9EimfEuYXXuSoWx+

Score

10^/10

qakbot aa 1651135890 banker stealer trojan

Malware Config

Extracted

Family

qakbot

Version

403.573

Botnet

Campaign

1651135890

149.135.101.20:443

103.139.243.207:990

1.161.104.149:995

185.249.85.175:443

113.89.5.252:995

202.134.152.2:2222

41.107.132.203:443

191.250.245.193:443

117.248.109.38:21

86.195.158.178:2222

71.13.93.154:2222

45.9.20.200:443

103.87.95.133:2222

173.174.216.62:443

187.58.79.229:993

203.122.46.130:443

32.221.224.140:995

175.145.235.37:443

81.155.87.247:2078

140.82.63.183:443

Attributes

salt
jHxastDcds)oMc=jvh7wdUhxcsdt2

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot

Program crash 1 IoCs

Processes:

WerFault.exe

pid	pid_target	Process	procid_target
3944	4140	WerFault.exe	84

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

rundll32.exe

description	pid	Process	procid_target
PID 4916 wrote to memory of 4140	4916	rundll32.exe	84
PID 4916 wrote to memory of 4140	4916	rundll32.exe	84
PID 4916 wrote to memory of 4140	4916	rundll32.exe	84

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\a27df79ba5f04d6a09189e6d01c301e6ddbf082c67c2853ec2f4bbfdf2b51a56.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4916
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\a27df79ba5f04d6a09189e6d01c301e6ddbf082c67c2853ec2f4bbfdf2b51a56.dll,#1
  2⤵
  PID:4140
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4140 -s 684
    3⤵
    - Program crash
    PID:3944

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4140 -ip 4140
1⤵
PID:3940

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4140-0-0x0000000000D60000-0x0000000000EDC000-memory.dmp

Filesize
1.5MB

Download
memory/4140-1-0x0000000000730000-0x0000000000731000-memory.dmp

Filesize
4KB

Download
memory/4140-2-0x0000000002940000-0x00000000029CA000-memory.dmp

Filesize
552KB

Download
memory/4140-3-0x0000000002A60000-0x0000000002AEF000-memory.dmp

Filesize
572KB

Download
memory/4140-6-0x0000000002A60000-0x0000000002AEF000-memory.dmp

Filesize
572KB

Download
memory/4140-4-0x0000000002A60000-0x0000000002AEF000-memory.dmp

Filesize
572KB

Download
memory/4140-7-0x0000000000D60000-0x0000000000EDC000-memory.dmp

Filesize
1.5MB

Download
memory/4140-8-0x0000000002940000-0x00000000029CA000-memory.dmp

Filesize
552KB

Download