qakbot | a36ebfb2e229494919fffd76be0a199da415fe826f0ead7a5766d44cfd6ab579

Analysis

max time kernel
149s
max time network
122s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
26/02/2024, 21:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a36ebfb2e229494919fffd76be0a199da415fe826f0ead7a5766d44cfd6ab579.dll
Size

515KB
MD5

ee91b04ce7d49a76c987c4aa4e269300
SHA1

9ebae6f3c883c8d8d7f6c8b6b886105d910f9c1a
SHA256

a36ebfb2e229494919fffd76be0a199da415fe826f0ead7a5766d44cfd6ab579
SHA512

a150d9d688a0f6a6c2c52e75b62fd2c4bdcd4f1e432b27b090bcd458272de4c6f73e5adbf50acbe82b21aa99593efdd92354d47a7c24515d115a4e35311c7303
SSDEEP

12288:2VLOLbYx29jcKY/1Yj70xFqSgzHkuyEFDOwK:Syy2K120/bgzEuyEFC

Score

10^/10

qakbot aa 1648020400 banker stealer trojan

Malware Config

Extracted

Family

qakbot

Version

403.549

Botnet

Campaign

1648020400

120.150.218.241:995

79.52.204.9:50001

161.142.56.8:443

93.48.80.198:995

81.60.216.223:995

1.161.80.99:443

2.34.12.8:443

113.11.89.170:995

74.15.2.252:2222

209.180.70.25:443

86.98.208.214:2222

189.146.51.56:443

203.122.46.130:443

190.73.3.148:2222

197.167.50.74:993

76.70.9.169:2222

75.99.168.194:443

76.69.155.202:2222

176.88.238.122:995

89.137.52.44:443

Attributes

salt
jHxastDcds)oMc=jvh7wdUhxcsdt2

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2764	regsvr32.exe
1624	explorer.exe
1624	explorer.exe
1624	explorer.exe
1624	explorer.exe
1624	explorer.exe
1624	explorer.exe
1624	explorer.exe
1624	explorer.exe
1624	explorer.exe
1624	explorer.exe
1624	explorer.exe
1624	explorer.exe
1624	explorer.exe
1624	explorer.exe
1624	explorer.exe
1624	explorer.exe
1624	explorer.exe
1624	explorer.exe
1624	explorer.exe
1624	explorer.exe
1624	explorer.exe
1624	explorer.exe
1624	explorer.exe
1624	explorer.exe
1624	explorer.exe
1624	explorer.exe
1624	explorer.exe
1624	explorer.exe
1624	explorer.exe
1624	explorer.exe
1624	explorer.exe
1624	explorer.exe
1624	explorer.exe
1624	explorer.exe
1624	explorer.exe
1624	explorer.exe
1624	explorer.exe
1624	explorer.exe
1624	explorer.exe
1624	explorer.exe
1624	explorer.exe
1624	explorer.exe
1624	explorer.exe
1624	explorer.exe
1624	explorer.exe
1624	explorer.exe
1624	explorer.exe
1624	explorer.exe
1624	explorer.exe
1624	explorer.exe
1624	explorer.exe
1624	explorer.exe
1624	explorer.exe
1624	explorer.exe
1624	explorer.exe
1624	explorer.exe
1624	explorer.exe
1624	explorer.exe
1624	explorer.exe
1624	explorer.exe
1624	explorer.exe
1624	explorer.exe
1624	explorer.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2764	regsvr32.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 1948 wrote to memory of 2764	1948	regsvr32.exe	28
PID 1948 wrote to memory of 2764	1948	regsvr32.exe	28
PID 1948 wrote to memory of 2764	1948	regsvr32.exe	28
PID 1948 wrote to memory of 2764	1948	regsvr32.exe	28
PID 1948 wrote to memory of 2764	1948	regsvr32.exe	28
PID 1948 wrote to memory of 2764	1948	regsvr32.exe	28
PID 1948 wrote to memory of 2764	1948	regsvr32.exe	28
PID 2764 wrote to memory of 1624	2764	regsvr32.exe	29
PID 2764 wrote to memory of 1624	2764	regsvr32.exe	29
PID 2764 wrote to memory of 1624	2764	regsvr32.exe	29
PID 2764 wrote to memory of 1624	2764	regsvr32.exe	29
PID 2764 wrote to memory of 1624	2764	regsvr32.exe	29
PID 2764 wrote to memory of 1624	2764	regsvr32.exe	29

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\a36ebfb2e229494919fffd76be0a199da415fe826f0ead7a5766d44cfd6ab579.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:1948
- C:\Windows\SysWOW64\regsvr32.exe
  /s C:\Users\Admin\AppData\Local\Temp\a36ebfb2e229494919fffd76be0a199da415fe826f0ead7a5766d44cfd6ab579.dll
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:2764
- - C:\Windows\SysWOW64\explorer.exe
    C:\Windows\SysWOW64\explorer.exe
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1624

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1624-7-0x00000000000F0000-0x00000000000F2000-memory.dmp

Filesize
8KB

Download
memory/1624-10-0x0000000000080000-0x00000000000EC000-memory.dmp

Filesize
432KB

Download
memory/1624-11-0x0000000000080000-0x00000000000EC000-memory.dmp

Filesize
432KB

Download
memory/1624-12-0x0000000000080000-0x00000000000EC000-memory.dmp

Filesize
432KB

Download
memory/1624-13-0x0000000000080000-0x00000000000EC000-memory.dmp

Filesize
432KB

Download
memory/1624-14-0x0000000000080000-0x00000000000EC000-memory.dmp

Filesize
432KB

Download
memory/1624-16-0x0000000000080000-0x00000000000EC000-memory.dmp

Filesize
432KB

Download
memory/2764-0-0x0000000010000000-0x000000001006C000-memory.dmp

Filesize
432KB

Download
memory/2764-6-0x0000000010000000-0x000000001006C000-memory.dmp

Filesize
432KB

Download
memory/2764-9-0x0000000010000000-0x000000001006C000-memory.dmp

Filesize
432KB

Download