qakbot | a36ebfb2e229494919fffd76be0a199da415fe826f0ead7a5766d44cfd6ab579

Analysis

max time kernel
152s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
26-02-2024 21:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a36ebfb2e229494919fffd76be0a199da415fe826f0ead7a5766d44cfd6ab579.dll
Size

515KB
MD5

ee91b04ce7d49a76c987c4aa4e269300
SHA1

9ebae6f3c883c8d8d7f6c8b6b886105d910f9c1a
SHA256

a36ebfb2e229494919fffd76be0a199da415fe826f0ead7a5766d44cfd6ab579
SHA512

a150d9d688a0f6a6c2c52e75b62fd2c4bdcd4f1e432b27b090bcd458272de4c6f73e5adbf50acbe82b21aa99593efdd92354d47a7c24515d115a4e35311c7303
SSDEEP

12288:2VLOLbYx29jcKY/1Yj70xFqSgzHkuyEFDOwK:Syy2K120/bgzEuyEFC

Score

10^/10

qakbot aa 1648020400 banker stealer trojan

Malware Config

Extracted

Family

qakbot

Version

403.549

Botnet

Campaign

1648020400

120.150.218.241:995

79.52.204.9:50001

161.142.56.8:443

93.48.80.198:995

81.60.216.223:995

1.161.80.99:443

2.34.12.8:443

113.11.89.170:995

74.15.2.252:2222

209.180.70.25:443

86.98.208.214:2222

189.146.51.56:443

203.122.46.130:443

190.73.3.148:2222

197.167.50.74:993

76.70.9.169:2222

75.99.168.194:443

76.69.155.202:2222

176.88.238.122:995

89.137.52.44:443

Attributes

salt
jHxastDcds)oMc=jvh7wdUhxcsdt2

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

regsvr32.exeexplorer.exe

pid	process
1980	regsvr32.exe
1980	regsvr32.exe
2012	explorer.exe
2012	explorer.exe
2012	explorer.exe
2012	explorer.exe
2012	explorer.exe
2012	explorer.exe
2012	explorer.exe
2012	explorer.exe
2012	explorer.exe
2012	explorer.exe
2012	explorer.exe
2012	explorer.exe
2012	explorer.exe
2012	explorer.exe
2012	explorer.exe
2012	explorer.exe
2012	explorer.exe
2012	explorer.exe
2012	explorer.exe
2012	explorer.exe
2012	explorer.exe
2012	explorer.exe
2012	explorer.exe
2012	explorer.exe
2012	explorer.exe
2012	explorer.exe
2012	explorer.exe
2012	explorer.exe
2012	explorer.exe
2012	explorer.exe
2012	explorer.exe
2012	explorer.exe
2012	explorer.exe
2012	explorer.exe
2012	explorer.exe
2012	explorer.exe
2012	explorer.exe
2012	explorer.exe
2012	explorer.exe
2012	explorer.exe
2012	explorer.exe
2012	explorer.exe
2012	explorer.exe
2012	explorer.exe
2012	explorer.exe
2012	explorer.exe
2012	explorer.exe
2012	explorer.exe
2012	explorer.exe
2012	explorer.exe
2012	explorer.exe
2012	explorer.exe
2012	explorer.exe
2012	explorer.exe
2012	explorer.exe
2012	explorer.exe
2012	explorer.exe
2012	explorer.exe
2012	explorer.exe
2012	explorer.exe
2012	explorer.exe
2012	explorer.exe

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

regsvr32.exe

pid process

1980 regsvr32.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

regsvr32.exeregsvr32.exe

description	pid	process	target process
PID 1976 wrote to memory of 1980	1976	regsvr32.exe	regsvr32.exe
PID 1976 wrote to memory of 1980	1976	regsvr32.exe	regsvr32.exe
PID 1976 wrote to memory of 1980	1976	regsvr32.exe	regsvr32.exe
PID 1980 wrote to memory of 2012	1980	regsvr32.exe	explorer.exe
PID 1980 wrote to memory of 2012	1980	regsvr32.exe	explorer.exe
PID 1980 wrote to memory of 2012	1980	regsvr32.exe	explorer.exe
PID 1980 wrote to memory of 2012	1980	regsvr32.exe	explorer.exe
PID 1980 wrote to memory of 2012	1980	regsvr32.exe	explorer.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\a36ebfb2e229494919fffd76be0a199da415fe826f0ead7a5766d44cfd6ab579.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:1976

C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\a36ebfb2e229494919fffd76be0a199da415fe826f0ead7a5766d44cfd6ab579.dll
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1980

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:2012

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1980-0-0x0000000010000000-0x000000001006C000-memory.dmp

Filesize
432KB

Download
memory/1980-6-0x0000000010000000-0x000000001006C000-memory.dmp

Filesize
432KB

Download
memory/1980-8-0x0000000010000000-0x000000001006C000-memory.dmp

Filesize
432KB

Download
memory/2012-7-0x0000000000940000-0x00000000009AC000-memory.dmp

Filesize
432KB

Download
memory/2012-9-0x0000000000940000-0x00000000009AC000-memory.dmp

Filesize
432KB

Download
memory/2012-10-0x0000000000940000-0x00000000009AC000-memory.dmp

Filesize
432KB

Download
memory/2012-11-0x0000000000940000-0x00000000009AC000-memory.dmp

Filesize
432KB

Download
memory/2012-12-0x0000000000940000-0x00000000009AC000-memory.dmp

Filesize
432KB

Download
memory/2012-14-0x0000000000940000-0x00000000009AC000-memory.dmp

Filesize
432KB

Download