qakbot | a5bc0cd5d00f106956ae962aaddf631a4fc5fc4da24b36fa2518d1a9700a6f63

Analysis

max time kernel
148s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
26-02-2024 22:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a5bc0cd5d00f106956ae962aaddf631a4fc5fc4da24b36fa2518d1a9700a6f63.dll
Size

875KB
MD5

35a7ed73981b4608879a56617e05d1e4
SHA1

aa05bdd339e484d3e701084a069ffebc7a5c534d
SHA256

a5bc0cd5d00f106956ae962aaddf631a4fc5fc4da24b36fa2518d1a9700a6f63
SHA512

4d38ffda1c385d08c4e581597fb5813fa8fe41570418793b5df6ed1e882c97187f127ef3947ea45fb0bb2ac3a0ca32d37151004b1c64168808641c465d80c559
SSDEEP

12288:MvdyMlRePlWuktyda+/egKRuCQ1X8eLQRNGoDTStoMsaD2F1PrIGCn:GnlRxuwTI4BqMeGNruaVa6FZCn

Score

10^/10

qakbot aa 1648462350 banker stealer trojan

Malware Config

Extracted

Family

qakbot

Version

403.549

Botnet

Campaign

1648462350

75.113.214.234:2222

86.98.208.214:2222

41.84.229.218:995

190.73.3.148:2222

113.11.89.170:995

45.241.152.155:993

74.15.2.252:2222

76.70.9.169:2222

103.139.242.30:993

80.11.74.81:2222

105.186.127.127:995

81.60.217.44:995

79.129.121.68:995

75.99.168.194:443

5.95.58.211:2087

129.208.19.253:995

2.34.12.8:443

108.60.213.141:443

176.67.56.94:443

176.88.238.122:995

Attributes

salt
jHxastDcds)oMc=jvh7wdUhxcsdt2

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot

Program crash 1 IoCs

Processes:

WerFault.exe

pid	pid_target	Process	procid_target
740	1132	WerFault.exe	42

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

rundll32.exe

description	pid	Process	procid_target
PID 4960 wrote to memory of 1132	4960	rundll32.exe	42
PID 4960 wrote to memory of 1132	4960	rundll32.exe	42
PID 4960 wrote to memory of 1132	4960	rundll32.exe	42

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\a5bc0cd5d00f106956ae962aaddf631a4fc5fc4da24b36fa2518d1a9700a6f63.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4960
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\a5bc0cd5d00f106956ae962aaddf631a4fc5fc4da24b36fa2518d1a9700a6f63.dll,#1
  2⤵
  PID:1132
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1132 -s 668
    3⤵
    - Program crash
    PID:740

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1132 -ip 1132
1⤵
PID:3992

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1132-0-0x0000000000EE0000-0x0000000000EE1000-memory.dmp

Filesize
4KB

Download
memory/1132-1-0x0000000002E00000-0x0000000002E68000-memory.dmp

Filesize
416KB

Download
memory/1132-2-0x0000000002EE0000-0x0000000002F4C000-memory.dmp

Filesize
432KB

Download
memory/1132-3-0x0000000002EE0000-0x0000000002F4C000-memory.dmp

Filesize
432KB

Download
memory/1132-5-0x0000000002EE0000-0x0000000002F4C000-memory.dmp

Filesize
432KB

Download
memory/1132-6-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/1132-7-0x0000000002E00000-0x0000000002E68000-memory.dmp

Filesize
416KB

Download