qakbot | a62009076fdd3089159cf06d4e5fecac4841ec41a4b15afba25ac419b9f81c2b

Analysis

max time kernel
142s
max time network
122s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
26-02-2024 22:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a62009076fdd3089159cf06d4e5fecac4841ec41a4b15afba25ac419b9f81c2b.dll
Size

950KB
MD5

bde3f7d2e64d64ab37c438a8ed940040
SHA1

5d517917c448323fbcff9e89a0a4976fa8163e51
SHA256

a62009076fdd3089159cf06d4e5fecac4841ec41a4b15afba25ac419b9f81c2b
SHA512

450767f692d66f45c8e1c4da2f45917b00d47d1fe81aa29e8afc1a8299d5238a2e0df2d113f5d475fc096439935280ac8f8f3e7e2bfd8df716b55d161b8bb280
SSDEEP

24576:XkTptLPTzYt/9YIck3BCQpTSoFNMKD8W:0DQZJ3f7MKr

Score

10^/10

qakbot obama177 1650443077 banker stealer trojan

Malware Config

Extracted

Family

qakbot

Version

403.573

Botnet

obama177

Campaign

1650443077

47.23.89.62:993

2.50.4.57:443

172.114.160.81:443

75.99.168.194:443

108.60.213.141:443

180.183.134.56:2222

190.73.3.148:2222

202.134.152.2:2222

84.241.8.23:32103

24.43.99.75:443

203.122.46.130:443

117.248.109.38:21

74.15.2.252:2222

1.161.67.235:995

103.116.178.85:995

38.70.253.226:2222

47.23.89.62:995

148.64.96.100:443

86.98.156.198:993

187.207.47.198:61202

Attributes

salt
jHxastDcds)oMc=jvh7wdUhxcsdt2

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2688 2228 WerFault.exe rundll32.exe

pid	pid_target	process	target process
2688	2228	WerFault.exe	rundll32.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 2212 wrote to memory of 2228	2212	rundll32.exe	rundll32.exe
PID 2212 wrote to memory of 2228	2212	rundll32.exe	rundll32.exe
PID 2212 wrote to memory of 2228	2212	rundll32.exe	rundll32.exe
PID 2212 wrote to memory of 2228	2212	rundll32.exe	rundll32.exe
PID 2212 wrote to memory of 2228	2212	rundll32.exe	rundll32.exe
PID 2212 wrote to memory of 2228	2212	rundll32.exe	rundll32.exe
PID 2212 wrote to memory of 2228	2212	rundll32.exe	rundll32.exe
PID 2228 wrote to memory of 2688	2228	rundll32.exe	WerFault.exe
PID 2228 wrote to memory of 2688	2228	rundll32.exe	WerFault.exe
PID 2228 wrote to memory of 2688	2228	rundll32.exe	WerFault.exe
PID 2228 wrote to memory of 2688	2228	rundll32.exe	WerFault.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\a62009076fdd3089159cf06d4e5fecac4841ec41a4b15afba25ac419b9f81c2b.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2212

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\a62009076fdd3089159cf06d4e5fecac4841ec41a4b15afba25ac419b9f81c2b.dll,#1
2⤵
- Suspicious use of WriteProcessMemory
PID:2228

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2228 -s 308
3⤵
- Program crash
PID:2688

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2228-0-0x0000000001F40000-0x0000000002032000-memory.dmp

Filesize
968KB

Download
memory/2228-1-0x0000000000160000-0x0000000000161000-memory.dmp

Filesize
4KB

Download
memory/2228-2-0x0000000002040000-0x00000000020CF000-memory.dmp

Filesize
572KB

Download
memory/2228-4-0x00000000009A0000-0x0000000000A2A000-memory.dmp

Filesize
552KB

Download
memory/2228-3-0x0000000002040000-0x00000000020CF000-memory.dmp

Filesize
572KB

Download
memory/2228-6-0x0000000002040000-0x00000000020CF000-memory.dmp

Filesize
572KB

Download
memory/2228-7-0x0000000001F40000-0x0000000002032000-memory.dmp

Filesize
968KB

Download
memory/2228-9-0x0000000000160000-0x0000000000161000-memory.dmp

Filesize
4KB

Download
memory/2228-10-0x00000000009A0000-0x0000000000A2A000-memory.dmp

Filesize
552KB

Download