qakbot | d2b4f004d88fa1aa8e075ceeb4dc785fcbfb16d5297c7a2e5d36d653fe77d853

Resubmissions

20-03-2024 20:50

240320-zmt8naag35 10

13-10-2022 11:50

221013-nzp9pache4 10

01-10-2022 01:58

221001-cd4peagcfn 10

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
20-03-2024 20:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

assaulting/milt.dll
Size

448KB
MD5

24c89f5383c6dca654f27383b1ec00a3
SHA1

7766a0a045e56fe16fb5b9e0c5d7c1d047eb36c6
SHA256

bb2540e27de2b8d3d154fee3efa8e2cbefdf25e5a1d76b4cedf49ac3917a1471
SHA512

58bffa71d6be31e136c220828ba0565a7e9231e363804beefc66f47653cf80af94bcc5c221444e6f7f1707dbe915279d67c77592ccedc2d5f09b29bc62f39eb3
SSDEEP

6144:NWlZhgoMdtBYTNSlWBsAOvbd62IYQ8jjHH62uzdMzD9699o9:cl3goMdrbdJ6wQ8faVO099o

Score

10^/10

qakbot bb 1664535088 banker stealer trojan

Malware Config

Extracted

Family

qakbot

Version

403.902

Botnet

Campaign

1664535088

41.107.71.201:443

105.101.230.16:443

105.108.239.60:443

196.64.227.5:8443

41.249.158.221:995

134.35.14.5:443

113.170.117.251:443

187.193.219.248:443

122.166.244.116:443

154.237.129.123:995

41.98.229.81:443

186.48.199.243:995

102.156.3.13:443

41.97.190.189:443

197.207.191.164:443

105.184.14.132:995

196.207.146.151:443

105.158.113.15:443

196.89.42.89:995

86.98.156.229:993

Attributes

salt
SoNuce]ugdiB3c[doMuce2s81*uXmcvP

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

regsvr32.exewermgr.exe

pid	process
2696	regsvr32.exe
2696	regsvr32.exe
1816	wermgr.exe
1816	wermgr.exe
1816	wermgr.exe
1816	wermgr.exe
1816	wermgr.exe
1816	wermgr.exe
1816	wermgr.exe
1816	wermgr.exe
1816	wermgr.exe
1816	wermgr.exe
1816	wermgr.exe
1816	wermgr.exe
1816	wermgr.exe
1816	wermgr.exe
1816	wermgr.exe
1816	wermgr.exe
1816	wermgr.exe
1816	wermgr.exe
1816	wermgr.exe
1816	wermgr.exe
1816	wermgr.exe
1816	wermgr.exe
1816	wermgr.exe
1816	wermgr.exe
1816	wermgr.exe
1816	wermgr.exe
1816	wermgr.exe
1816	wermgr.exe
1816	wermgr.exe
1816	wermgr.exe
1816	wermgr.exe
1816	wermgr.exe
1816	wermgr.exe
1816	wermgr.exe
1816	wermgr.exe
1816	wermgr.exe
1816	wermgr.exe
1816	wermgr.exe
1816	wermgr.exe
1816	wermgr.exe
1816	wermgr.exe
1816	wermgr.exe
1816	wermgr.exe
1816	wermgr.exe
1816	wermgr.exe
1816	wermgr.exe
1816	wermgr.exe
1816	wermgr.exe
1816	wermgr.exe
1816	wermgr.exe
1816	wermgr.exe
1816	wermgr.exe
1816	wermgr.exe
1816	wermgr.exe
1816	wermgr.exe
1816	wermgr.exe
1816	wermgr.exe
1816	wermgr.exe
1816	wermgr.exe
1816	wermgr.exe
1816	wermgr.exe
1816	wermgr.exe

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

regsvr32.exe

pid process

2696 regsvr32.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

regsvr32.exeregsvr32.exe

description	pid	process	target process
PID 3956 wrote to memory of 2696	3956	regsvr32.exe	regsvr32.exe
PID 3956 wrote to memory of 2696	3956	regsvr32.exe	regsvr32.exe
PID 3956 wrote to memory of 2696	3956	regsvr32.exe	regsvr32.exe
PID 2696 wrote to memory of 1816	2696	regsvr32.exe	wermgr.exe
PID 2696 wrote to memory of 1816	2696	regsvr32.exe	wermgr.exe
PID 2696 wrote to memory of 1816	2696	regsvr32.exe	wermgr.exe
PID 2696 wrote to memory of 1816	2696	regsvr32.exe	wermgr.exe
PID 2696 wrote to memory of 1816	2696	regsvr32.exe	wermgr.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\assaulting\milt.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:3956
- C:\Windows\SysWOW64\regsvr32.exe
  /s C:\Users\Admin\AppData\Local\Temp\assaulting\milt.dll
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:2696
- - C:\Windows\SysWOW64\wermgr.exe
    C:\Windows\SysWOW64\wermgr.exe
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1816

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1816-3-0x0000000000BD0000-0x0000000000BF2000-memory.dmp

Filesize
136KB

Download
memory/1816-7-0x0000000000BD0000-0x0000000000BF2000-memory.dmp

Filesize
136KB

Download
memory/1816-8-0x0000000000BD0000-0x0000000000BF2000-memory.dmp

Filesize
136KB

Download
memory/1816-9-0x0000000000BD0000-0x0000000000BF2000-memory.dmp

Filesize
136KB

Download
memory/1816-10-0x0000000000BD0000-0x0000000000BF2000-memory.dmp

Filesize
136KB

Download
memory/1816-11-0x0000000000BD0000-0x0000000000BF2000-memory.dmp

Filesize
136KB

Download
memory/1816-13-0x0000000000BD0000-0x0000000000BF2000-memory.dmp

Filesize
136KB

Download
memory/1816-15-0x0000000000BD0000-0x0000000000BF2000-memory.dmp

Filesize
136KB

Download
memory/2696-2-0x0000000002E50000-0x0000000002E72000-memory.dmp

Filesize
136KB

Download
memory/2696-0-0x0000000002E00000-0x0000000002E42000-memory.dmp

Filesize
264KB

Download
memory/2696-4-0x0000000002E50000-0x0000000002E72000-memory.dmp

Filesize
136KB

Download
memory/2696-5-0x0000000002E00000-0x0000000002E42000-memory.dmp

Filesize
264KB

Download