qakbot | b69d373340bdd8dde8c718286c5f2bb8e1bbfc0c817f0fc7d5b1b712e4ef85ff

Analysis

max time kernel
146s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
02-04-2024 05:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8538019c513379a092104fa35dfd5d76_JaffaCakes118.dll
Size

662KB
MD5

8538019c513379a092104fa35dfd5d76
SHA1

f524fea3b2f880359c2ed44453e5515c9f99cefe
SHA256

b69d373340bdd8dde8c718286c5f2bb8e1bbfc0c817f0fc7d5b1b712e4ef85ff
SHA512

5c3ed2a46507d7fa797a61ac54085a206dac66014a8e1b7217b134fd640f53c7d23c04e4f1f368aac27417262118dbb450bf979aa1fffa4dedd5b780b362cf1e
SSDEEP

12288:Nq2QnkzDxeIiGD1EWh1KFxBPuH+3AS58O7A6xIjh2gUv:NzQnkBnT5EWh1KFfuHWAS58O7AQ

Score

10^/10

qakbot tr 1632730751 banker stealer trojan

Malware Config

Extracted

Family

qakbot

Version

402.343

Botnet

Campaign

1632730751

95.77.223.148:443

47.22.148.6:443

89.101.97.139:443

27.223.92.142:995

120.151.47.189:443

136.232.34.70:443

120.150.218.241:995

185.250.148.74:443

181.118.183.94:443

140.82.49.12:443

67.165.206.193:993

103.148.120.144:443

71.74.12.34:443

76.25.142.196:443

73.151.236.31:443

173.21.10.71:2222

75.188.35.168:443

2.178.88.145:61202

71.80.168.245:443

45.46.53.140:2222

Attributes

salt
jHxastDcds)oMc=jvh7wdUhxcsdt2

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1828 2040 WerFault.exe regsvr32.exe

pid	pid_target	process	target process
1828	2040	WerFault.exe	regsvr32.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

regsvr32.exe

description	pid	process	target process
PID 4744 wrote to memory of 2040	4744	regsvr32.exe	regsvr32.exe
PID 4744 wrote to memory of 2040	4744	regsvr32.exe	regsvr32.exe
PID 4744 wrote to memory of 2040	4744	regsvr32.exe	regsvr32.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\8538019c513379a092104fa35dfd5d76_JaffaCakes118.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:4744

C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\8538019c513379a092104fa35dfd5d76_JaffaCakes118.dll
2⤵
PID:2040

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2040 -s 1004
3⤵
- Program crash
PID:1828

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2040 -ip 2040
1⤵
PID:1728

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2040-0-0x0000000010000000-0x0000000010175000-memory.dmp

Filesize
1.5MB

Download
memory/2040-1-0x0000000010000000-0x0000000010175000-memory.dmp

Filesize
1.5MB

Download
memory/2040-2-0x0000000010000000-0x0000000010175000-memory.dmp

Filesize
1.5MB

Download