qakbot | userapi[.]dll

Sharing

Copy URL

Twitter E-mail

General

Target

userapi.dll
Size

167KB
MD5

ce75519a7d251a187dbd7e72b53b093a
SHA1

fa103591148ab8478a84ce25db28ece2e678bd02
SHA256

59559e97962e40a15adb2237c4d01cfead03623aff1725616caeaa5a8d273a35
SHA512

d40da7049f41ddb6b2e6bb751405385256fd9465101ebcf7af8441f8ffa4733df8528ea6312ca6c3d7e57b1365c4c472215865b978f17ccd11deb13b8bdbf5c8
SSDEEP

3072:GeWBsy+tW4we6Ygz5vEEFV6Q+S19N+sqoi7geA7y9utB5t:GeWBsRE/dYw5FMkj+sNiTA7ptB

Score

10^/10

qakbot

Malware Config

Signatures

Detect Qakbot Payload 1 IoCs

resource	yara_rule
sample	family_qakbot_v5

Qakbot family
qakbot

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
userapi.dll

Files

userapi.dll
.dll windows:6 windows x64 arch:x64

a5864330cc4bfd0882fb2f3679901037

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

Imports

msvcrt

strcmp
_snprintf
_errno
memset
_vsnprintf
_strtoi64
memchr
_time64
strncpy
strchr
strtod
localeconv
_vsnwprintf
qsort
atol
memcpy

kernel32

SetFileAttributesW
GetTickCount
SetThreadPriority
FlushFileBuffers
LocalAlloc
GetExitCodeProcess
GetFileAttributesW
MultiByteToWideChar
SetCurrentDirectoryA
Sleep
lstrcmpiW
GetDriveTypeW
GetLastError
CreateDirectoryW
lstrcatA
lstrcmpA
CreateMutexW
GetCurrentThread
GetProcessId
GetNumberFormatA
DisconnectNamedPipe
MoveFileW
ExitThread
GetCurrentProcessId
SwitchToThread
GetModuleHandleA
GetProcAddress
HeapCreate
HeapFree
HeapAlloc
LoadLibraryA
GetCurrentProcess
lstrcatW
WideCharToMultiByte
FindFirstFileW
FindNextFileW
GetSystemTimeAsFileTime
lstrlenW
LoadLibraryW
FreeLibrary
GetCommandLineW
GetVersionExA
GetSystemInfo
GetCurrentDirectoryW
GetWindowsDirectoryW

user32

CharUpperBuffA
CharUpperBuffW

shell32

CommandLineToArgvW

ole32

CoCreateInstance
CoInitializeEx
CoSetProxyBlanket
CoInitializeSecurity

oleaut32

SafeArrayGetLBound
SafeArrayGetElement
SafeArrayGetUBound
SafeArrayDestroy
VariantClear
SysFreeString
SysAllocString

Exports

Exports

checkit

Sections

.text
Size: 127KB - Virtual size: 126KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 21KB - Virtual size: 20KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 12KB - Virtual size: 17KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 5KB - Virtual size: 5KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 68B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

a5864330cc4bfd0882fb2f3679901037

Headers

DLL Characteristics

File Characteristics

Imports

msvcrt

kernel32

user32

shell32

ole32

oleaut32

Exports

Exports

Sections

.text Size: 127KB - Virtual size: 126KB

.rdata Size: 21KB - Virtual size: 20KB

.data Size: 12KB - Virtual size: 17KB

.pdata Size: 5KB - Virtual size: 5KB

.reloc Size: 512B - Virtual size: 68B

.text
Size: 127KB - Virtual size: 126KB

.rdata
Size: 21KB - Virtual size: 20KB

.data
Size: 12KB - Virtual size: 17KB

.pdata
Size: 5KB - Virtual size: 5KB

.reloc
Size: 512B - Virtual size: 68B