qakbot | 362978ed1c1eec5ff19b744601e082a2[.]bin

Sharing

Copy URL

Twitter E-mail

General

Target

362978ed1c1eec5ff19b744601e082a2.bin
Size

99KB
MD5

268eef2cf46ce87135c90c6948e3d673
SHA1

4bc1d6a108250f52d819b70992493a3a80df381a
SHA256

1aa8e55ceec841c7ca088da6fc3e018ebc265bfd3ce85cae0339106143800186
SHA512

1cdfbfcd1eecb0ec62456923369b2353aafacf14fb9057dacad7d4fcded828705742fff7b7fe7524397e9287ef90182b55e56b049943a3236d0a2cb3039215e1
SSDEEP

1536:ErsYCV7bwLn7iWpWUy1AUDs/RDIrfSUeJSat1v+zar1VYrOBZCiLW6wowdc:8s7bwLnWVUVJa5eJSaHvj3DzW8

Score

10^/10

qakbot

Malware Config

Signatures

Detect Qakbot Payload 1 IoCs

Processes:

resource	yara_rule
static1/unpack001/af6a9b7e7aefeb903c76417ed2b8399b73657440ad5f8b48a25cfe5e97ff868f.exe	family_qakbot_v5

Qakbot family
qakbot

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

Processes:

resource
unpack001/af6a9b7e7aefeb903c76417ed2b8399b73657440ad5f8b48a25cfe5e97ff868f.exe

Files

362978ed1c1eec5ff19b744601e082a2.bin
.zip

Password: infected
af6a9b7e7aefeb903c76417ed2b8399b73657440ad5f8b48a25cfe5e97ff868f.exe
.dll windows:6 windows x64 arch:x64

Password: infected

a5864330cc4bfd0882fb2f3679901037

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

Imports

msvcrt

strcmp
_snprintf
_errno
memset
_vsnprintf
_strtoi64
memchr
_time64
strncpy
strchr
strtod
localeconv
_vsnwprintf
qsort
atol
memcpy

kernel32

SetFileAttributesW
GetTickCount
SetThreadPriority
FlushFileBuffers
LocalAlloc
GetExitCodeProcess
GetFileAttributesW
MultiByteToWideChar
SetCurrentDirectoryA
Sleep
lstrcmpiW
GetDriveTypeW
GetLastError
CreateDirectoryW
lstrcatA
lstrcmpA
CreateMutexW
GetCurrentThread
GetProcessId
GetNumberFormatA
DisconnectNamedPipe
MoveFileW
ExitThread
GetCurrentProcessId
SwitchToThread
GetModuleHandleA
GetProcAddress
HeapCreate
HeapFree
HeapAlloc
LoadLibraryA
GetCurrentProcess
lstrcatW
WideCharToMultiByte
FindFirstFileW
FindNextFileW
GetSystemTimeAsFileTime
lstrlenW
LoadLibraryW
FreeLibrary
GetCommandLineW
GetVersionExA
GetSystemInfo
GetCurrentDirectoryW
GetWindowsDirectoryW

user32

CharUpperBuffA
CharUpperBuffW

shell32

CommandLineToArgvW

ole32

CoCreateInstance
CoInitializeEx
CoSetProxyBlanket
CoInitializeSecurity

oleaut32

SafeArrayGetLBound
SafeArrayGetElement
SafeArrayGetUBound
SafeArrayDestroy
VariantClear
SysFreeString
SysAllocString

Exports

Exports

CfGetPlatformInfo

Sections

.text
Size: 128KB - Virtual size: 128KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 21KB - Virtual size: 20KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 12KB - Virtual size: 17KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 5KB - Virtual size: 5KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 68B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

Password: infected

Password: infected

a5864330cc4bfd0882fb2f3679901037

Headers

DLL Characteristics

File Characteristics

Imports

msvcrt

kernel32

user32

shell32

ole32

oleaut32

Exports

Exports

Sections

.text Size: 128KB - Virtual size: 128KB

.rdata Size: 21KB - Virtual size: 20KB

.data Size: 12KB - Virtual size: 17KB

.pdata Size: 5KB - Virtual size: 5KB

.reloc Size: 512B - Virtual size: 68B

.text
Size: 128KB - Virtual size: 128KB

.rdata
Size: 21KB - Virtual size: 20KB

.data
Size: 12KB - Virtual size: 17KB

.pdata
Size: 5KB - Virtual size: 5KB

.reloc
Size: 512B - Virtual size: 68B