Analysis

  • max time kernel
    138s
  • max time network
    140s
  • platform
    windows10_x64
  • resource
    win10v20210408
  • submitted
    20-04-2021 09:59

General

  • Target

    qak.dll

  • Size

    724KB

  • MD5

    fd2bfb40411f1a921026a84e8352c242

  • SHA1

    3de9e0966b1c48bcaf65ee81148b533c57a2c943

  • SHA256

    5b419f5101f112f896c7985936eb331fad6716f7f2ea3a493bfd040390c31463

  • SHA512

    8d4ee8a0f9220e56168aaab1e12b1f980dba6e2a9add33459d02aca9aae161378de1ae8206c3d431207f7f0405071c001cd2a5c2e9579f33800c1cdbc52b9db0

Malware Config

Signatures

  • Qakbot/Qbot

    Qbot or Qakbot is a sophisticated worm with banking capabilities.

  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\qak.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1040
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\qak.dll,#1
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:2172
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2172 -s 708
        3⤵
        • Program crash
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:512

Network

MITRE ATT&CK Matrix

Downloads

  • memory/2172-114-0x0000000000000000-mapping.dmp
  • memory/2172-115-0x0000000002C00000-0x0000000002D4A000-memory.dmp
    Filesize

    1.3MB

  • memory/2172-116-0x0000000002C00000-0x0000000002D4A000-memory.dmp
    Filesize

    1.3MB