qakbot | 48a79cc89ec1002be655b5727c420d7a00fcdd044e0dea12e371af8804d1233f | Triage

Analysis

max time kernel
40s
max time network
134s
platform
windows10_x64
resource
win10v20210408
submitted
01-05-2021 14:53

Sharing

Report Analysis Logs

General

Target

8e4c0c3730667bf8dfb8c0ee23fbe8bb.dll
Size

632KB
MD5

8e4c0c3730667bf8dfb8c0ee23fbe8bb
SHA1

da344c94f80cfa5448782b1d5f52cd91bb59c49f
SHA256

48a79cc89ec1002be655b5727c420d7a00fcdd044e0dea12e371af8804d1233f
SHA512

a61d3e57b9805d4b4926de80c07442be494417bc1d444290654fa9d0bca551c00dde3f09dc1700ac124b604cb39192c307423eb81ddec75b17ba5b7cefbc7897

Score

10^/10

qakbot banker stealer trojan

Malware Config

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3264 4768 WerFault.exe rundll32.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

Processes:

rundll32.exeWerFault.exe

pid	process
4768	rundll32.exe
4768	rundll32.exe
3264	WerFault.exe
3264	WerFault.exe
3264	WerFault.exe
3264	WerFault.exe
3264	WerFault.exe
3264	WerFault.exe
3264	WerFault.exe
3264	WerFault.exe
3264	WerFault.exe
3264	WerFault.exe
3264	WerFault.exe
3264	WerFault.exe
3264	WerFault.exe
3264	WerFault.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

WerFault.exe

description pid process

Token: SeRestorePrivilege 3264 WerFault.exe
Token: SeBackupPrivilege 3264 WerFault.exe
Token: SeDebugPrivilege 3264 WerFault.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 4656 wrote to memory of 4768	4656	rundll32.exe	rundll32.exe
PID 4656 wrote to memory of 4768	4656	rundll32.exe	rundll32.exe
PID 4656 wrote to memory of 4768	4656	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\8e4c0c3730667bf8dfb8c0ee23fbe8bb.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4656

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\8e4c0c3730667bf8dfb8c0ee23fbe8bb.dll,#1
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4768

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4768 -s 704
3⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3264

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4768-114-0x0000000000000000-mapping.dmp

Download
memory/4768-115-0x0000000004840000-0x0000000004882000-memory.dmp

Filesize
264KB

Download
memory/4768-116-0x0000000002CF0000-0x0000000002E3A000-memory.dmp

Filesize
1.3MB

Download