qakbot | 154bb70ce4102c04094ec6076d61fcdbb53bdb01e8e401fbeeab42e667cc7778 | Triage

Analysis

max time kernel
29s
max time network
113s
platform
windows10_x64
resource
win10v20210408
submitted
05-05-2021 13:33

Sharing

Report Analysis Logs

General

Target

70fea7d5e2aee066022e34afd14fe251.dll
Size

1.4MB
MD5

70fea7d5e2aee066022e34afd14fe251
SHA1

f129ba34313f97f973d1ed7df6df69e383428d5c
SHA256

154bb70ce4102c04094ec6076d61fcdbb53bdb01e8e401fbeeab42e667cc7778
SHA512

84b0994895ed695838a800e6b991cdd0357cb7ba159f47daa8846482902cea07d50653d7ae525e9b291b457f193f59ab05ae55c9bd26367413a44591572306fc

Score

10^/10

qakbot banker stealer trojan

Malware Config

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 784 wrote to memory of 408	784	rundll32.exe	rundll32.exe
PID 784 wrote to memory of 408	784	rundll32.exe	rundll32.exe
PID 784 wrote to memory of 408	784	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\70fea7d5e2aee066022e34afd14fe251.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:784

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\70fea7d5e2aee066022e34afd14fe251.dll,#1
2⤵
PID:408

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/408-114-0x0000000000000000-mapping.dmp

Download
memory/408-115-0x0000000003FF0000-0x000000000415C000-memory.dmp

Filesize
1.4MB

Download
memory/408-116-0x0000000000540000-0x000000000068A000-memory.dmp

Filesize
1.3MB

Download
memory/408-117-0x00000000042A0000-0x00000000042CD000-memory.dmp

Filesize
180KB

Download