qakbot | cf6fea34af1f1e02cfc44a685bc90c9c8c04e18a722ccf61ec73d952df774f80 | Triage

Analysis

max time kernel
34s
max time network
112s
platform
windows10_x64
resource
win10v20210410
submitted
07-05-2021 10:08

Sharing

Report Analysis Logs

General

Target

cf6fea34af1f1e02cfc44a685bc90c9c8c04e18a722ccf61ec73d952df774f80.dll
Size

909KB
MD5

ee0a11ed10588b6c7c35b6a36f0998da
SHA1

21e0eb33704b6dcf2e1899d90d6600a5db60e864
SHA256

cf6fea34af1f1e02cfc44a685bc90c9c8c04e18a722ccf61ec73d952df774f80
SHA512

e5319309a939ab8be761b94247e8f196a315f0e8bf66d1e31a94bde2f853dbc5143a2a2906ba0c0f2ef6f652e761de8befb78f545e6ea59aae9222e87fb4ec20

Score

10^/10

qakbot banker stealer trojan

Malware Config

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

940 3196 WerFault.exe rundll32.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

WerFault.exe

pid	process
940	WerFault.exe
940	WerFault.exe
940	WerFault.exe
940	WerFault.exe
940	WerFault.exe
940	WerFault.exe
940	WerFault.exe
940	WerFault.exe
940	WerFault.exe
940	WerFault.exe
940	WerFault.exe
940	WerFault.exe
940	WerFault.exe
940	WerFault.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

WerFault.exe

description pid process

Token: SeRestorePrivilege 940 WerFault.exe
Token: SeBackupPrivilege 940 WerFault.exe
Token: SeDebugPrivilege 940 WerFault.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 3724 wrote to memory of 3196	3724	rundll32.exe	rundll32.exe
PID 3724 wrote to memory of 3196	3724	rundll32.exe	rundll32.exe
PID 3724 wrote to memory of 3196	3724	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\cf6fea34af1f1e02cfc44a685bc90c9c8c04e18a722ccf61ec73d952df774f80.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:3724

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\cf6fea34af1f1e02cfc44a685bc90c9c8c04e18a722ccf61ec73d952df774f80.dll,#1
2⤵
PID:3196

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3196 -s 768
3⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:940

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3196-114-0x0000000000000000-mapping.dmp

Download
memory/3196-115-0x0000000003240000-0x00000000032A7000-memory.dmp

Filesize
412KB

Download
memory/3196-116-0x00000000032C0000-0x00000000032F4000-memory.dmp

Filesize
208KB

Download
memory/3196-117-0x0000000003320000-0x000000000346A000-memory.dmp

Filesize
1.3MB

Download