qakbot | a2869406c4661b2c003f0d38aebe8f8e5715bdbc7d67e429023cb0726dbc13f5

Analysis

max time kernel
39s
max time network
110s
platform
windows10_x64
resource
win10v20210410
submitted
07-05-2021 10:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a2869406c4661b2c003f0d38aebe8f8e5715bdbc7d67e429023cb0726dbc13f5.dll
Size

1.0MB
MD5

f8bedd553a00abdc81ae847d21e958a1
SHA1

1b5ac0acbba430c9e4ccad70a59eb2dedc9b0f5b
SHA256

a2869406c4661b2c003f0d38aebe8f8e5715bdbc7d67e429023cb0726dbc13f5
SHA512

d0089483de35cda1b5fd0e498f7af2f3d471d08fd86cd7efb00df75e9a41fecaccfedfb34f048d69f2663062fd177e823c1213831ce22e0076506ed5eeb35b4e

Score

10^/10

qakbot domain02 1613028094 banker stealer trojan

Malware Config

Extracted

Family

qakbot

Version

401.138

Botnet

domain02

Campaign

1613028094

32.210.98.6:443

70.49.88.199:2222

151.205.102.42:443

178.152.79.153:995

216.195.46.163:2222

72.252.201.69:443

90.65.236.181:2222

98.173.34.212:995

97.69.160.4:2222

69.245.102.225:443

144.139.166.18:443

73.25.124.140:2222

189.223.205.126:443

157.131.108.180:443

71.197.126.250:443

73.228.197.5:443

151.213.189.62:443

24.229.150.54:995

84.72.35.226:443

199.19.117.131:443

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2352 3464 WerFault.exe rundll32.exe

pid	pid_target	process	target process
2352	3464	WerFault.exe	rundll32.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

WerFault.exe

pid	process
2352	WerFault.exe
2352	WerFault.exe
2352	WerFault.exe
2352	WerFault.exe
2352	WerFault.exe
2352	WerFault.exe
2352	WerFault.exe
2352	WerFault.exe
2352	WerFault.exe
2352	WerFault.exe
2352	WerFault.exe
2352	WerFault.exe
2352	WerFault.exe
2352	WerFault.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

WerFault.exe

description pid process

Token: SeRestorePrivilege 2352 WerFault.exe
Token: SeBackupPrivilege 2352 WerFault.exe
Token: SeDebugPrivilege 2352 WerFault.exe

description	pid	process
Token: SeRestorePrivilege	2352	WerFault.exe
Token: SeBackupPrivilege	2352	WerFault.exe
Token: SeDebugPrivilege	2352	WerFault.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 3896 wrote to memory of 3464	3896	rundll32.exe	rundll32.exe
PID 3896 wrote to memory of 3464	3896	rundll32.exe	rundll32.exe
PID 3896 wrote to memory of 3464	3896	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\a2869406c4661b2c003f0d38aebe8f8e5715bdbc7d67e429023cb0726dbc13f5.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:3896

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\a2869406c4661b2c003f0d38aebe8f8e5715bdbc7d67e429023cb0726dbc13f5.dll,#1
2⤵
PID:3464

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3464 -s 764
3⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2352

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3464-114-0x0000000000000000-mapping.dmp

Download
memory/3464-115-0x0000000000E20000-0x0000000000F27000-memory.dmp

Filesize
1.0MB

Download
memory/3464-116-0x0000000000A60000-0x0000000000A61000-memory.dmp

Filesize
4KB

Download
memory/3464-117-0x00000000049E0000-0x0000000004A40000-memory.dmp

Filesize
384KB

Download
memory/3464-118-0x0000000004A40000-0x0000000004A75000-memory.dmp

Filesize
212KB

Download