qakbot | 175a611670e535ef1033f4cb95afd974b24334c2ceddb26b320ca14455a40bb6

Analysis

max time kernel
31s
max time network
121s
platform
windows10_x64
resource
win10v20210410
submitted
07-05-2021 10:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

175a611670e535ef1033f4cb95afd974b24334c2ceddb26b320ca14455a40bb6.dll
Size

963KB
MD5

16f84c82e6f0d47389f70d59d395778d
SHA1

2bc9c1965b0996d9f2e931f1a83dcf81ffd66876
SHA256

175a611670e535ef1033f4cb95afd974b24334c2ceddb26b320ca14455a40bb6
SHA512

78b6b58a857f54038daf1769ec52c23bd2fc5a4d79e3fa4dcd4df2c2a2bbc7a10f2d456a710f1b8ea1fdc67a666933204072e4f361c27101105de61e4efd751b

Score

10^/10

qakbot domain02 1613028094 banker stealer trojan

Malware Config

Extracted

Family

qakbot

Version

401.138

Botnet

domain02

Campaign

1613028094

32.210.98.6:443

70.49.88.199:2222

151.205.102.42:443

178.152.79.153:995

216.195.46.163:2222

72.252.201.69:443

90.65.236.181:2222

98.173.34.212:995

97.69.160.4:2222

69.245.102.225:443

144.139.166.18:443

73.25.124.140:2222

189.223.205.126:443

157.131.108.180:443

71.197.126.250:443

73.228.197.5:443

151.213.189.62:443

24.229.150.54:995

84.72.35.226:443

199.19.117.131:443

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2348 4076 WerFault.exe rundll32.exe

pid	pid_target	process	target process
2348	4076	WerFault.exe	rundll32.exe

Suspicious behavior: EnumeratesProcesses 15 IoCs

Processes:

WerFault.exe

pid	process
2348	WerFault.exe
2348	WerFault.exe
2348	WerFault.exe
2348	WerFault.exe
2348	WerFault.exe
2348	WerFault.exe
2348	WerFault.exe
2348	WerFault.exe
2348	WerFault.exe
2348	WerFault.exe
2348	WerFault.exe
2348	WerFault.exe
2348	WerFault.exe
2348	WerFault.exe
2348	WerFault.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

WerFault.exe

description pid process

Token: SeRestorePrivilege 2348 WerFault.exe
Token: SeBackupPrivilege 2348 WerFault.exe
Token: SeDebugPrivilege 2348 WerFault.exe

description	pid	process
Token: SeRestorePrivilege	2348	WerFault.exe
Token: SeBackupPrivilege	2348	WerFault.exe
Token: SeDebugPrivilege	2348	WerFault.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 3944 wrote to memory of 4076	3944	rundll32.exe	rundll32.exe
PID 3944 wrote to memory of 4076	3944	rundll32.exe	rundll32.exe
PID 3944 wrote to memory of 4076	3944	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\175a611670e535ef1033f4cb95afd974b24334c2ceddb26b320ca14455a40bb6.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:3944

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\175a611670e535ef1033f4cb95afd974b24334c2ceddb26b320ca14455a40bb6.dll,#1
2⤵
PID:4076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4076 -s 736
3⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2348

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4076-114-0x0000000000000000-mapping.dmp

Download
memory/4076-115-0x00000000007D0000-0x00000000008C5000-memory.dmp

Filesize
980KB

Download
memory/4076-116-0x00000000008D0000-0x00000000008D1000-memory.dmp

Filesize
4KB

Download
memory/4076-117-0x0000000001050000-0x0000000001083000-memory.dmp

Filesize
204KB

Download
memory/4076-118-0x0000000004570000-0x00000000045A5000-memory.dmp

Filesize
212KB

Download