qakbot | 3b4d7f8036918c75267ca13980ac17419652c12d968336013808b04151b47455 | Triage

Analysis

max time kernel
11s
max time network
119s
platform
windows10_x64
resource
win10v20210410
submitted
16-06-2021 14:43

Sharing

Report Analysis Logs

General

Target

de9aac78d73718b4cb88e046cfdd8113.dll
Size

893KB
MD5

de9aac78d73718b4cb88e046cfdd8113
SHA1

fddc61687e4a8e94a6ca9581979ece4aa7c08f08
SHA256

3b4d7f8036918c75267ca13980ac17419652c12d968336013808b04151b47455
SHA512

5abfb50760a0f5c180c50e185df70ecfafc00fb4ce300959f2e048897409a83f76a60f63f1c7250ef550a720cb9881600bec7da79e03b78c4316d10bbbfca3eb

Score

10^/10

qakbot banker stealer trojan

Malware Config

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1400 736 WerFault.exe rundll32.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

Processes:

rundll32.exeWerFault.exe

pid	process
736	rundll32.exe
736	rundll32.exe
1400	WerFault.exe
1400	WerFault.exe
1400	WerFault.exe
1400	WerFault.exe
1400	WerFault.exe
1400	WerFault.exe
1400	WerFault.exe
1400	WerFault.exe
1400	WerFault.exe
1400	WerFault.exe
1400	WerFault.exe
1400	WerFault.exe
1400	WerFault.exe
1400	WerFault.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

WerFault.exe

description pid process

Token: SeRestorePrivilege 1400 WerFault.exe
Token: SeBackupPrivilege 1400 WerFault.exe
Token: SeDebugPrivilege 1400 WerFault.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 3380 wrote to memory of 736	3380	rundll32.exe	rundll32.exe
PID 3380 wrote to memory of 736	3380	rundll32.exe	rundll32.exe
PID 3380 wrote to memory of 736	3380	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\de9aac78d73718b4cb88e046cfdd8113.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:3380

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\de9aac78d73718b4cb88e046cfdd8113.dll,#1
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:736

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 736 -s 716
3⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1400

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/736-114-0x0000000000000000-mapping.dmp

Download
memory/736-115-0x00000000048C0000-0x00000000048F0000-memory.dmp

Filesize
192KB

Download
memory/736-116-0x0000000004940000-0x000000000496F000-memory.dmp

Filesize
188KB

Download