qakbot | 3622f351a8f8f92162c87de3a0abeb4ef9b51968fd6fb3ac1b7b73aea10acb48

Analysis

max time kernel
85s
max time network
87s
platform
windows10_x64
resource
win10v20210408
submitted
30-09-2021 20:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3622f351a8f8f92162c87de3a0abeb4ef9b51968fd6fb3ac1b7b73aea10acb48.dll
Size

885KB
MD5

979d8fb51f2c6e1c65fec4d0418bc473
SHA1

0b210966844c2cd707e2e27d463fcd5698568ac6
SHA256

3622f351a8f8f92162c87de3a0abeb4ef9b51968fd6fb3ac1b7b73aea10acb48
SHA512

d5d71a70a1e91f4ac8f3a3a936b96a0da4976ad823784fd89c15c4460630d02252b7a493e43abd1356f18d0f9118b486611bac256458ff79f19afa207a622a88

Score

10^/10

qakbot tr 1632730751 banker stealer trojan

Malware Config

Extracted

Family

qakbot

Version

402.343

Botnet

Campaign

1632730751

95.77.223.148:443

47.22.148.6:443

89.101.97.139:443

27.223.92.142:995

120.151.47.189:443

136.232.34.70:443

120.150.218.241:995

185.250.148.74:443

181.118.183.94:443

140.82.49.12:443

67.165.206.193:993

103.148.120.144:443

71.74.12.34:443

76.25.142.196:443

73.151.236.31:443

173.21.10.71:2222

75.188.35.168:443

2.178.88.145:61202

71.80.168.245:443

45.46.53.140:2222

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3984 624 WerFault.exe rundll32.exe

pid	pid_target	process	target process
3984	624	WerFault.exe	rundll32.exe

Suspicious behavior: EnumeratesProcesses 15 IoCs

Processes:

rundll32.exeWerFault.exe

pid	process
624	rundll32.exe
624	rundll32.exe
3984	WerFault.exe
3984	WerFault.exe
3984	WerFault.exe
3984	WerFault.exe
3984	WerFault.exe
3984	WerFault.exe
3984	WerFault.exe
3984	WerFault.exe
3984	WerFault.exe
3984	WerFault.exe
3984	WerFault.exe
3984	WerFault.exe
3984	WerFault.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

WerFault.exe

description pid process

Token: SeRestorePrivilege 3984 WerFault.exe
Token: SeBackupPrivilege 3984 WerFault.exe
Token: SeDebugPrivilege 3984 WerFault.exe

description	pid	process
Token: SeRestorePrivilege	3984	WerFault.exe
Token: SeBackupPrivilege	3984	WerFault.exe
Token: SeDebugPrivilege	3984	WerFault.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 532 wrote to memory of 624	532	rundll32.exe	rundll32.exe
PID 532 wrote to memory of 624	532	rundll32.exe	rundll32.exe
PID 532 wrote to memory of 624	532	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\3622f351a8f8f92162c87de3a0abeb4ef9b51968fd6fb3ac1b7b73aea10acb48.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:532

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\3622f351a8f8f92162c87de3a0abeb4ef9b51968fd6fb3ac1b7b73aea10acb48.dll,#1
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:624

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 624 -s 736
3⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3984

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/624-114-0x0000000000000000-mapping.dmp

Download
memory/624-115-0x00000000034D0000-0x00000000034D1000-memory.dmp

Filesize
4KB

Download
memory/624-116-0x00000000035D0000-0x00000000035F5000-memory.dmp

Filesize
148KB

Download
memory/624-117-0x00000000053C0000-0x00000000053E1000-memory.dmp

Filesize
132KB

Download