qakbot | 10afa9374deef0bc44fae6fc28be88c3999bb2410f07b7159dbd1882a94e9189

Resubmissions

14/10/2022, 19:38

14/10/2022, 18:36

max time kernel
150s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
14/10/2022, 18:36

Target

uncited.dat.dll
Size

638KB
MD5

7f1fc752865619dbe870ab5630e901d6
SHA1

43878660e33f52f22ed1de323f2c426870174dd7
SHA256

10afa9374deef0bc44fae6fc28be88c3999bb2410f07b7159dbd1882a94e9189
SHA512

f085bcb6e666324e9f3f6cf0a9d3fe353fe4d100669512d66d1fc10abb9e9addb0c798fbbd8207f77daaea72fcd057bf22e710d14cfd97f4d24fdf7513b968c7
SSDEEP

12288:fa2sTwwDbozbuUijWQ2ieToMjavBxHuZXJMeGbX//IO:fBs1QuUijWHVUM+HOZXJM5T//I

Score

10^/10

Family

qakbot

Version

403.973

Botnet

BB02

Campaign

1665761649

211.47.11.62:33850

Attributes

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4812	2244	WerFault.exe	32

Suspicious behavior: EnumeratesProcesses 64 IoCs

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2244	rundll32.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4412 wrote to memory of 2244	4412	rundll32.exe	32
PID 4412 wrote to memory of 2244	4412	rundll32.exe	32
PID 4412 wrote to memory of 2244	4412	rundll32.exe	32
PID 2244 wrote to memory of 1928	2244	rundll32.exe	85
PID 2244 wrote to memory of 1928	2244	rundll32.exe	85
PID 2244 wrote to memory of 1928	2244	rundll32.exe	85
PID 2244 wrote to memory of 1928	2244	rundll32.exe	85
PID 2244 wrote to memory of 1928	2244	rundll32.exe	85

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\uncited.dat.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4412
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\uncited.dat.dll,#1
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:2244
- - C:\Windows\SysWOW64\wermgr.exe
    C:\Windows\SysWOW64\wermgr.exe
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1928
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2244 -s 688
    3⤵
    - Program crash
    PID:4812

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2244 -ip 2244
1⤵
PID:3040

memory/1928-137-0x0000000000FC0000-0x0000000000FE9000-memory.dmp

Filesize
164KB

Download
memory/2244-133-0x0000000002660000-0x0000000002689000-memory.dmp

Filesize
164KB

Download
memory/2244-134-0x0000000000C30000-0x0000000000C5A000-memory.dmp

Filesize
168KB

Download
memory/2244-135-0x0000000002660000-0x0000000002689000-memory.dmp

Filesize
164KB

Download
memory/2244-138-0x0000000002660000-0x0000000002689000-memory.dmp

Filesize
164KB

Download