qakbot | 8f51c35eb0afafd2d29a2b68d1db0d700422d6dbc16ac2ff915e24eb8fb288bc

Analysis

max time kernel
149s
max time network
50s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
14/10/2022, 19:05

Target

pimpled.dat.dll
Size

638KB
MD5

19f11dfb3c7baec741a805a702ffd34e
SHA1

81844f0c82ec87a62746f4225f7b0110cafd68a8
SHA256

8f51c35eb0afafd2d29a2b68d1db0d700422d6dbc16ac2ff915e24eb8fb288bc
SHA512

f27e87774edca87f3f72e9ae9eeac9511f252873200d1efe546597f657b22e2809506af3a0281f040efbf752779ea7615df151f6d1c4538b892b37d9152fb68f
SSDEEP

12288:fa2sTwwDbozbuUijWQ2ieToMjavBAHuZXJMeGbX//IO:fBs1QuUijWHVUM++OZXJM5T//I

Score

10^/10

Family

qakbot

Version

403.973

Botnet

BB02

Campaign

1665761649

211.47.11.62:33850

Attributes

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot

Suspicious behavior: EnumeratesProcesses 64 IoCs

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
1808	rundll32.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 1324 wrote to memory of 1808	1324	rundll32.exe	27
PID 1324 wrote to memory of 1808	1324	rundll32.exe	27
PID 1324 wrote to memory of 1808	1324	rundll32.exe	27
PID 1324 wrote to memory of 1808	1324	rundll32.exe	27
PID 1324 wrote to memory of 1808	1324	rundll32.exe	27
PID 1324 wrote to memory of 1808	1324	rundll32.exe	27
PID 1324 wrote to memory of 1808	1324	rundll32.exe	27
PID 1808 wrote to memory of 1972	1808	rundll32.exe	28
PID 1808 wrote to memory of 1972	1808	rundll32.exe	28
PID 1808 wrote to memory of 1972	1808	rundll32.exe	28
PID 1808 wrote to memory of 1972	1808	rundll32.exe	28
PID 1808 wrote to memory of 1972	1808	rundll32.exe	28
PID 1808 wrote to memory of 1972	1808	rundll32.exe	28

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\pimpled.dat.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1324
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\pimpled.dat.dll,#1
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:1808
- - C:\Windows\SysWOW64\wermgr.exe
    C:\Windows\SysWOW64\wermgr.exe
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1972

memory/1808-55-0x0000000075AC1000-0x0000000075AC3000-memory.dmp

Filesize
8KB

Download
memory/1808-56-0x0000000000620000-0x00000000006C4000-memory.dmp

Filesize
656KB

Download
memory/1808-57-0x00000000006D0000-0x00000000006F9000-memory.dmp

Filesize
164KB

Download
memory/1808-58-0x00000000006D0000-0x00000000006F9000-memory.dmp

Filesize
164KB

Download
memory/1808-59-0x00000000006D0000-0x00000000006F9000-memory.dmp

Filesize
164KB

Download
memory/1808-60-0x0000000000310000-0x000000000033A000-memory.dmp

Filesize
168KB

Download
memory/1808-61-0x00000000006D0000-0x00000000006F9000-memory.dmp

Filesize
164KB

Download
memory/1808-64-0x00000000006D0000-0x00000000006F9000-memory.dmp

Filesize
164KB

Download
memory/1972-65-0x0000000000080000-0x00000000000A9000-memory.dmp

Filesize
164KB

Download
memory/1972-66-0x0000000000080000-0x00000000000A9000-memory.dmp

Filesize
164KB

Download