qakbot | 8f51c35eb0afafd2d29a2b68d1db0d700422d6dbc16ac2ff915e24eb8fb288bc | Triage

Analysis

max time kernel
91s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
14/10/2022, 19:05

Sharing

Report Analysis Logs

General

Target

pimpled.dat.dll
Size

638KB
MD5

19f11dfb3c7baec741a805a702ffd34e
SHA1

81844f0c82ec87a62746f4225f7b0110cafd68a8
SHA256

8f51c35eb0afafd2d29a2b68d1db0d700422d6dbc16ac2ff915e24eb8fb288bc
SHA512

f27e87774edca87f3f72e9ae9eeac9511f252873200d1efe546597f657b22e2809506af3a0281f040efbf752779ea7615df151f6d1c4538b892b37d9152fb68f
SSDEEP

12288:fa2sTwwDbozbuUijWQ2ieToMjavBAHuZXJMeGbX//IO:fBs1QuUijWHVUM++OZXJM5T//I

Score

10^/10

qakbot bb02 1665761649 banker stealer trojan

Malware Config

Extracted

Family

qakbot

Version

403.973

Botnet

BB02

Campaign

1665761649

C2

211.47.11.62:33850

Attributes

salt
SoNuce]ugdiB3c[doMuce2s81*uXmcvP

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4796	1116	WerFault.exe	83

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1116	rundll32.exe
1116	rundll32.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 744 wrote to memory of 1116	744	rundll32.exe	83
PID 744 wrote to memory of 1116	744	rundll32.exe	83
PID 744 wrote to memory of 1116	744	rundll32.exe	83

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\pimpled.dat.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:744
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\pimpled.dat.dll,#1
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1116
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1116 -s 668
    3⤵
    - Program crash
    PID:4796

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 1116 -ip 1116
1⤵
PID:4880

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1116-133-0x00000000030C0000-0x00000000030E9000-memory.dmp

Filesize
164KB

Download
memory/1116-134-0x0000000002C20000-0x0000000002C4A000-memory.dmp

Filesize
168KB

Download
memory/1116-135-0x00000000030C0000-0x00000000030E9000-memory.dmp

Filesize
164KB

Download