qakbot | b6e629128e9316820cfd5bdfe4d621d5a7435717879d554567df31352fb8558e

Analysis

max time kernel
47s
max time network
52s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
28/10/2022, 13:30

Target

b6e629128e9316820cfd5bdfe4d621d5a7435717879d554567df31352fb8558e.dll
Size

157KB
MD5

258f4d970b7185375d31dc46a939a6ff
SHA1

bf33205fb9aa14345384245823ee11d84b538cfd
SHA256

b6e629128e9316820cfd5bdfe4d621d5a7435717879d554567df31352fb8558e
SHA512

c5b9a87fc1d6a21ff22e4d1e4dfd9174545e05f7e37d9a0c63e801a9f813f3b732c04b1b76d66da72e4cebaa47efcf697d0025a6e75284c582c5589a026cb9df
SSDEEP

3072:O040Uu4Yjm8j7qHllvH2AoJgSXRETBfNirskO/yaY/fT:p4YjTjGHnzoJhXRETBlirsP/g/

Score

10^/10

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1268 wrote to memory of 824	1268	regsvr32.exe	27
PID 1268 wrote to memory of 824	1268	regsvr32.exe	27
PID 1268 wrote to memory of 824	1268	regsvr32.exe	27
PID 1268 wrote to memory of 824	1268	regsvr32.exe	27
PID 1268 wrote to memory of 824	1268	regsvr32.exe	27
PID 1268 wrote to memory of 824	1268	regsvr32.exe	27
PID 1268 wrote to memory of 824	1268	regsvr32.exe	27

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\b6e629128e9316820cfd5bdfe4d621d5a7435717879d554567df31352fb8558e.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:1268
- C:\Windows\SysWOW64\regsvr32.exe
  /s C:\Users\Admin\AppData\Local\Temp\b6e629128e9316820cfd5bdfe4d621d5a7435717879d554567df31352fb8558e.dll
  2⤵
  PID:824

memory/824-56-0x00000000757A1000-0x00000000757A3000-memory.dmp

Filesize
8KB

Download
memory/824-57-0x00000000001C0000-0x00000000001E9000-memory.dmp

Filesize
164KB

Download
memory/824-59-0x00000000001C0000-0x00000000001E9000-memory.dmp

Filesize
164KB

Download
memory/1268-54-0x000007FEFB8B1000-0x000007FEFB8B3000-memory.dmp

Filesize
8KB

Download