qakbot | a3eb42abc461cd5cc26bc87a8e7c93ec1eaa46b40c15a55b94b7c76b48cf0b0a

Analysis

max time kernel
115s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
26-02-2024 21:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a3eb42abc461cd5cc26bc87a8e7c93ec1eaa46b40c15a55b94b7c76b48cf0b0a.dll
Size

1.1MB
MD5

cf300cd47a865824c2f8705aebae6eee
SHA1

a064a0ee077e465f14f435676ff794ecc80f08c6
SHA256

a3eb42abc461cd5cc26bc87a8e7c93ec1eaa46b40c15a55b94b7c76b48cf0b0a
SHA512

36f0f12637cedd0ca15ec37ac41cb1415dc190d67d94693c49178e751b1db7f79f0ca400ee6fd4d8d31296d8773958cf077d295232647c62512a14f80b322402
SSDEEP

24576:UmfEXFuca6UFUqybkX0YuSw7zMYQ0a4lFb2:UmMu6+UfYXXuSoWx+

Score

10^/10

qakbot obama181 1651246804 banker stealer trojan

Malware Config

Extracted

Family

qakbot

Version

403.573

Botnet

obama181

Campaign

1651246804

47.23.89.62:995

2.34.12.8:443

38.70.253.226:2222

47.23.89.62:993

75.99.168.194:443

41.228.22.180:443

140.82.49.12:443

148.64.96.100:443

108.60.213.141:443

2.50.4.57:443

187.208.137.144:443

187.207.47.198:61202

187.250.114.15:443

86.132.13.91:2078

149.135.101.20:443

67.209.195.198:443

187.172.170.129:443

190.252.242.69:443

174.69.215.101:443

75.99.168.194:61201

Attributes

salt
jHxastDcds)oMc=jvh7wdUhxcsdt2

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

5116 3364 WerFault.exe rundll32.exe

pid	pid_target	process	target process
5116	3364	WerFault.exe	rundll32.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 2748 wrote to memory of 3364	2748	rundll32.exe	rundll32.exe
PID 2748 wrote to memory of 3364	2748	rundll32.exe	rundll32.exe
PID 2748 wrote to memory of 3364	2748	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\a3eb42abc461cd5cc26bc87a8e7c93ec1eaa46b40c15a55b94b7c76b48cf0b0a.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2748

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\a3eb42abc461cd5cc26bc87a8e7c93ec1eaa46b40c15a55b94b7c76b48cf0b0a.dll,#1
2⤵
PID:3364

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3364 -s 668
3⤵
- Program crash
PID:5116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3364 -ip 3364
1⤵
PID:3752

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4100 --field-trial-handle=3044,i,17059189006398306756,4247826696353232857,262144 --variations-seed-version /prefetch:8
1⤵
PID:3772

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3364-0-0x0000000001210000-0x0000000001211000-memory.dmp

Filesize
4KB

Download
memory/3364-1-0x0000000003340000-0x00000000033CA000-memory.dmp

Filesize
552KB

Download
memory/3364-2-0x0000000003460000-0x00000000034EF000-memory.dmp

Filesize
572KB

Download
memory/3364-3-0x0000000003460000-0x00000000034EF000-memory.dmp

Filesize
572KB

Download
memory/3364-5-0x0000000003460000-0x00000000034EF000-memory.dmp

Filesize
572KB

Download
memory/3364-6-0x0000000000400000-0x0000000000521000-memory.dmp

Filesize
1.1MB

Download
memory/3364-7-0x0000000003340000-0x00000000033CA000-memory.dmp

Filesize
552KB

Download