qakbot | 5094e17105845238a6a2aaf54cd6769733032009a9ddd24e8af046837c1c12e6

General

Target

md.dll
Size

2.8MB
MD5

04416cf8bf1c7d31a606edff765529df
SHA1

bb6abc451db164e17a5dd030b355b309c219623d
SHA256

5094e17105845238a6a2aaf54cd6769733032009a9ddd24e8af046837c1c12e6
SHA512

348e86e7efa139f90fe71b751d476aa0ea6e83cc0cc37f9d18b4d9ebc0d37a47bafc4d911a603457bd6d36b7ed323520b11df06edb69605c961c721037628317

Score

10^/10

qakbot domain02 1606721866 banker stealer trojan

Malware Config

Extracted

Family

qakbot

Botnet

domain02

Campaign

1606721866

C2

106.51.52.111:443

2.88.53.159:995

89.33.87.107:443

185.105.131.233:443

175.137.119.141:443

197.161.154.132:443

39.32.125.15:995

217.133.54.140:32100

118.70.55.146:443

86.97.221.121:443

194.243.78.225:443

87.27.110.90:2222

196.151.252.84:443

5.15.30.56:443

85.121.42.12:443

90.23.117.67:2222

197.45.110.165:995

86.99.134.235:2222

59.96.165.120:443

174.76.21.134:443

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot
Loads dropped DLL 1 IoCs

Processes:

regsvr32.exe

pid process

308 regsvr32.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

316 schtasks.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

rundll32.exe

pid process

1876 rundll32.exe
1876 rundll32.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

rundll32.exe

pid process

1876 rundll32.exe

pid	process
308	regsvr32.exe

pid	process
316	schtasks.exe

pid	process
1876	rundll32.exe
1876	rundll32.exe

pid	process
1876	rundll32.exe

Suspicious use of WriteProcessMemory 29 IoCs

Processes:

rundll32.exerundll32.exeexplorer.exetaskeng.exeregsvr32.exe

description	pid	process	target process
PID 1756 wrote to memory of 1876	1756	rundll32.exe	rundll32.exe
PID 1756 wrote to memory of 1876	1756	rundll32.exe	rundll32.exe
PID 1756 wrote to memory of 1876	1756	rundll32.exe	rundll32.exe
PID 1756 wrote to memory of 1876	1756	rundll32.exe	rundll32.exe
PID 1756 wrote to memory of 1876	1756	rundll32.exe	rundll32.exe
PID 1756 wrote to memory of 1876	1756	rundll32.exe	rundll32.exe
PID 1756 wrote to memory of 1876	1756	rundll32.exe	rundll32.exe
PID 1876 wrote to memory of 1360	1876	rundll32.exe	explorer.exe
PID 1876 wrote to memory of 1360	1876	rundll32.exe	explorer.exe
PID 1876 wrote to memory of 1360	1876	rundll32.exe	explorer.exe
PID 1876 wrote to memory of 1360	1876	rundll32.exe	explorer.exe
PID 1876 wrote to memory of 1360	1876	rundll32.exe	explorer.exe
PID 1876 wrote to memory of 1360	1876	rundll32.exe	explorer.exe
PID 1360 wrote to memory of 316	1360	explorer.exe	schtasks.exe
PID 1360 wrote to memory of 316	1360	explorer.exe	schtasks.exe
PID 1360 wrote to memory of 316	1360	explorer.exe	schtasks.exe
PID 1360 wrote to memory of 316	1360	explorer.exe	schtasks.exe
PID 1752 wrote to memory of 940	1752	taskeng.exe	regsvr32.exe
PID 1752 wrote to memory of 940	1752	taskeng.exe	regsvr32.exe
PID 1752 wrote to memory of 940	1752	taskeng.exe	regsvr32.exe
PID 1752 wrote to memory of 940	1752	taskeng.exe	regsvr32.exe
PID 1752 wrote to memory of 940	1752	taskeng.exe	regsvr32.exe
PID 940 wrote to memory of 308	940	regsvr32.exe	regsvr32.exe
PID 940 wrote to memory of 308	940	regsvr32.exe	regsvr32.exe
PID 940 wrote to memory of 308	940	regsvr32.exe	regsvr32.exe
PID 940 wrote to memory of 308	940	regsvr32.exe	regsvr32.exe
PID 940 wrote to memory of 308	940	regsvr32.exe	regsvr32.exe
PID 940 wrote to memory of 308	940	regsvr32.exe	regsvr32.exe
PID 940 wrote to memory of 308	940	regsvr32.exe	regsvr32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\md.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1756

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\md.dll,#1
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1876

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:1360

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn yuiosjoeef /tr "regsvr32.exe -s \"C:\Users\Admin\AppData\Local\Temp\md.dll\"" /SC ONCE /Z /ST 23:09 /ET 23:21
4⤵
- Creates scheduled task(s)
PID:316

C:\Windows\system32\taskeng.exe
taskeng.exe {32510ACF-93B4-46D5-9262-35DE36C4098F} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:1752

C:\Windows\system32\regsvr32.exe
regsvr32.exe -s "C:\Users\Admin\AppData\Local\Temp\md.dll"
2⤵
- Suspicious use of WriteProcessMemory
PID:940

C:\Windows\SysWOW64\regsvr32.exe
-s "C:\Users\Admin\AppData\Local\Temp\md.dll"
3⤵
- Loads dropped DLL
PID:308

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\md.dll
MD5
1a432a326b9f524ed074dc31c5fc69b2

SHA1
4a3b745cbe7a330e47899aae90572133692f2e89

SHA256
f7b3fcb472ea7e17b2506080df874fdf8a212a5a59485b628a3787c61348b2e1

SHA512
837da7d609c635b0a2b01b6377512f749d93a91860331ced46265b96a6c816233841a55f8bd0e0c0bf6ac28c814649b1f3fc91aa3420ae45dc3805a40e543c35

Download Submit
\Users\Admin\AppData\Local\Temp\md.dll
MD5
1a432a326b9f524ed074dc31c5fc69b2

SHA1
4a3b745cbe7a330e47899aae90572133692f2e89

SHA256
f7b3fcb472ea7e17b2506080df874fdf8a212a5a59485b628a3787c61348b2e1

SHA512
837da7d609c635b0a2b01b6377512f749d93a91860331ced46265b96a6c816233841a55f8bd0e0c0bf6ac28c814649b1f3fc91aa3420ae45dc3805a40e543c35

Download Submit
memory/308-11-0x0000000000000000-mapping.dmp

Download
memory/316-7-0x0000000000000000-mapping.dmp

Download
memory/940-9-0x0000000000000000-mapping.dmp

Download
memory/1360-3-0x00000000000A0000-0x00000000000A2000-memory.dmp

Filesize
8KB

Download
memory/1360-5-0x0000000000000000-mapping.dmp

Download
memory/1360-8-0x0000000000080000-0x00000000000A0000-memory.dmp

Filesize
128KB

Download
memory/1876-2-0x0000000000000000-mapping.dmp

Download
memory/1876-4-0x00000000001D0000-0x00000000001F0000-memory.dmp

Filesize
128KB

Download
memory/1876-6-0x00000000001B0000-0x00000000001D0000-memory.dmp

Filesize
128KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads