qakbot | 3984b1072731ae1a7e6f83b76e1fbbca09e0f2968d06087f2579e22edb56edc2

General

Target

894423f39835051eafd433c4d0f726f3db172520.dll
Size

2.0MB
MD5

b2a9a4e1656bdb5749de4f228dc9f307
SHA1

894423f39835051eafd433c4d0f726f3db172520
SHA256

3984b1072731ae1a7e6f83b76e1fbbca09e0f2968d06087f2579e22edb56edc2
SHA512

74b73e5afdb0ccf701a1d877e1381b1b7b6fa4a81a3b06e6021169ebb3ba936ec01c2b148aa3ee5c2344ae40c349edd0188dd85e2c874dc7f6adbc841e0768af

Score

10^/10

qakbot tr02 1607955641 banker stealer trojan

Malware Config

Extracted

Family

qakbot

Botnet

tr02

Campaign

1607955641

C2

120.151.95.167:443

47.44.217.98:443

32.212.117.188:443

184.97.145.239:443

86.121.3.80:443

83.110.97.149:443

83.194.193.247:2222

105.198.236.101:443

35.134.202.234:443

189.62.175.92:22

2.89.122.157:443

78.97.207.104:443

208.93.202.41:443

45.118.216.157:443

5.204.148.208:995

5.15.226.81:443

66.26.160.37:443

84.78.128.76:2222

80.106.85.24:2222

108.31.15.10:995

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot
Loads dropped DLL 1 IoCs

Processes:

regsvr32.exe

pid process

1084 regsvr32.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1928 schtasks.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

rundll32.exe

pid process

1768 rundll32.exe
1768 rundll32.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

rundll32.exe

pid process

1768 rundll32.exe

pid	process
1084	regsvr32.exe

pid	process
1928	schtasks.exe

pid	process
1768	rundll32.exe
1768	rundll32.exe

pid	process
1768	rundll32.exe

Suspicious use of WriteProcessMemory 29 IoCs

Processes:

rundll32.exerundll32.exeexplorer.exetaskeng.exeregsvr32.exe

description	pid	process	target process
PID 1432 wrote to memory of 1768	1432	rundll32.exe	rundll32.exe
PID 1432 wrote to memory of 1768	1432	rundll32.exe	rundll32.exe
PID 1432 wrote to memory of 1768	1432	rundll32.exe	rundll32.exe
PID 1432 wrote to memory of 1768	1432	rundll32.exe	rundll32.exe
PID 1432 wrote to memory of 1768	1432	rundll32.exe	rundll32.exe
PID 1432 wrote to memory of 1768	1432	rundll32.exe	rundll32.exe
PID 1432 wrote to memory of 1768	1432	rundll32.exe	rundll32.exe
PID 1768 wrote to memory of 1968	1768	rundll32.exe	explorer.exe
PID 1768 wrote to memory of 1968	1768	rundll32.exe	explorer.exe
PID 1768 wrote to memory of 1968	1768	rundll32.exe	explorer.exe
PID 1768 wrote to memory of 1968	1768	rundll32.exe	explorer.exe
PID 1768 wrote to memory of 1968	1768	rundll32.exe	explorer.exe
PID 1768 wrote to memory of 1968	1768	rundll32.exe	explorer.exe
PID 1968 wrote to memory of 1928	1968	explorer.exe	schtasks.exe
PID 1968 wrote to memory of 1928	1968	explorer.exe	schtasks.exe
PID 1968 wrote to memory of 1928	1968	explorer.exe	schtasks.exe
PID 1968 wrote to memory of 1928	1968	explorer.exe	schtasks.exe
PID 1176 wrote to memory of 1040	1176	taskeng.exe	regsvr32.exe
PID 1176 wrote to memory of 1040	1176	taskeng.exe	regsvr32.exe
PID 1176 wrote to memory of 1040	1176	taskeng.exe	regsvr32.exe
PID 1176 wrote to memory of 1040	1176	taskeng.exe	regsvr32.exe
PID 1176 wrote to memory of 1040	1176	taskeng.exe	regsvr32.exe
PID 1040 wrote to memory of 1084	1040	regsvr32.exe	regsvr32.exe
PID 1040 wrote to memory of 1084	1040	regsvr32.exe	regsvr32.exe
PID 1040 wrote to memory of 1084	1040	regsvr32.exe	regsvr32.exe
PID 1040 wrote to memory of 1084	1040	regsvr32.exe	regsvr32.exe
PID 1040 wrote to memory of 1084	1040	regsvr32.exe	regsvr32.exe
PID 1040 wrote to memory of 1084	1040	regsvr32.exe	regsvr32.exe
PID 1040 wrote to memory of 1084	1040	regsvr32.exe	regsvr32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\894423f39835051eafd433c4d0f726f3db172520.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1432

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\894423f39835051eafd433c4d0f726f3db172520.dll,#1
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1768

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:1968

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn xtdtdflbr /tr "regsvr32.exe -s \"C:\Users\Admin\AppData\Local\Temp\894423f39835051eafd433c4d0f726f3db172520.dll\"" /SC ONCE /Z /ST 16:37 /ET 16:49
4⤵
- Creates scheduled task(s)
PID:1928

C:\Windows\system32\taskeng.exe
taskeng.exe {90C43C14-E420-421B-8BBA-47B0C8E64E0F} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:1176

C:\Windows\system32\regsvr32.exe
regsvr32.exe -s "C:\Users\Admin\AppData\Local\Temp\894423f39835051eafd433c4d0f726f3db172520.dll"
2⤵
- Suspicious use of WriteProcessMemory
PID:1040

C:\Windows\SysWOW64\regsvr32.exe
-s "C:\Users\Admin\AppData\Local\Temp\894423f39835051eafd433c4d0f726f3db172520.dll"
3⤵
- Loads dropped DLL
PID:1084

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\894423f39835051eafd433c4d0f726f3db172520.dll
MD5
cbbbd93f6d56beb2083844c7da7b2982

SHA1
9ad1c6566fc917f1161951eca89bcd2706b41b71

SHA256
08b593884c460b03404122a22a9029e3e5beb2103acc64d1be445856740ce0c5

SHA512
e067a11629634176182c76fc8c3ceb149f939d892110b4eff17bc3c8ce2652729deb6c0a384971906decb2ff1343554384b45461bf578d92bb19a53426873aa0

Download Submit
\Users\Admin\AppData\Local\Temp\894423f39835051eafd433c4d0f726f3db172520.dll
MD5
cbbbd93f6d56beb2083844c7da7b2982

SHA1
9ad1c6566fc917f1161951eca89bcd2706b41b71

SHA256
08b593884c460b03404122a22a9029e3e5beb2103acc64d1be445856740ce0c5

SHA512
e067a11629634176182c76fc8c3ceb149f939d892110b4eff17bc3c8ce2652729deb6c0a384971906decb2ff1343554384b45461bf578d92bb19a53426873aa0

Download Submit
memory/1040-9-0x0000000000000000-mapping.dmp

Download
memory/1084-11-0x0000000000000000-mapping.dmp

Download
memory/1768-2-0x0000000000000000-mapping.dmp

Download
memory/1768-4-0x00000000001F0000-0x0000000000211000-memory.dmp

Filesize
132KB

Download
memory/1768-6-0x0000000010000000-0x0000000010021000-memory.dmp

Filesize
132KB

Download
memory/1928-7-0x0000000000000000-mapping.dmp

Download
memory/1968-3-0x00000000000B0000-0x00000000000B2000-memory.dmp

Filesize
8KB

Download
memory/1968-5-0x0000000000000000-mapping.dmp

Download
memory/1968-8-0x0000000000080000-0x00000000000A1000-memory.dmp

Filesize
132KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads