qakbot | 3984b1072731ae1a7e6f83b76e1fbbca09e0f2968d06087f2579e22edb56edc2

General

Target

894423f39835051eafd433c4d0f726f3db172520.dll
Size

2.0MB
MD5

b2a9a4e1656bdb5749de4f228dc9f307
SHA1

894423f39835051eafd433c4d0f726f3db172520
SHA256

3984b1072731ae1a7e6f83b76e1fbbca09e0f2968d06087f2579e22edb56edc2
SHA512

74b73e5afdb0ccf701a1d877e1381b1b7b6fa4a81a3b06e6021169ebb3ba936ec01c2b148aa3ee5c2344ae40c349edd0188dd85e2c874dc7f6adbc841e0768af

Score

10^/10

qakbot tr02 1607955641 banker stealer trojan

Malware Config

Extracted

Family

qakbot

Botnet

tr02

Campaign

1607955641

C2

120.151.95.167:443

47.44.217.98:443

32.212.117.188:443

184.97.145.239:443

86.121.3.80:443

83.110.97.149:443

83.194.193.247:2222

105.198.236.101:443

35.134.202.234:443

189.62.175.92:22

2.89.122.157:443

78.97.207.104:443

208.93.202.41:443

45.118.216.157:443

5.204.148.208:995

5.15.226.81:443

66.26.160.37:443

84.78.128.76:2222

80.106.85.24:2222

108.31.15.10:995

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot
Loads dropped DLL 1 IoCs

Processes:

regsvr32.exe

pid process

1368 regsvr32.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1556 1368 WerFault.exe regsvr32.exe

pid	process
1368	regsvr32.exe

pid	pid_target	process	target process
1556	1368	WerFault.exe	regsvr32.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

rundll32.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Service	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\DeviceDesc	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Service	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\DeviceDesc	rundll32.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1524 schtasks.exe

pid	process
1524	schtasks.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

Processes:

rundll32.exeWerFault.exe

pid	process
3980	rundll32.exe
3980	rundll32.exe
3980	rundll32.exe
3980	rundll32.exe
1556	WerFault.exe
1556	WerFault.exe
1556	WerFault.exe
1556	WerFault.exe
1556	WerFault.exe
1556	WerFault.exe
1556	WerFault.exe
1556	WerFault.exe
1556	WerFault.exe
1556	WerFault.exe
1556	WerFault.exe
1556	WerFault.exe
1556	WerFault.exe
1556	WerFault.exe

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

rundll32.exe

pid process

3980 rundll32.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

WerFault.exe

description pid process

Token: SeRestorePrivilege 1556 WerFault.exe
Token: SeBackupPrivilege 1556 WerFault.exe
Token: SeDebugPrivilege 1556 WerFault.exe

description	pid	process
Token: SeRestorePrivilege	1556	WerFault.exe
Token: SeBackupPrivilege	1556	WerFault.exe
Token: SeDebugPrivilege	1556	WerFault.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

rundll32.exerundll32.exeexplorer.exeregsvr32.exe

description	pid	process	target process
PID 1048 wrote to memory of 3980	1048	rundll32.exe	rundll32.exe
PID 1048 wrote to memory of 3980	1048	rundll32.exe	rundll32.exe
PID 1048 wrote to memory of 3980	1048	rundll32.exe	rundll32.exe
PID 3980 wrote to memory of 1044	3980	rundll32.exe	explorer.exe
PID 3980 wrote to memory of 1044	3980	rundll32.exe	explorer.exe
PID 3980 wrote to memory of 1044	3980	rundll32.exe	explorer.exe
PID 3980 wrote to memory of 1044	3980	rundll32.exe	explorer.exe
PID 3980 wrote to memory of 1044	3980	rundll32.exe	explorer.exe
PID 1044 wrote to memory of 1524	1044	explorer.exe	schtasks.exe
PID 1044 wrote to memory of 1524	1044	explorer.exe	schtasks.exe
PID 1044 wrote to memory of 1524	1044	explorer.exe	schtasks.exe
PID 3928 wrote to memory of 1368	3928	regsvr32.exe	regsvr32.exe
PID 3928 wrote to memory of 1368	3928	regsvr32.exe	regsvr32.exe
PID 3928 wrote to memory of 1368	3928	regsvr32.exe	regsvr32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\894423f39835051eafd433c4d0f726f3db172520.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1048

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\894423f39835051eafd433c4d0f726f3db172520.dll,#1
2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3980

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:1044

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn bcozmwmhbb /tr "regsvr32.exe -s \"C:\Users\Admin\AppData\Local\Temp\894423f39835051eafd433c4d0f726f3db172520.dll\"" /SC ONCE /Z /ST 17:44 /ET 17:56
4⤵
- Creates scheduled task(s)
PID:1524

\??\c:\windows\system32\regsvr32.exe
regsvr32.exe -s "C:\Users\Admin\AppData\Local\Temp\894423f39835051eafd433c4d0f726f3db172520.dll"
1⤵
- Suspicious use of WriteProcessMemory
PID:3928

C:\Windows\SysWOW64\regsvr32.exe
-s "C:\Users\Admin\AppData\Local\Temp\894423f39835051eafd433c4d0f726f3db172520.dll"
2⤵
- Loads dropped DLL
PID:1368

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1368 -s 596
3⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1556

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\894423f39835051eafd433c4d0f726f3db172520.dll
MD5
cbbbd93f6d56beb2083844c7da7b2982

SHA1
9ad1c6566fc917f1161951eca89bcd2706b41b71

SHA256
08b593884c460b03404122a22a9029e3e5beb2103acc64d1be445856740ce0c5

SHA512
e067a11629634176182c76fc8c3ceb149f939d892110b4eff17bc3c8ce2652729deb6c0a384971906decb2ff1343554384b45461bf578d92bb19a53426873aa0

Download Submit
\Users\Admin\AppData\Local\Temp\894423f39835051eafd433c4d0f726f3db172520.dll
MD5
cbbbd93f6d56beb2083844c7da7b2982

SHA1
9ad1c6566fc917f1161951eca89bcd2706b41b71

SHA256
08b593884c460b03404122a22a9029e3e5beb2103acc64d1be445856740ce0c5

SHA512
e067a11629634176182c76fc8c3ceb149f939d892110b4eff17bc3c8ce2652729deb6c0a384971906decb2ff1343554384b45461bf578d92bb19a53426873aa0

Download Submit
memory/1044-4-0x0000000000000000-mapping.dmp

Download
memory/1044-7-0x0000000003090000-0x00000000030B1000-memory.dmp

Filesize
132KB

Download
memory/1368-9-0x0000000000000000-mapping.dmp

Download
memory/1368-12-0x0000000000000000-mapping.dmp

Download
memory/1524-6-0x0000000000000000-mapping.dmp

Download
memory/1556-11-0x0000000003270000-0x0000000003271000-memory.dmp

Filesize
4KB

Download
memory/1556-13-0x00000000039A0000-0x00000000039A1000-memory.dmp

Filesize
4KB

Download
memory/3980-2-0x0000000000000000-mapping.dmp

Download
memory/3980-3-0x0000000002D70000-0x0000000002D91000-memory.dmp

Filesize
132KB

Download
memory/3980-5-0x0000000010000000-0x0000000010021000-memory.dmp

Filesize
132KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads