qakbot | 11d92a8bbd12d0f4634904ccc0037f58e99ab9d71e8341930a25564b3f2dec78

General

Target

11d92a8bbd12d0f4634904ccc0037f58e99ab9d71e8341930a25564b3f2dec78.bin.dll
Size

707KB
MD5

4eef064479e814f52fbb93e443e61841
SHA1

a687b1b13593aed25a7e51264a8980b9c8f1469e
SHA256

11d92a8bbd12d0f4634904ccc0037f58e99ab9d71e8341930a25564b3f2dec78
SHA512

20a3974bca03814f89a502af8f66447b7836d244e073a81454b1432dc4b280ae62f99e91d01d30c2451f69f0d3913af6409c747b112889edd8191f8c29d04673

Score

10^/10

qakbot abc115 1608200390 banker stealer trojan

Malware Config

Extracted

Family

qakbot

Botnet

abc115

Campaign

1608200390

C2

95.76.27.6:443

35.139.242.207:443

93.86.1.159:995

190.30.186.43:443

151.60.38.21:443

5.2.212.254:443

39.36.112.67:995

78.63.226.32:443

68.131.19.52:443

86.121.43.200:443

47.44.217.98:443

5.204.148.208:995

2.91.235.94:443

217.133.54.140:32100

86.121.3.80:443

82.76.47.211:443

5.193.148.126:2078

109.205.204.229:2222

82.12.157.95:995

45.77.115.208:2222

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot
Loads dropped DLL 1 IoCs

Processes:

regsvr32.exe

pid process

952 regsvr32.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1660 schtasks.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

regsvr32.exe

pid process

912 regsvr32.exe
912 regsvr32.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

regsvr32.exe

pid process

912 regsvr32.exe

pid	process
952	regsvr32.exe

pid	process
1660	schtasks.exe

pid	process
912	regsvr32.exe
912	regsvr32.exe

pid	process
912	regsvr32.exe

Suspicious use of WriteProcessMemory 29 IoCs

Processes:

regsvr32.exeregsvr32.exeexplorer.exetaskeng.exeregsvr32.exe

description	pid	process	target process
PID 1744 wrote to memory of 912	1744	regsvr32.exe	regsvr32.exe
PID 1744 wrote to memory of 912	1744	regsvr32.exe	regsvr32.exe
PID 1744 wrote to memory of 912	1744	regsvr32.exe	regsvr32.exe
PID 1744 wrote to memory of 912	1744	regsvr32.exe	regsvr32.exe
PID 1744 wrote to memory of 912	1744	regsvr32.exe	regsvr32.exe
PID 1744 wrote to memory of 912	1744	regsvr32.exe	regsvr32.exe
PID 1744 wrote to memory of 912	1744	regsvr32.exe	regsvr32.exe
PID 912 wrote to memory of 920	912	regsvr32.exe	explorer.exe
PID 912 wrote to memory of 920	912	regsvr32.exe	explorer.exe
PID 912 wrote to memory of 920	912	regsvr32.exe	explorer.exe
PID 912 wrote to memory of 920	912	regsvr32.exe	explorer.exe
PID 912 wrote to memory of 920	912	regsvr32.exe	explorer.exe
PID 912 wrote to memory of 920	912	regsvr32.exe	explorer.exe
PID 920 wrote to memory of 1660	920	explorer.exe	schtasks.exe
PID 920 wrote to memory of 1660	920	explorer.exe	schtasks.exe
PID 920 wrote to memory of 1660	920	explorer.exe	schtasks.exe
PID 920 wrote to memory of 1660	920	explorer.exe	schtasks.exe
PID 1216 wrote to memory of 848	1216	taskeng.exe	regsvr32.exe
PID 1216 wrote to memory of 848	1216	taskeng.exe	regsvr32.exe
PID 1216 wrote to memory of 848	1216	taskeng.exe	regsvr32.exe
PID 1216 wrote to memory of 848	1216	taskeng.exe	regsvr32.exe
PID 1216 wrote to memory of 848	1216	taskeng.exe	regsvr32.exe
PID 848 wrote to memory of 952	848	regsvr32.exe	regsvr32.exe
PID 848 wrote to memory of 952	848	regsvr32.exe	regsvr32.exe
PID 848 wrote to memory of 952	848	regsvr32.exe	regsvr32.exe
PID 848 wrote to memory of 952	848	regsvr32.exe	regsvr32.exe
PID 848 wrote to memory of 952	848	regsvr32.exe	regsvr32.exe
PID 848 wrote to memory of 952	848	regsvr32.exe	regsvr32.exe
PID 848 wrote to memory of 952	848	regsvr32.exe	regsvr32.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\11d92a8bbd12d0f4634904ccc0037f58e99ab9d71e8341930a25564b3f2dec78.bin.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:1744

C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\11d92a8bbd12d0f4634904ccc0037f58e99ab9d71e8341930a25564b3f2dec78.bin.dll
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:912

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:920

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn yxrpccu /tr "regsvr32.exe -s \"C:\Users\Admin\AppData\Local\Temp\11d92a8bbd12d0f4634904ccc0037f58e99ab9d71e8341930a25564b3f2dec78.bin.dll\"" /SC ONCE /Z /ST 08:59 /ET 09:11
4⤵
- Creates scheduled task(s)
PID:1660

C:\Windows\system32\taskeng.exe
taskeng.exe {5D311F18-D70E-42E9-8E2A-16BA81045A21} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:1216

C:\Windows\system32\regsvr32.exe
regsvr32.exe -s "C:\Users\Admin\AppData\Local\Temp\11d92a8bbd12d0f4634904ccc0037f58e99ab9d71e8341930a25564b3f2dec78.bin.dll"
2⤵
- Suspicious use of WriteProcessMemory
PID:848

C:\Windows\SysWOW64\regsvr32.exe
-s "C:\Users\Admin\AppData\Local\Temp\11d92a8bbd12d0f4634904ccc0037f58e99ab9d71e8341930a25564b3f2dec78.bin.dll"
3⤵
- Loads dropped DLL
PID:952

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\11d92a8bbd12d0f4634904ccc0037f58e99ab9d71e8341930a25564b3f2dec78.bin.dll
MD5
6afcf128aa55ca59de6e93ab6a381fab

SHA1
eb13f53f14eafb0ebf57c16c45fd0f9dbeb64939

SHA256
7642c329c81f90e50540b3dce43b870b8b5bfd202428b01a94d39eb9b3256787

SHA512
01fd8a754bba9aaee740c494c69d905eb163f126fdffe528c21fc98255f806abc19b7693dc9ee2b4aea4f5e16310d22ad6e045211275dda8015a4a7c06a7d644

Download Submit
\Users\Admin\AppData\Local\Temp\11d92a8bbd12d0f4634904ccc0037f58e99ab9d71e8341930a25564b3f2dec78.bin.dll
MD5
6afcf128aa55ca59de6e93ab6a381fab

SHA1
eb13f53f14eafb0ebf57c16c45fd0f9dbeb64939

SHA256
7642c329c81f90e50540b3dce43b870b8b5bfd202428b01a94d39eb9b3256787

SHA512
01fd8a754bba9aaee740c494c69d905eb163f126fdffe528c21fc98255f806abc19b7693dc9ee2b4aea4f5e16310d22ad6e045211275dda8015a4a7c06a7d644

Download Submit
memory/848-8-0x0000000000000000-mapping.dmp

Download
memory/912-2-0x0000000000000000-mapping.dmp

Download
memory/912-4-0x0000000000150000-0x0000000000185000-memory.dmp

Filesize
212KB

Download
memory/920-3-0x00000000000C0000-0x00000000000C2000-memory.dmp

Filesize
8KB

Download
memory/920-5-0x0000000000000000-mapping.dmp

Download
memory/920-7-0x0000000000080000-0x00000000000B5000-memory.dmp

Filesize
212KB

Download
memory/952-10-0x0000000000000000-mapping.dmp

Download
memory/1660-6-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads