qakbot | c972346b25a36cb3ddaeb4ede844d18711cbbf8226d74075879e5d8b49b8d46c

General

Target

c972346b25a36cb3ddaeb4ede844d18711cbbf8226d74075879e5d8b49b8d46c.dll
Size

2.2MB
MD5

61e8905be3070fa88942c3abdb300394
SHA1

d06b2db986cdf55b282c85381e03da2139ed6454
SHA256

c972346b25a36cb3ddaeb4ede844d18711cbbf8226d74075879e5d8b49b8d46c
SHA512

8442edc5aa6e7485bf35955c31ac1f5566afc76e9dfb6169f65cd7d4072945c241e8ec4889f55197080e51f3917f77d1cd1acb1c7085eb8de7d9f21781a6399a

Score

10^/10

qakbot tr02s 1608638923 banker stealer trojan

Malware Config

Extracted

Family

qakbot

Botnet

tr02s

Campaign

1608638923

C2

41.230.209.182:443

35.134.202.234:443

73.166.10.38:50010

172.87.157.235:3389

24.216.56.6:443

184.179.14.130:22

24.152.219.253:995

67.209.195.198:443

86.98.89.36:2222

47.146.169.85:443

197.135.60.192:443

90.201.21.58:443

81.214.126.173:2222

37.116.152.122:2078

64.225.166.16:2222

187.7.236.197:995

47.196.192.184:443

82.12.157.95:995

2.50.161.6:2222

83.110.213.49:443

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot
Loads dropped DLL 1 IoCs

Processes:

regsvr32.exe

pid process

928 regsvr32.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1080 928 WerFault.exe regsvr32.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

4400 schtasks.exe

pid	process
928	regsvr32.exe

pid	pid_target	process	target process
1080	928	WerFault.exe	regsvr32.exe

pid	process
4400	schtasks.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

Processes:

rundll32.exeWerFault.exe

pid	process
4816	rundll32.exe
4816	rundll32.exe
1080	WerFault.exe
1080	WerFault.exe
1080	WerFault.exe
1080	WerFault.exe
1080	WerFault.exe
1080	WerFault.exe
1080	WerFault.exe
1080	WerFault.exe
1080	WerFault.exe
1080	WerFault.exe
1080	WerFault.exe
1080	WerFault.exe
1080	WerFault.exe
1080	WerFault.exe

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

rundll32.exe

pid process

4816 rundll32.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

WerFault.exe

description pid process

Token: SeRestorePrivilege 1080 WerFault.exe
Token: SeBackupPrivilege 1080 WerFault.exe
Token: SeDebugPrivilege 1080 WerFault.exe

description	pid	process
Token: SeRestorePrivilege	1080	WerFault.exe
Token: SeBackupPrivilege	1080	WerFault.exe
Token: SeDebugPrivilege	1080	WerFault.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

rundll32.exerundll32.exeexplorer.exeregsvr32.exe

description	pid	process	target process
PID 4756 wrote to memory of 4816	4756	rundll32.exe	rundll32.exe
PID 4756 wrote to memory of 4816	4756	rundll32.exe	rundll32.exe
PID 4756 wrote to memory of 4816	4756	rundll32.exe	rundll32.exe
PID 4816 wrote to memory of 4272	4816	rundll32.exe	explorer.exe
PID 4816 wrote to memory of 4272	4816	rundll32.exe	explorer.exe
PID 4816 wrote to memory of 4272	4816	rundll32.exe	explorer.exe
PID 4816 wrote to memory of 4272	4816	rundll32.exe	explorer.exe
PID 4816 wrote to memory of 4272	4816	rundll32.exe	explorer.exe
PID 4272 wrote to memory of 4400	4272	explorer.exe	schtasks.exe
PID 4272 wrote to memory of 4400	4272	explorer.exe	schtasks.exe
PID 4272 wrote to memory of 4400	4272	explorer.exe	schtasks.exe
PID 836 wrote to memory of 928	836	regsvr32.exe	regsvr32.exe
PID 836 wrote to memory of 928	836	regsvr32.exe	regsvr32.exe
PID 836 wrote to memory of 928	836	regsvr32.exe	regsvr32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\c972346b25a36cb3ddaeb4ede844d18711cbbf8226d74075879e5d8b49b8d46c.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4756

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\c972346b25a36cb3ddaeb4ede844d18711cbbf8226d74075879e5d8b49b8d46c.dll,#1
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4816

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:4272

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn xiolwkcl /tr "regsvr32.exe -s \"C:\Users\Admin\AppData\Local\Temp\c972346b25a36cb3ddaeb4ede844d18711cbbf8226d74075879e5d8b49b8d46c.dll\"" /SC ONCE /Z /ST 08:35 /ET 08:47
4⤵
- Creates scheduled task(s)
PID:4400

\??\c:\windows\system32\regsvr32.exe
regsvr32.exe -s "C:\Users\Admin\AppData\Local\Temp\c972346b25a36cb3ddaeb4ede844d18711cbbf8226d74075879e5d8b49b8d46c.dll"
1⤵
- Suspicious use of WriteProcessMemory
PID:836

C:\Windows\SysWOW64\regsvr32.exe
-s "C:\Users\Admin\AppData\Local\Temp\c972346b25a36cb3ddaeb4ede844d18711cbbf8226d74075879e5d8b49b8d46c.dll"
2⤵
- Loads dropped DLL
PID:928

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 928 -s 596
3⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1080

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\c972346b25a36cb3ddaeb4ede844d18711cbbf8226d74075879e5d8b49b8d46c.dll
MD5
a4903a395b91e77a92bfa23901f05627

SHA1
0333d6c6b1b91c84a23e81e0817f6aeb5d04360a

SHA256
85726a1d394466c39808046764eab14e3aa718bb8cc339a888d2da61470647ba

SHA512
6185d9e0379d38174a9f059e81ccd9f1ef53e131dbab82bbcbc600a6a5ee811c1bdcef035099b27ef70879acca79355886b88cecfc4860f20959b464c51ac237

Download Submit
\Users\Admin\AppData\Local\Temp\c972346b25a36cb3ddaeb4ede844d18711cbbf8226d74075879e5d8b49b8d46c.dll
MD5
a4903a395b91e77a92bfa23901f05627

SHA1
0333d6c6b1b91c84a23e81e0817f6aeb5d04360a

SHA256
85726a1d394466c39808046764eab14e3aa718bb8cc339a888d2da61470647ba

SHA512
6185d9e0379d38174a9f059e81ccd9f1ef53e131dbab82bbcbc600a6a5ee811c1bdcef035099b27ef70879acca79355886b88cecfc4860f20959b464c51ac237

Download Submit
memory/928-9-0x0000000000000000-mapping.dmp

Download
memory/928-13-0x0000000000000000-mapping.dmp

Download
memory/1080-11-0x0000000003B70000-0x0000000003B71000-memory.dmp

Filesize
4KB

Download
memory/1080-12-0x0000000003F70000-0x0000000003F71000-memory.dmp

Filesize
4KB

Download
memory/4272-4-0x0000000000000000-mapping.dmp

Download
memory/4272-7-0x0000000003170000-0x00000000031A5000-memory.dmp

Filesize
212KB

Download
memory/4400-6-0x0000000000000000-mapping.dmp

Download
memory/4816-2-0x0000000000000000-mapping.dmp

Download
memory/4816-3-0x0000000002BB0000-0x0000000002BE5000-memory.dmp

Filesize
212KB

Download
memory/4816-5-0x0000000010000000-0x0000000010035000-memory.dmp

Filesize
212KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads