qakbot | cf065e980b8a901be9d0e1f52a50bcdc6c299850f4fb5b1ecfed6327a38c19b6

General

Target

cf065e980b8a901be9d0e1f52a50bcdc6c299850f4fb5b1ecfed6327a38c19b6.dll
Size

289KB
MD5

67ef5c7797e927b28bd49bdb72cca817
SHA1

d8cfb631d79c2c198dbd74345ae12b8d804dbfc3
SHA256

cf065e980b8a901be9d0e1f52a50bcdc6c299850f4fb5b1ecfed6327a38c19b6
SHA512

e3d528872dfd9b24185f319a6137184025a5d3d4917a40a06332d11bf1a671a6d95504078786322e57eb05dc7e08449f8661ba8a2496a172e1740d514e35eed5

Score

10^/10

qakbot abc104 1606818862 banker stealer trojan

Malware Config

Extracted

Family

qakbot

Botnet

abc104

Campaign

1606818862

C2

79.119.124.237:443

87.218.53.206:2222

181.169.88.203:443

82.12.157.95:995

94.49.188.240:443

46.124.107.124:6881

86.122.248.164:2222

83.202.68.220:2222

79.129.216.215:2222

37.21.231.245:995

47.187.49.3:2222

2.90.33.130:443

149.28.98.196:995

149.28.99.97:443

45.63.107.192:995

149.28.98.196:2222

45.63.107.192:2222

74.73.27.35:443

149.28.98.196:443

144.202.38.185:2222

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot
Loads dropped DLL 1 IoCs

Processes:

regsvr32.exe

pid process

3700 regsvr32.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2072 3700 WerFault.exe regsvr32.exe

pid	process
3700	regsvr32.exe

pid	pid_target	process	target process
2072	3700	WerFault.exe	regsvr32.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\DeviceDesc	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Service	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\DeviceDesc	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Service	rundll32.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

372 schtasks.exe

pid	process
372	schtasks.exe

Suspicious behavior: EnumeratesProcesses 17 IoCs

Processes:

rundll32.exeWerFault.exe

pid	process
1448	rundll32.exe
1448	rundll32.exe
1448	rundll32.exe
1448	rundll32.exe
2072	WerFault.exe
2072	WerFault.exe
2072	WerFault.exe
2072	WerFault.exe
2072	WerFault.exe
2072	WerFault.exe
2072	WerFault.exe
2072	WerFault.exe
2072	WerFault.exe
2072	WerFault.exe
2072	WerFault.exe
2072	WerFault.exe
2072	WerFault.exe

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

rundll32.exe

pid process

1448 rundll32.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

WerFault.exe

description pid process

Token: SeRestorePrivilege 2072 WerFault.exe
Token: SeBackupPrivilege 2072 WerFault.exe
Token: SeDebugPrivilege 2072 WerFault.exe

description	pid	process
Token: SeRestorePrivilege	2072	WerFault.exe
Token: SeBackupPrivilege	2072	WerFault.exe
Token: SeDebugPrivilege	2072	WerFault.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

rundll32.exerundll32.exeexplorer.exeregsvr32.exe

description	pid	process	target process
PID 1160 wrote to memory of 1448	1160	rundll32.exe	rundll32.exe
PID 1160 wrote to memory of 1448	1160	rundll32.exe	rundll32.exe
PID 1160 wrote to memory of 1448	1160	rundll32.exe	rundll32.exe
PID 1448 wrote to memory of 684	1448	rundll32.exe	explorer.exe
PID 1448 wrote to memory of 684	1448	rundll32.exe	explorer.exe
PID 1448 wrote to memory of 684	1448	rundll32.exe	explorer.exe
PID 1448 wrote to memory of 684	1448	rundll32.exe	explorer.exe
PID 1448 wrote to memory of 684	1448	rundll32.exe	explorer.exe
PID 684 wrote to memory of 372	684	explorer.exe	schtasks.exe
PID 684 wrote to memory of 372	684	explorer.exe	schtasks.exe
PID 684 wrote to memory of 372	684	explorer.exe	schtasks.exe
PID 3492 wrote to memory of 3700	3492	regsvr32.exe	regsvr32.exe
PID 3492 wrote to memory of 3700	3492	regsvr32.exe	regsvr32.exe
PID 3492 wrote to memory of 3700	3492	regsvr32.exe	regsvr32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\cf065e980b8a901be9d0e1f52a50bcdc6c299850f4fb5b1ecfed6327a38c19b6.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1160

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\cf065e980b8a901be9d0e1f52a50bcdc6c299850f4fb5b1ecfed6327a38c19b6.dll,#1
2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1448

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:684

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn koxiltqwb /tr "regsvr32.exe -s \"C:\Users\Admin\AppData\Local\Temp\cf065e980b8a901be9d0e1f52a50bcdc6c299850f4fb5b1ecfed6327a38c19b6.dll\"" /SC ONCE /Z /ST 16:16 /ET 16:28
4⤵
- Creates scheduled task(s)
PID:372

\??\c:\windows\system32\regsvr32.exe
regsvr32.exe -s "C:\Users\Admin\AppData\Local\Temp\cf065e980b8a901be9d0e1f52a50bcdc6c299850f4fb5b1ecfed6327a38c19b6.dll"
1⤵
- Suspicious use of WriteProcessMemory
PID:3492

C:\Windows\SysWOW64\regsvr32.exe
-s "C:\Users\Admin\AppData\Local\Temp\cf065e980b8a901be9d0e1f52a50bcdc6c299850f4fb5b1ecfed6327a38c19b6.dll"
2⤵
- Loads dropped DLL
PID:3700

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3700 -s 596
3⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2072

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\cf065e980b8a901be9d0e1f52a50bcdc6c299850f4fb5b1ecfed6327a38c19b6.dll
MD5
2bf5d094d49fc849fdbcf58e580adb05

SHA1
3994a36a3c55998a9e16266792cc6bd85721b006

SHA256
0bc51a8278b4dc539d8c937d075ecba4c65d10b9a1006d912bb8ac7e357a5d60

SHA512
f422ba24a77c40a9033446b0b22876e0b5cd074d798274d762181306f31743a603a32edbadda57d913a7112fed73666fa62df4b6ddcdbc826cb897f81cfae73b

Download Submit
\Users\Admin\AppData\Local\Temp\cf065e980b8a901be9d0e1f52a50bcdc6c299850f4fb5b1ecfed6327a38c19b6.dll
MD5
2bf5d094d49fc849fdbcf58e580adb05

SHA1
3994a36a3c55998a9e16266792cc6bd85721b006

SHA256
0bc51a8278b4dc539d8c937d075ecba4c65d10b9a1006d912bb8ac7e357a5d60

SHA512
f422ba24a77c40a9033446b0b22876e0b5cd074d798274d762181306f31743a603a32edbadda57d913a7112fed73666fa62df4b6ddcdbc826cb897f81cfae73b

Download Submit
memory/372-5-0x0000000000000000-mapping.dmp

Download
memory/684-4-0x0000000000000000-mapping.dmp

Download
memory/684-6-0x00000000008A0000-0x00000000008C1000-memory.dmp

Filesize
132KB

Download
memory/1448-2-0x0000000000000000-mapping.dmp

Download
memory/1448-3-0x0000000003240000-0x0000000003261000-memory.dmp

Filesize
132KB

Download
memory/2072-10-0x0000000003270000-0x0000000003271000-memory.dmp

Filesize
4KB

Download
memory/3700-8-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads