qakbot | 03f712c3030fb4a4411425162df5ee361f7b7b7d3b853d57aec1aeae3bca5429

General

Target

03f712c3030fb4a4411425162df5ee361f7b7b7d3b853d57aec1aeae3bca5429.dll
Size

307KB
MD5

93dd26240487e270fc89cab981fef68b
SHA1

67d72eb632af612c29bbd5e7cbc7fa28e1eff0e1
SHA256

03f712c3030fb4a4411425162df5ee361f7b7b7d3b853d57aec1aeae3bca5429
SHA512

7b9ee97f18973799a8f47114b2417b9fe09ade5800bf5d531d34aa8fe93c303d7f260e8f378e20b0c917209405cdac3dfc79148b778a522a3b91fe94fd667d69

Score

10^/10

qakbot tr02 1607427512 banker stealer trojan

Malware Config

Extracted

Family

qakbot

Botnet

tr02

Campaign

1607427512

C2

73.32.115.251:443

161.199.180.159:443

185.163.221.77:2222

197.161.154.132:443

105.198.236.99:443

83.196.50.197:2222

96.225.88.23:443

156.222.27.207:995

81.214.126.173:2222

83.110.13.182:2222

85.121.42.12:443

67.82.244.199:2222

172.87.157.235:3389

86.176.133.145:2222

72.186.1.237:443

80.11.5.65:2222

94.59.236.155:995

81.150.181.168:2222

184.98.97.227:995

149.28.101.90:443

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

184 800 WerFault.exe regsvr32.exe

pid	pid_target	process	target process
184	800	WerFault.exe	regsvr32.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

regsvr32.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\DeviceDesc	regsvr32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Service	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000	regsvr32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\DeviceDesc	regsvr32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Service	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000	regsvr32.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

4008 schtasks.exe

pid	process
4008	schtasks.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

Processes:

regsvr32.exeWerFault.exe

pid	process
800	regsvr32.exe
800	regsvr32.exe
800	regsvr32.exe
800	regsvr32.exe
184	WerFault.exe
184	WerFault.exe
184	WerFault.exe
184	WerFault.exe
184	WerFault.exe
184	WerFault.exe
184	WerFault.exe
184	WerFault.exe
184	WerFault.exe
184	WerFault.exe
184	WerFault.exe
184	WerFault.exe
184	WerFault.exe
184	WerFault.exe

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

regsvr32.exe

pid process

800 regsvr32.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

WerFault.exe

description pid process

Token: SeRestorePrivilege 184 WerFault.exe
Token: SeBackupPrivilege 184 WerFault.exe
Token: SeDebugPrivilege 184 WerFault.exe

description	pid	process
Token: SeRestorePrivilege	184	WerFault.exe
Token: SeBackupPrivilege	184	WerFault.exe
Token: SeDebugPrivilege	184	WerFault.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

regsvr32.exeregsvr32.exeexplorer.exeregsvr32.exe

description	pid	process	target process
PID 3564 wrote to memory of 800	3564	regsvr32.exe	regsvr32.exe
PID 3564 wrote to memory of 800	3564	regsvr32.exe	regsvr32.exe
PID 3564 wrote to memory of 800	3564	regsvr32.exe	regsvr32.exe
PID 800 wrote to memory of 3264	800	regsvr32.exe	explorer.exe
PID 800 wrote to memory of 3264	800	regsvr32.exe	explorer.exe
PID 800 wrote to memory of 3264	800	regsvr32.exe	explorer.exe
PID 800 wrote to memory of 3264	800	regsvr32.exe	explorer.exe
PID 800 wrote to memory of 3264	800	regsvr32.exe	explorer.exe
PID 3264 wrote to memory of 4008	3264	explorer.exe	schtasks.exe
PID 3264 wrote to memory of 4008	3264	explorer.exe	schtasks.exe
PID 3264 wrote to memory of 4008	3264	explorer.exe	schtasks.exe
PID 2156 wrote to memory of 1620	2156	regsvr32.exe	regsvr32.exe
PID 2156 wrote to memory of 1620	2156	regsvr32.exe	regsvr32.exe
PID 2156 wrote to memory of 1620	2156	regsvr32.exe	regsvr32.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\03f712c3030fb4a4411425162df5ee361f7b7b7d3b853d57aec1aeae3bca5429.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:3564

C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\03f712c3030fb4a4411425162df5ee361f7b7b7d3b853d57aec1aeae3bca5429.dll
2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:800

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:3264

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn odvaklg /tr "regsvr32.exe -s \"C:\Users\Admin\AppData\Local\Temp\03f712c3030fb4a4411425162df5ee361f7b7b7d3b853d57aec1aeae3bca5429.dll\"" /SC ONCE /Z /ST 16:16 /ET 16:28
4⤵
- Creates scheduled task(s)
PID:4008

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 800 -s 888
3⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:184

\??\c:\windows\system32\regsvr32.exe
regsvr32.exe -s "C:\Users\Admin\AppData\Local\Temp\03f712c3030fb4a4411425162df5ee361f7b7b7d3b853d57aec1aeae3bca5429.dll"
1⤵
- Suspicious use of WriteProcessMemory
PID:2156

C:\Windows\SysWOW64\regsvr32.exe
-s "C:\Users\Admin\AppData\Local\Temp\03f712c3030fb4a4411425162df5ee361f7b7b7d3b853d57aec1aeae3bca5429.dll"
2⤵
PID:1620

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\03f712c3030fb4a4411425162df5ee361f7b7b7d3b853d57aec1aeae3bca5429.dll
MD5
361a03bdd3dd4411eb26b7303f68ea06

SHA1
a6d60e8f91adafa254553b1e274adcda6d993c71

SHA256
9245ab1976ed9f983e86318f25a113c536113d821c6b0f1ad39c84e2d49e331f

SHA512
7592109b613d083c497d8c85433b22ebe9d67bdd9fa6d65fb098ef4012eee675e5c47a8c250ffbfc5cda244dee94710257916f82c60b41f1cbcbf679baa3e97e

Download Submit
memory/184-7-0x0000000004C50000-0x0000000004C51000-memory.dmp

Filesize
4KB

Download
memory/800-2-0x0000000000000000-mapping.dmp

Download
memory/800-3-0x0000000004D60000-0x0000000004D81000-memory.dmp

Filesize
132KB

Download
memory/1620-9-0x0000000000000000-mapping.dmp

Download
memory/3264-4-0x0000000000000000-mapping.dmp

Download
memory/3264-6-0x0000000001040000-0x0000000001061000-memory.dmp

Filesize
132KB

Download
memory/4008-5-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads