qakbot | 39012a1dc5ba702679b12a81d708f1d15d32be2f8c48746645e62e3fd4aa8d93

General

Target

SecuriteInfo.com.Variant.Razy.831269.8387.7344.dll
Size

1.5MB
MD5

3b322b43ce402d24aa2e7740a4c1a228
SHA1

3d3b3e5f9ca28c17ce02bdea3e6b697749ade04d
SHA256

39012a1dc5ba702679b12a81d708f1d15d32be2f8c48746645e62e3fd4aa8d93
SHA512

330126a5648e3803a06b984197387339453545db16af7b95868d4a4ec45f6eb32bfeb133e9c880888d65ce7a28674153b929d20bb68a772976bb817664fb1969

Score

10^/10

qakbot abc119 1611224824 banker stealer trojan

Malware Config

Extracted

Family

qakbot

Botnet

abc119

Campaign

1611224824

C2

106.51.52.111:443

83.110.12.140:2222

89.3.198.238:443

86.220.60.133:2222

45.77.115.208:8443

45.77.115.208:995

71.117.132.169:443

82.76.47.211:443

125.63.101.62:443

86.98.93.124:2078

178.152.70.12:995

78.97.207.104:443

77.27.174.49:995

173.70.165.101:995

64.121.114.87:443

188.24.128.253:443

89.137.211.239:995

80.227.5.70:443

81.97.154.100:443

98.121.187.78:443

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot
Loads dropped DLL 1 IoCs

Processes:

regsvr32.exe

pid process

756 regsvr32.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1664 schtasks.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

rundll32.exe

pid process

1108 rundll32.exe
1108 rundll32.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

rundll32.exe

pid process

1108 rundll32.exe

pid	process
756	regsvr32.exe

pid	process
1664	schtasks.exe

pid	process
1108	rundll32.exe
1108	rundll32.exe

pid	process
1108	rundll32.exe

Suspicious use of WriteProcessMemory 29 IoCs

Processes:

rundll32.exerundll32.exeexplorer.exetaskeng.exeregsvr32.exe

description	pid	process	target process
PID 1632 wrote to memory of 1108	1632	rundll32.exe	rundll32.exe
PID 1632 wrote to memory of 1108	1632	rundll32.exe	rundll32.exe
PID 1632 wrote to memory of 1108	1632	rundll32.exe	rundll32.exe
PID 1632 wrote to memory of 1108	1632	rundll32.exe	rundll32.exe
PID 1632 wrote to memory of 1108	1632	rundll32.exe	rundll32.exe
PID 1632 wrote to memory of 1108	1632	rundll32.exe	rundll32.exe
PID 1632 wrote to memory of 1108	1632	rundll32.exe	rundll32.exe
PID 1108 wrote to memory of 1380	1108	rundll32.exe	explorer.exe
PID 1108 wrote to memory of 1380	1108	rundll32.exe	explorer.exe
PID 1108 wrote to memory of 1380	1108	rundll32.exe	explorer.exe
PID 1108 wrote to memory of 1380	1108	rundll32.exe	explorer.exe
PID 1108 wrote to memory of 1380	1108	rundll32.exe	explorer.exe
PID 1108 wrote to memory of 1380	1108	rundll32.exe	explorer.exe
PID 1380 wrote to memory of 1664	1380	explorer.exe	schtasks.exe
PID 1380 wrote to memory of 1664	1380	explorer.exe	schtasks.exe
PID 1380 wrote to memory of 1664	1380	explorer.exe	schtasks.exe
PID 1380 wrote to memory of 1664	1380	explorer.exe	schtasks.exe
PID 556 wrote to memory of 636	556	taskeng.exe	regsvr32.exe
PID 556 wrote to memory of 636	556	taskeng.exe	regsvr32.exe
PID 556 wrote to memory of 636	556	taskeng.exe	regsvr32.exe
PID 556 wrote to memory of 636	556	taskeng.exe	regsvr32.exe
PID 556 wrote to memory of 636	556	taskeng.exe	regsvr32.exe
PID 636 wrote to memory of 756	636	regsvr32.exe	regsvr32.exe
PID 636 wrote to memory of 756	636	regsvr32.exe	regsvr32.exe
PID 636 wrote to memory of 756	636	regsvr32.exe	regsvr32.exe
PID 636 wrote to memory of 756	636	regsvr32.exe	regsvr32.exe
PID 636 wrote to memory of 756	636	regsvr32.exe	regsvr32.exe
PID 636 wrote to memory of 756	636	regsvr32.exe	regsvr32.exe
PID 636 wrote to memory of 756	636	regsvr32.exe	regsvr32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Razy.831269.8387.7344.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1632

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Razy.831269.8387.7344.dll,#1
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1108

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:1380

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn dqxueymekd /tr "regsvr32.exe -s \"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Razy.831269.8387.7344.dll\"" /SC ONCE /Z /ST 08:25 /ET 08:37
4⤵
- Creates scheduled task(s)
PID:1664

C:\Windows\system32\taskeng.exe
taskeng.exe {07702D4A-B26B-429A-9207-452E16B9A8ED} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:556

C:\Windows\system32\regsvr32.exe
regsvr32.exe -s "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Razy.831269.8387.7344.dll"
2⤵
- Suspicious use of WriteProcessMemory
PID:636

C:\Windows\SysWOW64\regsvr32.exe
-s "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Razy.831269.8387.7344.dll"
3⤵
- Loads dropped DLL
PID:756

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Razy.831269.8387.7344.dll
MD5
a5c332938346b2a5ac2796637df514b2

SHA1
e6087b42c9ee6591a094b1a3d036e16344d74903

SHA256
2707d26fd4137e118ef46a40f0694eb7be3889b9be5c85d22ac4abca664a54d8

SHA512
6730c79000876838c02801085a67545724bbc80448c843d050765972a7fbd3f24d27a3459ab9d0d249d9432e7d6dfb7faf195dc5e2303ae9bb5c17c0fae874e3

Download Submit
\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Razy.831269.8387.7344.dll
MD5
a5c332938346b2a5ac2796637df514b2

SHA1
e6087b42c9ee6591a094b1a3d036e16344d74903

SHA256
2707d26fd4137e118ef46a40f0694eb7be3889b9be5c85d22ac4abca664a54d8

SHA512
6730c79000876838c02801085a67545724bbc80448c843d050765972a7fbd3f24d27a3459ab9d0d249d9432e7d6dfb7faf195dc5e2303ae9bb5c17c0fae874e3

Download Submit
memory/636-13-0x0000000000000000-mapping.dmp

Download
memory/636-14-0x000007FEFC1C1000-0x000007FEFC1C3000-memory.dmp

Filesize
8KB

Download
memory/756-16-0x0000000000000000-mapping.dmp

Download
memory/1108-9-0x0000000010000000-0x0000000010035000-memory.dmp

Filesize
212KB

Download
memory/1108-2-0x0000000000000000-mapping.dmp

Download
memory/1108-4-0x0000000000190000-0x00000000001C3000-memory.dmp

Filesize
204KB

Download
memory/1108-5-0x0000000010000000-0x0000000010035000-memory.dmp

Filesize
212KB

Download
memory/1108-3-0x0000000076341000-0x0000000076343000-memory.dmp

Filesize
8KB

Download
memory/1380-10-0x0000000000310000-0x0000000000345000-memory.dmp

Filesize
212KB

Download
memory/1380-12-0x0000000000310000-0x0000000000345000-memory.dmp

Filesize
212KB

Download
memory/1380-8-0x0000000075011000-0x0000000075013000-memory.dmp

Filesize
8KB

Download
memory/1380-6-0x0000000000000000-mapping.dmp

Download
memory/1664-11-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads