qakbot | 39012a1dc5ba702679b12a81d708f1d15d32be2f8c48746645e62e3fd4aa8d93

General

Target

SecuriteInfo.com.Variant.Razy.831269.8387.7344.dll
Size

1.5MB
MD5

3b322b43ce402d24aa2e7740a4c1a228
SHA1

3d3b3e5f9ca28c17ce02bdea3e6b697749ade04d
SHA256

39012a1dc5ba702679b12a81d708f1d15d32be2f8c48746645e62e3fd4aa8d93
SHA512

330126a5648e3803a06b984197387339453545db16af7b95868d4a4ec45f6eb32bfeb133e9c880888d65ce7a28674153b929d20bb68a772976bb817664fb1969

Score

10^/10

qakbot abc119 1611224824 banker stealer trojan

Malware Config

Extracted

Family

qakbot

Botnet

abc119

Campaign

1611224824

C2

106.51.52.111:443

83.110.12.140:2222

89.3.198.238:443

86.220.60.133:2222

45.77.115.208:8443

45.77.115.208:995

71.117.132.169:443

82.76.47.211:443

125.63.101.62:443

86.98.93.124:2078

178.152.70.12:995

78.97.207.104:443

77.27.174.49:995

173.70.165.101:995

64.121.114.87:443

188.24.128.253:443

89.137.211.239:995

80.227.5.70:443

81.97.154.100:443

98.121.187.78:443

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot
Loads dropped DLL 1 IoCs

Processes:

regsvr32.exe

pid process

1308 regsvr32.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1304 1308 WerFault.exe regsvr32.exe

pid	process
1308	regsvr32.exe

pid	pid_target	process	target process
1304	1308	WerFault.exe	regsvr32.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

rundll32.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\DeviceDesc	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Service	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\DeviceDesc	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Service	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000	rundll32.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

3904 schtasks.exe

pid	process
3904	schtasks.exe

Suspicious behavior: EnumeratesProcesses 17 IoCs

Processes:

rundll32.exeWerFault.exe

pid	process
1004	rundll32.exe
1004	rundll32.exe
1004	rundll32.exe
1004	rundll32.exe
1304	WerFault.exe
1304	WerFault.exe
1304	WerFault.exe
1304	WerFault.exe
1304	WerFault.exe
1304	WerFault.exe
1304	WerFault.exe
1304	WerFault.exe
1304	WerFault.exe
1304	WerFault.exe
1304	WerFault.exe
1304	WerFault.exe
1304	WerFault.exe

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

rundll32.exe

pid process

1004 rundll32.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

WerFault.exe

description pid process

Token: SeRestorePrivilege 1304 WerFault.exe
Token: SeBackupPrivilege 1304 WerFault.exe
Token: SeDebugPrivilege 1304 WerFault.exe

description	pid	process
Token: SeRestorePrivilege	1304	WerFault.exe
Token: SeBackupPrivilege	1304	WerFault.exe
Token: SeDebugPrivilege	1304	WerFault.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

rundll32.exerundll32.exeexplorer.exeregsvr32.exe

description	pid	process	target process
PID 508 wrote to memory of 1004	508	rundll32.exe	rundll32.exe
PID 508 wrote to memory of 1004	508	rundll32.exe	rundll32.exe
PID 508 wrote to memory of 1004	508	rundll32.exe	rundll32.exe
PID 1004 wrote to memory of 4012	1004	rundll32.exe	explorer.exe
PID 1004 wrote to memory of 4012	1004	rundll32.exe	explorer.exe
PID 1004 wrote to memory of 4012	1004	rundll32.exe	explorer.exe
PID 1004 wrote to memory of 4012	1004	rundll32.exe	explorer.exe
PID 1004 wrote to memory of 4012	1004	rundll32.exe	explorer.exe
PID 4012 wrote to memory of 3904	4012	explorer.exe	schtasks.exe
PID 4012 wrote to memory of 3904	4012	explorer.exe	schtasks.exe
PID 4012 wrote to memory of 3904	4012	explorer.exe	schtasks.exe
PID 2268 wrote to memory of 1308	2268	regsvr32.exe	regsvr32.exe
PID 2268 wrote to memory of 1308	2268	regsvr32.exe	regsvr32.exe
PID 2268 wrote to memory of 1308	2268	regsvr32.exe	regsvr32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Razy.831269.8387.7344.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:508

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Razy.831269.8387.7344.dll,#1
2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1004

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:4012

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn hxqbjimzvq /tr "regsvr32.exe -s \"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Razy.831269.8387.7344.dll\"" /SC ONCE /Z /ST 09:18 /ET 09:30
4⤵
- Creates scheduled task(s)
PID:3904

\??\c:\windows\system32\regsvr32.exe
regsvr32.exe -s "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Razy.831269.8387.7344.dll"
1⤵
- Suspicious use of WriteProcessMemory
PID:2268

C:\Windows\SysWOW64\regsvr32.exe
-s "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Razy.831269.8387.7344.dll"
2⤵
- Loads dropped DLL
PID:1308

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1308 -s 596
3⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1304

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Razy.831269.8387.7344.dll
MD5
a5c332938346b2a5ac2796637df514b2

SHA1
e6087b42c9ee6591a094b1a3d036e16344d74903

SHA256
2707d26fd4137e118ef46a40f0694eb7be3889b9be5c85d22ac4abca664a54d8

SHA512
6730c79000876838c02801085a67545724bbc80448c843d050765972a7fbd3f24d27a3459ab9d0d249d9432e7d6dfb7faf195dc5e2303ae9bb5c17c0fae874e3

Download Submit
\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Razy.831269.8387.7344.dll
MD5
a5c332938346b2a5ac2796637df514b2

SHA1
e6087b42c9ee6591a094b1a3d036e16344d74903

SHA256
2707d26fd4137e118ef46a40f0694eb7be3889b9be5c85d22ac4abca664a54d8

SHA512
6730c79000876838c02801085a67545724bbc80448c843d050765972a7fbd3f24d27a3459ab9d0d249d9432e7d6dfb7faf195dc5e2303ae9bb5c17c0fae874e3

Download Submit
memory/1004-2-0x0000000000000000-mapping.dmp

Download
memory/1004-4-0x0000000010000000-0x0000000010035000-memory.dmp

Filesize
212KB

Download
memory/1004-3-0x0000000002C00000-0x0000000002C33000-memory.dmp

Filesize
204KB

Download
memory/1004-6-0x0000000010000000-0x0000000010035000-memory.dmp

Filesize
212KB

Download
memory/1304-13-0x0000000003540000-0x0000000003541000-memory.dmp

Filesize
4KB

Download
memory/1308-11-0x0000000000000000-mapping.dmp

Download
memory/3904-7-0x0000000000000000-mapping.dmp

Download
memory/4012-5-0x0000000000000000-mapping.dmp

Download
memory/4012-8-0x0000000000550000-0x0000000000585000-memory.dmp

Filesize
212KB

Download
memory/4012-9-0x0000000000550000-0x0000000000585000-memory.dmp

Filesize
212KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads