qakbot | c647127d36b14ff3c88b96bb216fef124410cce193f1a3d03a2c2b45c4ff2813

General

Target

SecuriteInfo.com.Variant.Razy.831269.4861.22218.dll
Size

1.5MB
MD5

6397caa1b720f2cf7dcc9221d7f62452
SHA1

2fc9a4fb8746305213c9044a4b9a0ebb81aac23d
SHA256

c647127d36b14ff3c88b96bb216fef124410cce193f1a3d03a2c2b45c4ff2813
SHA512

5849b74999794d72d09be93581d98b355d63d49ea8c8a57e6e5dcb4e52472d3f4f0f0c63480ab70e490ef89c50904858b25f78fe0d22af218d5776d57ddb3959

Score

10^/10

qakbot abc119 1611224824 banker stealer trojan

Malware Config

Extracted

Family

qakbot

Botnet

abc119

Campaign

1611224824

C2

106.51.52.111:443

83.110.12.140:2222

89.3.198.238:443

86.220.60.133:2222

45.77.115.208:8443

45.77.115.208:995

71.117.132.169:443

82.76.47.211:443

125.63.101.62:443

86.98.93.124:2078

178.152.70.12:995

78.97.207.104:443

77.27.174.49:995

173.70.165.101:995

64.121.114.87:443

188.24.128.253:443

89.137.211.239:995

80.227.5.70:443

81.97.154.100:443

98.121.187.78:443

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot
Loads dropped DLL 1 IoCs

Processes:

regsvr32.exe

pid process

1648 regsvr32.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

608 schtasks.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

rundll32.exe

pid process

1844 rundll32.exe
1844 rundll32.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

rundll32.exe

pid process

1844 rundll32.exe

pid	process
1648	regsvr32.exe

pid	process
608	schtasks.exe

pid	process
1844	rundll32.exe
1844	rundll32.exe

pid	process
1844	rundll32.exe

Suspicious use of WriteProcessMemory 29 IoCs

Processes:

rundll32.exerundll32.exeexplorer.exetaskeng.exeregsvr32.exe

description	pid	process	target process
PID 776 wrote to memory of 1844	776	rundll32.exe	rundll32.exe
PID 776 wrote to memory of 1844	776	rundll32.exe	rundll32.exe
PID 776 wrote to memory of 1844	776	rundll32.exe	rundll32.exe
PID 776 wrote to memory of 1844	776	rundll32.exe	rundll32.exe
PID 776 wrote to memory of 1844	776	rundll32.exe	rundll32.exe
PID 776 wrote to memory of 1844	776	rundll32.exe	rundll32.exe
PID 776 wrote to memory of 1844	776	rundll32.exe	rundll32.exe
PID 1844 wrote to memory of 1240	1844	rundll32.exe	explorer.exe
PID 1844 wrote to memory of 1240	1844	rundll32.exe	explorer.exe
PID 1844 wrote to memory of 1240	1844	rundll32.exe	explorer.exe
PID 1844 wrote to memory of 1240	1844	rundll32.exe	explorer.exe
PID 1844 wrote to memory of 1240	1844	rundll32.exe	explorer.exe
PID 1844 wrote to memory of 1240	1844	rundll32.exe	explorer.exe
PID 1240 wrote to memory of 608	1240	explorer.exe	schtasks.exe
PID 1240 wrote to memory of 608	1240	explorer.exe	schtasks.exe
PID 1240 wrote to memory of 608	1240	explorer.exe	schtasks.exe
PID 1240 wrote to memory of 608	1240	explorer.exe	schtasks.exe
PID 732 wrote to memory of 1512	732	taskeng.exe	regsvr32.exe
PID 732 wrote to memory of 1512	732	taskeng.exe	regsvr32.exe
PID 732 wrote to memory of 1512	732	taskeng.exe	regsvr32.exe
PID 732 wrote to memory of 1512	732	taskeng.exe	regsvr32.exe
PID 732 wrote to memory of 1512	732	taskeng.exe	regsvr32.exe
PID 1512 wrote to memory of 1648	1512	regsvr32.exe	regsvr32.exe
PID 1512 wrote to memory of 1648	1512	regsvr32.exe	regsvr32.exe
PID 1512 wrote to memory of 1648	1512	regsvr32.exe	regsvr32.exe
PID 1512 wrote to memory of 1648	1512	regsvr32.exe	regsvr32.exe
PID 1512 wrote to memory of 1648	1512	regsvr32.exe	regsvr32.exe
PID 1512 wrote to memory of 1648	1512	regsvr32.exe	regsvr32.exe
PID 1512 wrote to memory of 1648	1512	regsvr32.exe	regsvr32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Razy.831269.4861.22218.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:776

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Razy.831269.4861.22218.dll,#1
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1844

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:1240

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn reqolbkj /tr "regsvr32.exe -s \"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Razy.831269.4861.22218.dll\"" /SC ONCE /Z /ST 04:59 /ET 05:11
4⤵
- Creates scheduled task(s)
PID:608

C:\Windows\system32\taskeng.exe
taskeng.exe {7D63C0B4-2EE4-49C2-A22B-99F58E76BB2E} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:732

C:\Windows\system32\regsvr32.exe
regsvr32.exe -s "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Razy.831269.4861.22218.dll"
2⤵
- Suspicious use of WriteProcessMemory
PID:1512

C:\Windows\SysWOW64\regsvr32.exe
-s "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Razy.831269.4861.22218.dll"
3⤵
- Loads dropped DLL
PID:1648

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Razy.831269.4861.22218.dll
MD5
a3a457a469d4311f12c27731efe4dd03

SHA1
c91c2c604ef6186b18bf61c78ae570b4f430cfdd

SHA256
7692ed290c060d69683a8fe649c495da278b9f0c7ace7e62dd2b4fc57f6a2b1a

SHA512
cd5de6f3d52bcd469ea0ca95b94c74d7b8ca303593c3fd36dabbe11586db31d2275f8f92fea2538da8f5532c1464203c1288b0b07f1836085535f2cee2bde1a4

Download Submit
\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Razy.831269.4861.22218.dll
MD5
a3a457a469d4311f12c27731efe4dd03

SHA1
c91c2c604ef6186b18bf61c78ae570b4f430cfdd

SHA256
7692ed290c060d69683a8fe649c495da278b9f0c7ace7e62dd2b4fc57f6a2b1a

SHA512
cd5de6f3d52bcd469ea0ca95b94c74d7b8ca303593c3fd36dabbe11586db31d2275f8f92fea2538da8f5532c1464203c1288b0b07f1836085535f2cee2bde1a4

Download Submit
memory/608-10-0x0000000000000000-mapping.dmp

Download
memory/1240-6-0x0000000000000000-mapping.dmp

Download
memory/1240-8-0x00000000747E1000-0x00000000747E3000-memory.dmp

Filesize
8KB

Download
memory/1240-11-0x0000000000080000-0x00000000000B5000-memory.dmp

Filesize
212KB

Download
memory/1240-12-0x0000000000080000-0x00000000000B5000-memory.dmp

Filesize
212KB

Download
memory/1512-13-0x0000000000000000-mapping.dmp

Download
memory/1512-14-0x000007FEFB991000-0x000007FEFB993000-memory.dmp

Filesize
8KB

Download
memory/1648-16-0x0000000000000000-mapping.dmp

Download
memory/1844-4-0x0000000000120000-0x0000000000153000-memory.dmp

Filesize
204KB

Download
memory/1844-9-0x0000000010000000-0x0000000010035000-memory.dmp

Filesize
212KB

Download
memory/1844-2-0x0000000000000000-mapping.dmp

Download
memory/1844-5-0x0000000010000000-0x0000000010035000-memory.dmp

Filesize
212KB

Download
memory/1844-3-0x0000000075C61000-0x0000000075C63000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads