qakbot | 9c03fd876f1e5625e3dff0434d1185d624ab1203fa081c40ca2ebdb04aac27b5

General

Target

9c03fd876f1e5625e3dff0434d1185d624ab1203fa081c40ca2ebdb04aac27b5.dll
Size

617KB
MD5

5e3749f332a005fadc0667375f8c6d19
SHA1

9271eb55dfe65239f20c6d6ac0f313a5f4fd54ff
SHA256

9c03fd876f1e5625e3dff0434d1185d624ab1203fa081c40ca2ebdb04aac27b5
SHA512

ffcd6a8ce211ffa5175e066657490649d585ca8ec7b0606d92a34041740ef3d48b262cda9f960e41e4ccd3b32a48d3fbbdd519c68365c9b6fc5e778e8c1c04ef

Score

10^/10

qakbot tr 1612175155 banker stealer trojan

Malware Config

Extracted

Family

qakbot

Botnet

tr

Campaign

1612175155

C2

89.3.198.238:443

172.78.30.215:443

85.52.72.32:2222

76.110.113.71:995

106.51.52.111:443

75.67.192.125:443

172.115.177.204:2222

197.45.110.165:995

82.76.47.211:443

45.77.115.208:443

45.32.211.207:443

144.202.38.185:443

207.246.116.237:995

149.28.101.90:995

149.28.101.90:8443

207.246.116.237:8443

144.202.38.185:2222

45.32.211.207:8443

149.28.101.90:443

149.28.101.90:2222

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot
Loads dropped DLL 1 IoCs

Processes:

regsvr32.exe

pid process

1276 regsvr32.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

792 schtasks.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

regsvr32.exe

pid process

1176 regsvr32.exe
1176 regsvr32.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

regsvr32.exe

pid process

1176 regsvr32.exe

pid	process
1276	regsvr32.exe

pid	process
792	schtasks.exe

pid	process
1176	regsvr32.exe
1176	regsvr32.exe

pid	process
1176	regsvr32.exe

Suspicious use of WriteProcessMemory 29 IoCs

Processes:

regsvr32.exeregsvr32.exeexplorer.exetaskeng.exeregsvr32.exe

description	pid	process	target process
PID 1968 wrote to memory of 1176	1968	regsvr32.exe	regsvr32.exe
PID 1968 wrote to memory of 1176	1968	regsvr32.exe	regsvr32.exe
PID 1968 wrote to memory of 1176	1968	regsvr32.exe	regsvr32.exe
PID 1968 wrote to memory of 1176	1968	regsvr32.exe	regsvr32.exe
PID 1968 wrote to memory of 1176	1968	regsvr32.exe	regsvr32.exe
PID 1968 wrote to memory of 1176	1968	regsvr32.exe	regsvr32.exe
PID 1968 wrote to memory of 1176	1968	regsvr32.exe	regsvr32.exe
PID 1176 wrote to memory of 1644	1176	regsvr32.exe	explorer.exe
PID 1176 wrote to memory of 1644	1176	regsvr32.exe	explorer.exe
PID 1176 wrote to memory of 1644	1176	regsvr32.exe	explorer.exe
PID 1176 wrote to memory of 1644	1176	regsvr32.exe	explorer.exe
PID 1176 wrote to memory of 1644	1176	regsvr32.exe	explorer.exe
PID 1176 wrote to memory of 1644	1176	regsvr32.exe	explorer.exe
PID 1644 wrote to memory of 792	1644	explorer.exe	schtasks.exe
PID 1644 wrote to memory of 792	1644	explorer.exe	schtasks.exe
PID 1644 wrote to memory of 792	1644	explorer.exe	schtasks.exe
PID 1644 wrote to memory of 792	1644	explorer.exe	schtasks.exe
PID 524 wrote to memory of 296	524	taskeng.exe	regsvr32.exe
PID 524 wrote to memory of 296	524	taskeng.exe	regsvr32.exe
PID 524 wrote to memory of 296	524	taskeng.exe	regsvr32.exe
PID 524 wrote to memory of 296	524	taskeng.exe	regsvr32.exe
PID 524 wrote to memory of 296	524	taskeng.exe	regsvr32.exe
PID 296 wrote to memory of 1276	296	regsvr32.exe	regsvr32.exe
PID 296 wrote to memory of 1276	296	regsvr32.exe	regsvr32.exe
PID 296 wrote to memory of 1276	296	regsvr32.exe	regsvr32.exe
PID 296 wrote to memory of 1276	296	regsvr32.exe	regsvr32.exe
PID 296 wrote to memory of 1276	296	regsvr32.exe	regsvr32.exe
PID 296 wrote to memory of 1276	296	regsvr32.exe	regsvr32.exe
PID 296 wrote to memory of 1276	296	regsvr32.exe	regsvr32.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\9c03fd876f1e5625e3dff0434d1185d624ab1203fa081c40ca2ebdb04aac27b5.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:1968

C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\9c03fd876f1e5625e3dff0434d1185d624ab1203fa081c40ca2ebdb04aac27b5.dll
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1176

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:1644

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn bjlpeqxz /tr "regsvr32.exe -s \"C:\Users\Admin\AppData\Local\Temp\9c03fd876f1e5625e3dff0434d1185d624ab1203fa081c40ca2ebdb04aac27b5.dll\"" /SC ONCE /Z /ST 20:14 /ET 20:26
4⤵
- Creates scheduled task(s)
PID:792

C:\Windows\system32\taskeng.exe
taskeng.exe {75EC3533-B40A-404C-A782-C9AA24E866F1} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:524

C:\Windows\system32\regsvr32.exe
regsvr32.exe -s "C:\Users\Admin\AppData\Local\Temp\9c03fd876f1e5625e3dff0434d1185d624ab1203fa081c40ca2ebdb04aac27b5.dll"
2⤵
- Suspicious use of WriteProcessMemory
PID:296

C:\Windows\SysWOW64\regsvr32.exe
-s "C:\Users\Admin\AppData\Local\Temp\9c03fd876f1e5625e3dff0434d1185d624ab1203fa081c40ca2ebdb04aac27b5.dll"
3⤵
- Loads dropped DLL
PID:1276

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\9c03fd876f1e5625e3dff0434d1185d624ab1203fa081c40ca2ebdb04aac27b5.dll
MD5
d48813a8c5758d4e5ed270919580ff2a

SHA1
552a2c79f109cedc9d3963217e327a4ab3ac141a

SHA256
7c9b82666e1db49005a121f6799be9cb072d5ebba2bfa44effd18e74815a50be

SHA512
8501171a69166b1d8b490a4e02efc8696d9dc8543f1e538280689820a38a272aebd1b0f0260fc29adfec5682ddba60ba38287d302d902d8f11d82bebcd754d53

Download Submit
\Users\Admin\AppData\Local\Temp\9c03fd876f1e5625e3dff0434d1185d624ab1203fa081c40ca2ebdb04aac27b5.dll
MD5
d48813a8c5758d4e5ed270919580ff2a

SHA1
552a2c79f109cedc9d3963217e327a4ab3ac141a

SHA256
7c9b82666e1db49005a121f6799be9cb072d5ebba2bfa44effd18e74815a50be

SHA512
8501171a69166b1d8b490a4e02efc8696d9dc8543f1e538280689820a38a272aebd1b0f0260fc29adfec5682ddba60ba38287d302d902d8f11d82bebcd754d53

Download Submit
memory/296-15-0x0000000000000000-mapping.dmp

Download
memory/792-13-0x0000000000000000-mapping.dmp

Download
memory/1176-6-0x0000000001E80000-0x0000000001F22000-memory.dmp

Filesize
648KB

Download
memory/1176-7-0x0000000001FB0000-0x0000000001FE4000-memory.dmp

Filesize
208KB

Download
memory/1176-8-0x0000000001E80000-0x0000000001EB5000-memory.dmp

Filesize
212KB

Download
memory/1176-5-0x00000000007C0000-0x00000000007C1000-memory.dmp

Filesize
4KB

Download
memory/1176-4-0x0000000075ED1000-0x0000000075ED3000-memory.dmp

Filesize
8KB

Download
memory/1176-3-0x0000000000000000-mapping.dmp

Download
memory/1276-18-0x0000000000000000-mapping.dmp

Download
memory/1644-9-0x0000000000000000-mapping.dmp

Download
memory/1644-11-0x0000000073181000-0x0000000073183000-memory.dmp

Filesize
8KB

Download
memory/1644-12-0x0000000000080000-0x00000000000B5000-memory.dmp

Filesize
212KB

Download
memory/1644-14-0x0000000000080000-0x00000000000B5000-memory.dmp

Filesize
212KB

Download
memory/1968-2-0x000007FEFB831000-0x000007FEFB833000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads