qakbot | 165e8bde726ef15f416f059e15dcf069cae30dfa3f10928409abe78a187430fb

General

Target

44252636284259300000.dat.dll
Size

367KB
MD5

5d9ef3a16d1cf9a758a9e94f6ba70dbf
SHA1

199f42a515222e8a55893ba147138951bfcc1fca
SHA256

165e8bde726ef15f416f059e15dcf069cae30dfa3f10928409abe78a187430fb
SHA512

838717a13828926742f7ac57d0a64b1b82e40b5e483081ee07a8c6c97802c919eadb66a200ab59295a1a861d6e53d4987bc56a9ec2d0b192ec5663ff7ae6078b

Score

10^/10

qakbot obama07 1614243368 banker stealer trojan

Malware Config

Extracted

Family

qakbot

Botnet

obama07

Campaign

1614243368

C2

71.163.223.159:443

87.202.87.210:2222

98.192.185.86:443

78.180.179.136:443

115.133.243.6:443

140.82.49.12:443

2.7.116.188:2222

83.110.11.244:2222

187.250.39.162:443

213.60.147.140:443

188.26.91.212:443

86.236.77.68:2222

172.87.157.235:3389

79.115.174.55:443

113.22.175.141:443

217.133.54.140:32100

83.110.109.106:2222

176.181.247.197:443

59.90.246.200:443

173.21.10.71:2222

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot
Loads dropped DLL 1 IoCs

Processes:

regsvr32.exe

pid process

1320 regsvr32.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1236 schtasks.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

regsvr32.exe

pid process

1456 regsvr32.exe
1456 regsvr32.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

regsvr32.exe

pid process

1456 regsvr32.exe

pid	process
1320	regsvr32.exe

pid	process
1236	schtasks.exe

pid	process
1456	regsvr32.exe
1456	regsvr32.exe

pid	process
1456	regsvr32.exe

Suspicious use of WriteProcessMemory 29 IoCs

Processes:

regsvr32.exeregsvr32.exeexplorer.exetaskeng.exeregsvr32.exe

description	pid	process	target process
PID 1432 wrote to memory of 1456	1432	regsvr32.exe	regsvr32.exe
PID 1432 wrote to memory of 1456	1432	regsvr32.exe	regsvr32.exe
PID 1432 wrote to memory of 1456	1432	regsvr32.exe	regsvr32.exe
PID 1432 wrote to memory of 1456	1432	regsvr32.exe	regsvr32.exe
PID 1432 wrote to memory of 1456	1432	regsvr32.exe	regsvr32.exe
PID 1432 wrote to memory of 1456	1432	regsvr32.exe	regsvr32.exe
PID 1432 wrote to memory of 1456	1432	regsvr32.exe	regsvr32.exe
PID 1456 wrote to memory of 1940	1456	regsvr32.exe	explorer.exe
PID 1456 wrote to memory of 1940	1456	regsvr32.exe	explorer.exe
PID 1456 wrote to memory of 1940	1456	regsvr32.exe	explorer.exe
PID 1456 wrote to memory of 1940	1456	regsvr32.exe	explorer.exe
PID 1456 wrote to memory of 1940	1456	regsvr32.exe	explorer.exe
PID 1456 wrote to memory of 1940	1456	regsvr32.exe	explorer.exe
PID 1940 wrote to memory of 1236	1940	explorer.exe	schtasks.exe
PID 1940 wrote to memory of 1236	1940	explorer.exe	schtasks.exe
PID 1940 wrote to memory of 1236	1940	explorer.exe	schtasks.exe
PID 1940 wrote to memory of 1236	1940	explorer.exe	schtasks.exe
PID 816 wrote to memory of 1168	816	taskeng.exe	regsvr32.exe
PID 816 wrote to memory of 1168	816	taskeng.exe	regsvr32.exe
PID 816 wrote to memory of 1168	816	taskeng.exe	regsvr32.exe
PID 816 wrote to memory of 1168	816	taskeng.exe	regsvr32.exe
PID 816 wrote to memory of 1168	816	taskeng.exe	regsvr32.exe
PID 1168 wrote to memory of 1320	1168	regsvr32.exe	regsvr32.exe
PID 1168 wrote to memory of 1320	1168	regsvr32.exe	regsvr32.exe
PID 1168 wrote to memory of 1320	1168	regsvr32.exe	regsvr32.exe
PID 1168 wrote to memory of 1320	1168	regsvr32.exe	regsvr32.exe
PID 1168 wrote to memory of 1320	1168	regsvr32.exe	regsvr32.exe
PID 1168 wrote to memory of 1320	1168	regsvr32.exe	regsvr32.exe
PID 1168 wrote to memory of 1320	1168	regsvr32.exe	regsvr32.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\44252636284259300000.dat.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:1432

C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\44252636284259300000.dat.dll
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1456

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:1940

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn dkvnsvgb /tr "regsvr32.exe -s \"C:\Users\Admin\AppData\Local\Temp\44252636284259300000.dat.dll\"" /SC ONCE /Z /ST 18:45 /ET 18:57
4⤵
- Creates scheduled task(s)
PID:1236

C:\Windows\system32\taskeng.exe
taskeng.exe {9FD6AA7D-FD0A-4AA5-864F-E1840B2F5857} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:816

C:\Windows\system32\regsvr32.exe
regsvr32.exe -s "C:\Users\Admin\AppData\Local\Temp\44252636284259300000.dat.dll"
2⤵
- Suspicious use of WriteProcessMemory
PID:1168

C:\Windows\SysWOW64\regsvr32.exe
-s "C:\Users\Admin\AppData\Local\Temp\44252636284259300000.dat.dll"
3⤵
- Loads dropped DLL
PID:1320

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\44252636284259300000.dat.dll
MD5
75fba4986eb91149e31a1beb53f75cdc

SHA1
593b86cf459fbfcd7df85dbdaf1f64128a556959

SHA256
1db292792ccf895f56e22019ea630f8b8f202e066bf371545b1ed321956efd87

SHA512
71214ef7f3158db9ab7d743ea585edb3dce6f66c9a6aed82661f26ddacecd41b5bb3806d56fcb9dc48d1f2c2e8c9b28cd23af5b085feeeaa8d0cfeb8b3cfd20c

Download Submit
\Users\Admin\AppData\Local\Temp\44252636284259300000.dat.dll
MD5
75fba4986eb91149e31a1beb53f75cdc

SHA1
593b86cf459fbfcd7df85dbdaf1f64128a556959

SHA256
1db292792ccf895f56e22019ea630f8b8f202e066bf371545b1ed321956efd87

SHA512
71214ef7f3158db9ab7d743ea585edb3dce6f66c9a6aed82661f26ddacecd41b5bb3806d56fcb9dc48d1f2c2e8c9b28cd23af5b085feeeaa8d0cfeb8b3cfd20c

Download Submit
memory/1168-13-0x0000000000000000-mapping.dmp

Download
memory/1236-11-0x0000000000000000-mapping.dmp

Download
memory/1320-16-0x0000000000000000-mapping.dmp

Download
memory/1432-2-0x000007FEFBB21000-0x000007FEFBB23000-memory.dmp

Filesize
8KB

Download
memory/1456-3-0x0000000000000000-mapping.dmp

Download
memory/1456-4-0x0000000075BF1000-0x0000000075BF3000-memory.dmp

Filesize
8KB

Download
memory/1456-5-0x0000000002210000-0x000000000A6E7000-memory.dmp

Filesize
132.8MB

Download
memory/1456-6-0x0000000010000000-0x00000000184D7000-memory.dmp

Filesize
132.8MB

Download
memory/1940-9-0x00000000743D1000-0x00000000743D3000-memory.dmp

Filesize
8KB

Download
memory/1940-12-0x0000000000080000-0x00000000000B5000-memory.dmp

Filesize
212KB

Download
memory/1940-10-0x0000000000080000-0x00000000000B5000-memory.dmp

Filesize
212KB

Download
memory/1940-7-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads