qakbot | e89ce5206b133790f9313989ebfbbd2eee1e4d9cee7c1dcfc1d0f895cda8662f

General

Target

e89ce5206b133790f9313989ebfbbd2eee1e4d9cee7c1dcfc1d0f895cda8662f.dll
Size

349KB
MD5

cd6461213b090d7c4eed79431d4a684f
SHA1

bda16ee8758cea58d83cf2b34efaf0fab6fc42a3
SHA256

e89ce5206b133790f9313989ebfbbd2eee1e4d9cee7c1dcfc1d0f895cda8662f
SHA512

81c8ee342401ea4b1eaa945f8557ecb95f81f91220dd8f110b510db2da7632aa3636a2fd72d3d1a70f213277070627ab8b0e624796b8ec0cc7aa2949fd31b7db

Score

10^/10

qakbot tr 1614598087 banker stealer trojan

Malware Config

Extracted

Family

qakbot

Botnet

tr

Campaign

1614598087

C2

24.95.61.62:443

89.3.198.238:443

196.151.252.84:443

90.65.236.181:2222

2.232.253.79:995

217.133.54.140:32100

195.43.173.70:443

84.247.55.190:8443

136.232.34.70:443

45.63.107.192:443

45.77.115.208:443

149.28.98.196:995

45.32.211.207:8443

149.28.98.196:443

149.28.99.97:443

45.63.107.192:2222

207.246.77.75:443

207.246.77.75:8443

45.77.117.108:443

45.32.211.207:995

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot
Loads dropped DLL 1 IoCs

Processes:

regsvr32.exe

pid process

1564 regsvr32.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3028 1564 WerFault.exe regsvr32.exe

pid	process
1564	regsvr32.exe

pid	pid_target	process	target process
3028	1564	WerFault.exe	regsvr32.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\DeviceDesc	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Service	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\DeviceDesc	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Service	rundll32.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

4092 schtasks.exe

pid	process
4092	schtasks.exe

Suspicious behavior: EnumeratesProcesses 17 IoCs

Processes:

rundll32.exeWerFault.exe

pid	process
652	rundll32.exe
652	rundll32.exe
652	rundll32.exe
652	rundll32.exe
3028	WerFault.exe
3028	WerFault.exe
3028	WerFault.exe
3028	WerFault.exe
3028	WerFault.exe
3028	WerFault.exe
3028	WerFault.exe
3028	WerFault.exe
3028	WerFault.exe
3028	WerFault.exe
3028	WerFault.exe
3028	WerFault.exe
3028	WerFault.exe

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

rundll32.exe

pid process

652 rundll32.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

WerFault.exe

description pid process

Token: SeRestorePrivilege 3028 WerFault.exe
Token: SeBackupPrivilege 3028 WerFault.exe
Token: SeDebugPrivilege 3028 WerFault.exe

description	pid	process
Token: SeRestorePrivilege	3028	WerFault.exe
Token: SeBackupPrivilege	3028	WerFault.exe
Token: SeDebugPrivilege	3028	WerFault.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

rundll32.exerundll32.exeexplorer.exeregsvr32.exe

description	pid	process	target process
PID 1400 wrote to memory of 652	1400	rundll32.exe	rundll32.exe
PID 1400 wrote to memory of 652	1400	rundll32.exe	rundll32.exe
PID 1400 wrote to memory of 652	1400	rundll32.exe	rundll32.exe
PID 652 wrote to memory of 692	652	rundll32.exe	explorer.exe
PID 652 wrote to memory of 692	652	rundll32.exe	explorer.exe
PID 652 wrote to memory of 692	652	rundll32.exe	explorer.exe
PID 652 wrote to memory of 692	652	rundll32.exe	explorer.exe
PID 652 wrote to memory of 692	652	rundll32.exe	explorer.exe
PID 692 wrote to memory of 4092	692	explorer.exe	schtasks.exe
PID 692 wrote to memory of 4092	692	explorer.exe	schtasks.exe
PID 692 wrote to memory of 4092	692	explorer.exe	schtasks.exe
PID 936 wrote to memory of 1564	936	regsvr32.exe	regsvr32.exe
PID 936 wrote to memory of 1564	936	regsvr32.exe	regsvr32.exe
PID 936 wrote to memory of 1564	936	regsvr32.exe	regsvr32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\e89ce5206b133790f9313989ebfbbd2eee1e4d9cee7c1dcfc1d0f895cda8662f.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1400

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\e89ce5206b133790f9313989ebfbbd2eee1e4d9cee7c1dcfc1d0f895cda8662f.dll,#1
2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:652

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:692

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn sabmixvxti /tr "regsvr32.exe -s \"C:\Users\Admin\AppData\Local\Temp\e89ce5206b133790f9313989ebfbbd2eee1e4d9cee7c1dcfc1d0f895cda8662f.dll\"" /SC ONCE /Z /ST 15:45 /ET 15:57
4⤵
- Creates scheduled task(s)
PID:4092

\??\c:\windows\system32\regsvr32.exe
regsvr32.exe -s "C:\Users\Admin\AppData\Local\Temp\e89ce5206b133790f9313989ebfbbd2eee1e4d9cee7c1dcfc1d0f895cda8662f.dll"
1⤵
- Suspicious use of WriteProcessMemory
PID:936

C:\Windows\SysWOW64\regsvr32.exe
-s "C:\Users\Admin\AppData\Local\Temp\e89ce5206b133790f9313989ebfbbd2eee1e4d9cee7c1dcfc1d0f895cda8662f.dll"
2⤵
- Loads dropped DLL
PID:1564

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1564 -s 596
3⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3028

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\e89ce5206b133790f9313989ebfbbd2eee1e4d9cee7c1dcfc1d0f895cda8662f.dll
MD5
a48a5b29ae8c4960912f2d0d8649e816

SHA1
2f0435e2b647a85b5287f25f2e44e343b63c25df

SHA256
45d55a4d11c654c7dacad8445b0ad2be33de165a68e9ecaffdec020a5615875c

SHA512
8ab6791d96683b323f8f1df5f3b64f838af1a546e6963288aa0eb9f05c1c30ef2364765cbf210550a1d2eb25158f2c874a23c9bbf232a90375cfd5d24ab4c8fe

Download Submit
\Users\Admin\AppData\Local\Temp\e89ce5206b133790f9313989ebfbbd2eee1e4d9cee7c1dcfc1d0f895cda8662f.dll
MD5
a48a5b29ae8c4960912f2d0d8649e816

SHA1
2f0435e2b647a85b5287f25f2e44e343b63c25df

SHA256
45d55a4d11c654c7dacad8445b0ad2be33de165a68e9ecaffdec020a5615875c

SHA512
8ab6791d96683b323f8f1df5f3b64f838af1a546e6963288aa0eb9f05c1c30ef2364765cbf210550a1d2eb25158f2c874a23c9bbf232a90375cfd5d24ab4c8fe

Download Submit
memory/652-2-0x0000000000000000-mapping.dmp

Download
memory/652-3-0x0000000004DB0000-0x000000000D005000-memory.dmp

Filesize
130.3MB

Download
memory/652-4-0x0000000010000000-0x0000000018255000-memory.dmp

Filesize
130.3MB

Download
memory/692-5-0x0000000000000000-mapping.dmp

Download
memory/692-7-0x00000000028C0000-0x00000000028F5000-memory.dmp

Filesize
212KB

Download
memory/692-8-0x00000000028C0000-0x00000000028F5000-memory.dmp

Filesize
212KB

Download
memory/1564-10-0x0000000000000000-mapping.dmp

Download
memory/3028-12-0x00000000031B0000-0x00000000031B1000-memory.dmp

Filesize
4KB

Download
memory/4092-6-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads