qakbot | cf6fea34af1f1e02cfc44a685bc90c9c8c04e18a722ccf61ec73d952df774f80

General

Target

cf6fea34af1f1e02cfc44a685bc90c9c8c04e18a722ccf61ec73d952df774f80.dll
Size

909KB
MD5

ee0a11ed10588b6c7c35b6a36f0998da
SHA1

21e0eb33704b6dcf2e1899d90d6600a5db60e864
SHA256

cf6fea34af1f1e02cfc44a685bc90c9c8c04e18a722ccf61ec73d952df774f80
SHA512

e5319309a939ab8be761b94247e8f196a315f0e8bf66d1e31a94bde2f853dbc5143a2a2906ba0c0f2ef6f652e761de8befb78f545e6ea59aae9222e87fb4ec20

Score

10^/10

qakbot domain02 1613028094 banker stealer trojan

Malware Config

Extracted

Family

qakbot

Version

401.138

Botnet

domain02

Campaign

1613028094

C2

32.210.98.6:443

70.49.88.199:2222

151.205.102.42:443

178.152.79.153:995

216.195.46.163:2222

72.252.201.69:443

90.65.236.181:2222

98.173.34.212:995

97.69.160.4:2222

69.245.102.225:443

144.139.166.18:443

73.25.124.140:2222

189.223.205.126:443

157.131.108.180:443

71.197.126.250:443

73.228.197.5:443

151.213.189.62:443

24.229.150.54:995

84.72.35.226:443

199.19.117.131:443

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot
Loads dropped DLL 1 IoCs

Processes:

regsvr32.exe

pid process

564 regsvr32.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1232 schtasks.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

rundll32.exe

pid process

1488 rundll32.exe
1488 rundll32.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

rundll32.exe

pid process

1488 rundll32.exe

pid	process
564	regsvr32.exe

pid	process
1232	schtasks.exe

pid	process
1488	rundll32.exe
1488	rundll32.exe

pid	process
1488	rundll32.exe

Suspicious use of WriteProcessMemory 29 IoCs

Processes:

rundll32.exerundll32.exeexplorer.exetaskeng.exeregsvr32.exe

description	pid	process	target process
PID 1608 wrote to memory of 1488	1608	rundll32.exe	rundll32.exe
PID 1608 wrote to memory of 1488	1608	rundll32.exe	rundll32.exe
PID 1608 wrote to memory of 1488	1608	rundll32.exe	rundll32.exe
PID 1608 wrote to memory of 1488	1608	rundll32.exe	rundll32.exe
PID 1608 wrote to memory of 1488	1608	rundll32.exe	rundll32.exe
PID 1608 wrote to memory of 1488	1608	rundll32.exe	rundll32.exe
PID 1608 wrote to memory of 1488	1608	rundll32.exe	rundll32.exe
PID 1488 wrote to memory of 1380	1488	rundll32.exe	explorer.exe
PID 1488 wrote to memory of 1380	1488	rundll32.exe	explorer.exe
PID 1488 wrote to memory of 1380	1488	rundll32.exe	explorer.exe
PID 1488 wrote to memory of 1380	1488	rundll32.exe	explorer.exe
PID 1488 wrote to memory of 1380	1488	rundll32.exe	explorer.exe
PID 1488 wrote to memory of 1380	1488	rundll32.exe	explorer.exe
PID 1380 wrote to memory of 1232	1380	explorer.exe	schtasks.exe
PID 1380 wrote to memory of 1232	1380	explorer.exe	schtasks.exe
PID 1380 wrote to memory of 1232	1380	explorer.exe	schtasks.exe
PID 1380 wrote to memory of 1232	1380	explorer.exe	schtasks.exe
PID 1820 wrote to memory of 744	1820	taskeng.exe	regsvr32.exe
PID 1820 wrote to memory of 744	1820	taskeng.exe	regsvr32.exe
PID 1820 wrote to memory of 744	1820	taskeng.exe	regsvr32.exe
PID 1820 wrote to memory of 744	1820	taskeng.exe	regsvr32.exe
PID 1820 wrote to memory of 744	1820	taskeng.exe	regsvr32.exe
PID 744 wrote to memory of 564	744	regsvr32.exe	regsvr32.exe
PID 744 wrote to memory of 564	744	regsvr32.exe	regsvr32.exe
PID 744 wrote to memory of 564	744	regsvr32.exe	regsvr32.exe
PID 744 wrote to memory of 564	744	regsvr32.exe	regsvr32.exe
PID 744 wrote to memory of 564	744	regsvr32.exe	regsvr32.exe
PID 744 wrote to memory of 564	744	regsvr32.exe	regsvr32.exe
PID 744 wrote to memory of 564	744	regsvr32.exe	regsvr32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\cf6fea34af1f1e02cfc44a685bc90c9c8c04e18a722ccf61ec73d952df774f80.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1608

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\cf6fea34af1f1e02cfc44a685bc90c9c8c04e18a722ccf61ec73d952df774f80.dll,#1
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1488

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:1380

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn awnfnyto /tr "regsvr32.exe -s \"C:\Users\Admin\AppData\Local\Temp\cf6fea34af1f1e02cfc44a685bc90c9c8c04e18a722ccf61ec73d952df774f80.dll\"" /SC ONCE /Z /ST 12:07 /ET 12:19
4⤵
- Creates scheduled task(s)
PID:1232

C:\Windows\system32\taskeng.exe
taskeng.exe {8FFB2E35-2088-4DF1-A7F3-B569A48DF045} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:1820

C:\Windows\system32\regsvr32.exe
regsvr32.exe -s "C:\Users\Admin\AppData\Local\Temp\cf6fea34af1f1e02cfc44a685bc90c9c8c04e18a722ccf61ec73d952df774f80.dll"
2⤵
- Suspicious use of WriteProcessMemory
PID:744

C:\Windows\SysWOW64\regsvr32.exe
-s "C:\Users\Admin\AppData\Local\Temp\cf6fea34af1f1e02cfc44a685bc90c9c8c04e18a722ccf61ec73d952df774f80.dll"
3⤵
- Loads dropped DLL
PID:564

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\cf6fea34af1f1e02cfc44a685bc90c9c8c04e18a722ccf61ec73d952df774f80.dll
MD5
621d952bf7bcadc949871ac623e2b881

SHA1
40dc7ebd3956590b59df0c8e2ed37960cb96b11c

SHA256
793d15bca780af4ddbdaabc95a3b5cc1db4560858eb892ac8bb9126e86fb6c1c

SHA512
bc81289d0fd93b3657940d3f80309db0898919e2781ea9d8845e4e256aa0299d6e6d7161328ab4f4fddca22bd42887431eff9e2448d6fb843618ad7256fe367d

Download Submit
\Users\Admin\AppData\Local\Temp\cf6fea34af1f1e02cfc44a685bc90c9c8c04e18a722ccf61ec73d952df774f80.dll
MD5
621d952bf7bcadc949871ac623e2b881

SHA1
40dc7ebd3956590b59df0c8e2ed37960cb96b11c

SHA256
793d15bca780af4ddbdaabc95a3b5cc1db4560858eb892ac8bb9126e86fb6c1c

SHA512
bc81289d0fd93b3657940d3f80309db0898919e2781ea9d8845e4e256aa0299d6e6d7161328ab4f4fddca22bd42887431eff9e2448d6fb843618ad7256fe367d

Download Submit
memory/564-74-0x0000000000000000-mapping.dmp

Download
memory/744-72-0x000007FEFB631000-0x000007FEFB633000-memory.dmp

Filesize
8KB

Download
memory/744-71-0x0000000000000000-mapping.dmp

Download
memory/1232-70-0x0000000000000000-mapping.dmp

Download
memory/1380-66-0x0000000000000000-mapping.dmp

Download
memory/1380-68-0x0000000074131000-0x0000000074133000-memory.dmp

Filesize
8KB

Download
memory/1380-69-0x0000000000080000-0x00000000000B5000-memory.dmp

Filesize
212KB

Download
memory/1488-60-0x0000000000000000-mapping.dmp

Download
memory/1488-65-0x0000000000310000-0x0000000000345000-memory.dmp

Filesize
212KB

Download
memory/1488-64-0x0000000000230000-0x0000000000264000-memory.dmp

Filesize
208KB

Download
memory/1488-63-0x0000000000160000-0x0000000000161000-memory.dmp

Filesize
4KB

Download
memory/1488-62-0x0000000000830000-0x0000000000917000-memory.dmp

Filesize
924KB

Download
memory/1488-61-0x0000000075801000-0x0000000075803000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads