qakbot | a2869406c4661b2c003f0d38aebe8f8e5715bdbc7d67e429023cb0726dbc13f5

General

Target

a2869406c4661b2c003f0d38aebe8f8e5715bdbc7d67e429023cb0726dbc13f5.dll
Size

1.0MB
MD5

f8bedd553a00abdc81ae847d21e958a1
SHA1

1b5ac0acbba430c9e4ccad70a59eb2dedc9b0f5b
SHA256

a2869406c4661b2c003f0d38aebe8f8e5715bdbc7d67e429023cb0726dbc13f5
SHA512

d0089483de35cda1b5fd0e498f7af2f3d471d08fd86cd7efb00df75e9a41fecaccfedfb34f048d69f2663062fd177e823c1213831ce22e0076506ed5eeb35b4e

Score

10^/10

qakbot domain02 1613028094 banker stealer trojan

Malware Config

Extracted

Family

qakbot

Version

401.138

Botnet

domain02

Campaign

1613028094

C2

32.210.98.6:443

70.49.88.199:2222

151.205.102.42:443

178.152.79.153:995

216.195.46.163:2222

72.252.201.69:443

90.65.236.181:2222

98.173.34.212:995

97.69.160.4:2222

69.245.102.225:443

144.139.166.18:443

73.25.124.140:2222

189.223.205.126:443

157.131.108.180:443

71.197.126.250:443

73.228.197.5:443

151.213.189.62:443

24.229.150.54:995

84.72.35.226:443

199.19.117.131:443

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot
Loads dropped DLL 1 IoCs

Processes:

regsvr32.exe

pid process

744 regsvr32.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

268 schtasks.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

rundll32.exe

pid process

1984 rundll32.exe
1984 rundll32.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

rundll32.exe

pid process

1984 rundll32.exe

pid	process
744	regsvr32.exe

pid	process
268	schtasks.exe

pid	process
1984	rundll32.exe
1984	rundll32.exe

pid	process
1984	rundll32.exe

Suspicious use of WriteProcessMemory 29 IoCs

Processes:

rundll32.exerundll32.exeexplorer.exetaskeng.exeregsvr32.exe

description	pid	process	target process
PID 1820 wrote to memory of 1984	1820	rundll32.exe	rundll32.exe
PID 1820 wrote to memory of 1984	1820	rundll32.exe	rundll32.exe
PID 1820 wrote to memory of 1984	1820	rundll32.exe	rundll32.exe
PID 1820 wrote to memory of 1984	1820	rundll32.exe	rundll32.exe
PID 1820 wrote to memory of 1984	1820	rundll32.exe	rundll32.exe
PID 1820 wrote to memory of 1984	1820	rundll32.exe	rundll32.exe
PID 1820 wrote to memory of 1984	1820	rundll32.exe	rundll32.exe
PID 1984 wrote to memory of 1624	1984	rundll32.exe	explorer.exe
PID 1984 wrote to memory of 1624	1984	rundll32.exe	explorer.exe
PID 1984 wrote to memory of 1624	1984	rundll32.exe	explorer.exe
PID 1984 wrote to memory of 1624	1984	rundll32.exe	explorer.exe
PID 1984 wrote to memory of 1624	1984	rundll32.exe	explorer.exe
PID 1984 wrote to memory of 1624	1984	rundll32.exe	explorer.exe
PID 1624 wrote to memory of 268	1624	explorer.exe	schtasks.exe
PID 1624 wrote to memory of 268	1624	explorer.exe	schtasks.exe
PID 1624 wrote to memory of 268	1624	explorer.exe	schtasks.exe
PID 1624 wrote to memory of 268	1624	explorer.exe	schtasks.exe
PID 1876 wrote to memory of 1488	1876	taskeng.exe	regsvr32.exe
PID 1876 wrote to memory of 1488	1876	taskeng.exe	regsvr32.exe
PID 1876 wrote to memory of 1488	1876	taskeng.exe	regsvr32.exe
PID 1876 wrote to memory of 1488	1876	taskeng.exe	regsvr32.exe
PID 1876 wrote to memory of 1488	1876	taskeng.exe	regsvr32.exe
PID 1488 wrote to memory of 744	1488	regsvr32.exe	regsvr32.exe
PID 1488 wrote to memory of 744	1488	regsvr32.exe	regsvr32.exe
PID 1488 wrote to memory of 744	1488	regsvr32.exe	regsvr32.exe
PID 1488 wrote to memory of 744	1488	regsvr32.exe	regsvr32.exe
PID 1488 wrote to memory of 744	1488	regsvr32.exe	regsvr32.exe
PID 1488 wrote to memory of 744	1488	regsvr32.exe	regsvr32.exe
PID 1488 wrote to memory of 744	1488	regsvr32.exe	regsvr32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\a2869406c4661b2c003f0d38aebe8f8e5715bdbc7d67e429023cb0726dbc13f5.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1820

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\a2869406c4661b2c003f0d38aebe8f8e5715bdbc7d67e429023cb0726dbc13f5.dll,#1
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1984

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:1624

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn caxdbkvrv /tr "regsvr32.exe -s \"C:\Users\Admin\AppData\Local\Temp\a2869406c4661b2c003f0d38aebe8f8e5715bdbc7d67e429023cb0726dbc13f5.dll\"" /SC ONCE /Z /ST 12:07 /ET 12:19
4⤵
- Creates scheduled task(s)
PID:268

C:\Windows\system32\taskeng.exe
taskeng.exe {2BC6D3EA-0FDD-4541-8EA4-6C03190FEF3B} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:1876

C:\Windows\system32\regsvr32.exe
regsvr32.exe -s "C:\Users\Admin\AppData\Local\Temp\a2869406c4661b2c003f0d38aebe8f8e5715bdbc7d67e429023cb0726dbc13f5.dll"
2⤵
- Suspicious use of WriteProcessMemory
PID:1488

C:\Windows\SysWOW64\regsvr32.exe
-s "C:\Users\Admin\AppData\Local\Temp\a2869406c4661b2c003f0d38aebe8f8e5715bdbc7d67e429023cb0726dbc13f5.dll"
3⤵
- Loads dropped DLL
PID:744

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\a2869406c4661b2c003f0d38aebe8f8e5715bdbc7d67e429023cb0726dbc13f5.dll
MD5
864cd0daa68f0de200d300c920379707

SHA1
111cba00ad96629d105b9c789879252069ee2df4

SHA256
c2afd7e268e23237d0f474405c766894cdfda799f17f67e5c478ee5c83081f44

SHA512
b3959d4655b4efabbbf6aa6c2e96623bb189c1a5df0e87aa64fb5aa58e4d530a61a0f8a8a2b41e526575a0cfd74d4b4687b2e5487d41cea9c92124e236f46acc

Download Submit
\Users\Admin\AppData\Local\Temp\a2869406c4661b2c003f0d38aebe8f8e5715bdbc7d67e429023cb0726dbc13f5.dll
MD5
864cd0daa68f0de200d300c920379707

SHA1
111cba00ad96629d105b9c789879252069ee2df4

SHA256
c2afd7e268e23237d0f474405c766894cdfda799f17f67e5c478ee5c83081f44

SHA512
b3959d4655b4efabbbf6aa6c2e96623bb189c1a5df0e87aa64fb5aa58e4d530a61a0f8a8a2b41e526575a0cfd74d4b4687b2e5487d41cea9c92124e236f46acc

Download Submit
memory/268-69-0x0000000000000000-mapping.dmp

Download
memory/744-74-0x0000000000000000-mapping.dmp

Download
memory/1488-72-0x000007FEFBED1000-0x000007FEFBED3000-memory.dmp

Filesize
8KB

Download
memory/1488-71-0x0000000000000000-mapping.dmp

Download
memory/1624-70-0x0000000000080000-0x00000000000B5000-memory.dmp

Filesize
212KB

Download
memory/1624-68-0x00000000748F1000-0x00000000748F3000-memory.dmp

Filesize
8KB

Download
memory/1624-66-0x0000000000000000-mapping.dmp

Download
memory/1984-60-0x0000000000000000-mapping.dmp

Download
memory/1984-65-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/1984-64-0x00000000003E0000-0x0000000000440000-memory.dmp

Filesize
384KB

Download
memory/1984-63-0x0000000000120000-0x0000000000121000-memory.dmp

Filesize
4KB

Download
memory/1984-62-0x0000000000540000-0x0000000000647000-memory.dmp

Filesize
1.0MB

Download
memory/1984-61-0x0000000076641000-0x0000000076643000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads