qakbot | 175a611670e535ef1033f4cb95afd974b24334c2ceddb26b320ca14455a40bb6

General

Target

175a611670e535ef1033f4cb95afd974b24334c2ceddb26b320ca14455a40bb6.dll
Size

963KB
MD5

16f84c82e6f0d47389f70d59d395778d
SHA1

2bc9c1965b0996d9f2e931f1a83dcf81ffd66876
SHA256

175a611670e535ef1033f4cb95afd974b24334c2ceddb26b320ca14455a40bb6
SHA512

78b6b58a857f54038daf1769ec52c23bd2fc5a4d79e3fa4dcd4df2c2a2bbc7a10f2d456a710f1b8ea1fdc67a666933204072e4f361c27101105de61e4efd751b

Score

10^/10

qakbot domain02 1613028094 banker stealer trojan

Malware Config

Extracted

Family

qakbot

Version

401.138

Botnet

domain02

Campaign

1613028094

C2

32.210.98.6:443

70.49.88.199:2222

151.205.102.42:443

178.152.79.153:995

216.195.46.163:2222

72.252.201.69:443

90.65.236.181:2222

98.173.34.212:995

97.69.160.4:2222

69.245.102.225:443

144.139.166.18:443

73.25.124.140:2222

189.223.205.126:443

157.131.108.180:443

71.197.126.250:443

73.228.197.5:443

151.213.189.62:443

24.229.150.54:995

84.72.35.226:443

199.19.117.131:443

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot
Loads dropped DLL 1 IoCs

Processes:

regsvr32.exe

pid process

1008 regsvr32.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1312 schtasks.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

rundll32.exe

pid process

1512 rundll32.exe
1512 rundll32.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

rundll32.exe

pid process

1512 rundll32.exe

pid	process
1008	regsvr32.exe

pid	process
1312	schtasks.exe

pid	process
1512	rundll32.exe
1512	rundll32.exe

pid	process
1512	rundll32.exe

Suspicious use of WriteProcessMemory 29 IoCs

Processes:

rundll32.exerundll32.exeexplorer.exetaskeng.exeregsvr32.exe

description	pid	process	target process
PID 1776 wrote to memory of 1512	1776	rundll32.exe	rundll32.exe
PID 1776 wrote to memory of 1512	1776	rundll32.exe	rundll32.exe
PID 1776 wrote to memory of 1512	1776	rundll32.exe	rundll32.exe
PID 1776 wrote to memory of 1512	1776	rundll32.exe	rundll32.exe
PID 1776 wrote to memory of 1512	1776	rundll32.exe	rundll32.exe
PID 1776 wrote to memory of 1512	1776	rundll32.exe	rundll32.exe
PID 1776 wrote to memory of 1512	1776	rundll32.exe	rundll32.exe
PID 1512 wrote to memory of 1340	1512	rundll32.exe	explorer.exe
PID 1512 wrote to memory of 1340	1512	rundll32.exe	explorer.exe
PID 1512 wrote to memory of 1340	1512	rundll32.exe	explorer.exe
PID 1512 wrote to memory of 1340	1512	rundll32.exe	explorer.exe
PID 1512 wrote to memory of 1340	1512	rundll32.exe	explorer.exe
PID 1512 wrote to memory of 1340	1512	rundll32.exe	explorer.exe
PID 1340 wrote to memory of 1312	1340	explorer.exe	schtasks.exe
PID 1340 wrote to memory of 1312	1340	explorer.exe	schtasks.exe
PID 1340 wrote to memory of 1312	1340	explorer.exe	schtasks.exe
PID 1340 wrote to memory of 1312	1340	explorer.exe	schtasks.exe
PID 1004 wrote to memory of 328	1004	taskeng.exe	regsvr32.exe
PID 1004 wrote to memory of 328	1004	taskeng.exe	regsvr32.exe
PID 1004 wrote to memory of 328	1004	taskeng.exe	regsvr32.exe
PID 1004 wrote to memory of 328	1004	taskeng.exe	regsvr32.exe
PID 1004 wrote to memory of 328	1004	taskeng.exe	regsvr32.exe
PID 328 wrote to memory of 1008	328	regsvr32.exe	regsvr32.exe
PID 328 wrote to memory of 1008	328	regsvr32.exe	regsvr32.exe
PID 328 wrote to memory of 1008	328	regsvr32.exe	regsvr32.exe
PID 328 wrote to memory of 1008	328	regsvr32.exe	regsvr32.exe
PID 328 wrote to memory of 1008	328	regsvr32.exe	regsvr32.exe
PID 328 wrote to memory of 1008	328	regsvr32.exe	regsvr32.exe
PID 328 wrote to memory of 1008	328	regsvr32.exe	regsvr32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\175a611670e535ef1033f4cb95afd974b24334c2ceddb26b320ca14455a40bb6.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1776

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\175a611670e535ef1033f4cb95afd974b24334c2ceddb26b320ca14455a40bb6.dll,#1
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1512

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:1340

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn zuhkkmj /tr "regsvr32.exe -s \"C:\Users\Admin\AppData\Local\Temp\175a611670e535ef1033f4cb95afd974b24334c2ceddb26b320ca14455a40bb6.dll\"" /SC ONCE /Z /ST 12:06 /ET 12:18
4⤵
- Creates scheduled task(s)
PID:1312

C:\Windows\system32\taskeng.exe
taskeng.exe {A53EBE0C-2A8D-4F75-9053-752ECA673B98} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:1004

C:\Windows\system32\regsvr32.exe
regsvr32.exe -s "C:\Users\Admin\AppData\Local\Temp\175a611670e535ef1033f4cb95afd974b24334c2ceddb26b320ca14455a40bb6.dll"
2⤵
- Suspicious use of WriteProcessMemory
PID:328

C:\Windows\SysWOW64\regsvr32.exe
-s "C:\Users\Admin\AppData\Local\Temp\175a611670e535ef1033f4cb95afd974b24334c2ceddb26b320ca14455a40bb6.dll"
3⤵
- Loads dropped DLL
PID:1008

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\175a611670e535ef1033f4cb95afd974b24334c2ceddb26b320ca14455a40bb6.dll
MD5
75875e215a4257db8bd78f1197a48444

SHA1
19fe05902ac323945474b825b2c9af0d85982066

SHA256
a8885d3c1e89889c1483123c4e292ea3ba4bba43cff8dcf86eb0ec888e560d73

SHA512
a05fea25702270195ac548dc7b0642fecece5513b77cc03673c1b6002f79968b637bbb3c176e1075cf26ec776199a16e9b6933843b591dd4b2411457d226d031

Download Submit
\Users\Admin\AppData\Local\Temp\175a611670e535ef1033f4cb95afd974b24334c2ceddb26b320ca14455a40bb6.dll
MD5
75875e215a4257db8bd78f1197a48444

SHA1
19fe05902ac323945474b825b2c9af0d85982066

SHA256
a8885d3c1e89889c1483123c4e292ea3ba4bba43cff8dcf86eb0ec888e560d73

SHA512
a05fea25702270195ac548dc7b0642fecece5513b77cc03673c1b6002f79968b637bbb3c176e1075cf26ec776199a16e9b6933843b591dd4b2411457d226d031

Download Submit
memory/328-72-0x000007FEFBB31000-0x000007FEFBB33000-memory.dmp

Filesize
8KB

Download
memory/328-71-0x0000000000000000-mapping.dmp

Download
memory/1008-74-0x0000000000000000-mapping.dmp

Download
memory/1312-69-0x0000000000000000-mapping.dmp

Download
memory/1340-70-0x0000000000080000-0x00000000000B5000-memory.dmp

Filesize
212KB

Download
memory/1340-68-0x0000000074491000-0x0000000074493000-memory.dmp

Filesize
8KB

Download
memory/1340-66-0x0000000000000000-mapping.dmp

Download
memory/1512-60-0x0000000000000000-mapping.dmp

Download
memory/1512-64-0x0000000000240000-0x0000000000273000-memory.dmp

Filesize
204KB

Download
memory/1512-65-0x0000000000700000-0x0000000000735000-memory.dmp

Filesize
212KB

Download
memory/1512-63-0x0000000000100000-0x0000000000101000-memory.dmp

Filesize
4KB

Download
memory/1512-62-0x0000000001C60000-0x0000000001D55000-memory.dmp

Filesize
980KB

Download
memory/1512-61-0x0000000075C31000-0x0000000075C33000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads