qakbot | 05bd9cbf9725884979435d684a7268a75eb05d5916dc85325b0286e9ed71a038

General

Target

44467.7730002314.dat.dll
Size

750KB
MD5

e2ea31f06e36a66fe29fdad302410e36
SHA1

6e7b7faee6212f233373c559f0e8900f80b7098a
SHA256

05bd9cbf9725884979435d684a7268a75eb05d5916dc85325b0286e9ed71a038
SHA512

87b3af9ce4f72e6c7d2920654f6dde2ed274674bf6b3e3092ab987aceb29c2d47b9ee512a4c044e64a37ba703eff775c575d5cfddb64986eafd2572cab442f87

Score

10^/10

qakbot obama105 1632821932 banker stealer trojan

Malware Config

Extracted

Family

qakbot

Version

402.363

Botnet

obama105

Campaign

1632821932

C2

120.151.47.189:443

41.228.22.180:443

39.52.241.3:995

199.27.127.129:443

216.201.162.158:443

136.232.34.70:443

196.217.156.63:995

120.150.218.241:995

95.77.223.148:443

185.250.148.74:443

181.118.183.94:443

105.198.236.99:443

140.82.49.12:443

37.210.152.224:995

89.101.97.139:443

81.241.252.59:2078

27.223.92.142:995

81.250.153.227:2222

73.151.236.31:443

47.22.148.6:443

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot
Loads dropped DLL 1 IoCs

Processes:

regsvr32.exe

pid process

1060 regsvr32.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1836 schtasks.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

rundll32.exe

pid process

1988 rundll32.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

rundll32.exe

pid process

1988 rundll32.exe

pid	process
1060	regsvr32.exe

pid	process
1836	schtasks.exe

pid	process
1988	rundll32.exe

pid	process
1988	rundll32.exe

Suspicious use of WriteProcessMemory 29 IoCs

Processes:

rundll32.exerundll32.exeexplorer.exetaskeng.exeregsvr32.exe

description	pid	process	target process
PID 1980 wrote to memory of 1988	1980	rundll32.exe	rundll32.exe
PID 1980 wrote to memory of 1988	1980	rundll32.exe	rundll32.exe
PID 1980 wrote to memory of 1988	1980	rundll32.exe	rundll32.exe
PID 1980 wrote to memory of 1988	1980	rundll32.exe	rundll32.exe
PID 1980 wrote to memory of 1988	1980	rundll32.exe	rundll32.exe
PID 1980 wrote to memory of 1988	1980	rundll32.exe	rundll32.exe
PID 1980 wrote to memory of 1988	1980	rundll32.exe	rundll32.exe
PID 1988 wrote to memory of 1828	1988	rundll32.exe	explorer.exe
PID 1988 wrote to memory of 1828	1988	rundll32.exe	explorer.exe
PID 1988 wrote to memory of 1828	1988	rundll32.exe	explorer.exe
PID 1988 wrote to memory of 1828	1988	rundll32.exe	explorer.exe
PID 1988 wrote to memory of 1828	1988	rundll32.exe	explorer.exe
PID 1988 wrote to memory of 1828	1988	rundll32.exe	explorer.exe
PID 1828 wrote to memory of 1836	1828	explorer.exe	schtasks.exe
PID 1828 wrote to memory of 1836	1828	explorer.exe	schtasks.exe
PID 1828 wrote to memory of 1836	1828	explorer.exe	schtasks.exe
PID 1828 wrote to memory of 1836	1828	explorer.exe	schtasks.exe
PID 568 wrote to memory of 1460	568	taskeng.exe	regsvr32.exe
PID 568 wrote to memory of 1460	568	taskeng.exe	regsvr32.exe
PID 568 wrote to memory of 1460	568	taskeng.exe	regsvr32.exe
PID 568 wrote to memory of 1460	568	taskeng.exe	regsvr32.exe
PID 568 wrote to memory of 1460	568	taskeng.exe	regsvr32.exe
PID 1460 wrote to memory of 1060	1460	regsvr32.exe	regsvr32.exe
PID 1460 wrote to memory of 1060	1460	regsvr32.exe	regsvr32.exe
PID 1460 wrote to memory of 1060	1460	regsvr32.exe	regsvr32.exe
PID 1460 wrote to memory of 1060	1460	regsvr32.exe	regsvr32.exe
PID 1460 wrote to memory of 1060	1460	regsvr32.exe	regsvr32.exe
PID 1460 wrote to memory of 1060	1460	regsvr32.exe	regsvr32.exe
PID 1460 wrote to memory of 1060	1460	regsvr32.exe	regsvr32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\44467.7730002314.dat.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1980

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\44467.7730002314.dat.dll,#1
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1988

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:1828

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn kfkwenotap /tr "regsvr32.exe -s \"C:\Users\Admin\AppData\Local\Temp\44467.7730002314.dat.dll\"" /SC ONCE /Z /ST 17:50 /ET 18:02
4⤵
- Creates scheduled task(s)
PID:1836

C:\Windows\system32\taskeng.exe
taskeng.exe {95A61843-B289-470C-BF03-06E868486472} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:568

C:\Windows\system32\regsvr32.exe
regsvr32.exe -s "C:\Users\Admin\AppData\Local\Temp\44467.7730002314.dat.dll"
2⤵
- Suspicious use of WriteProcessMemory
PID:1460

C:\Windows\SysWOW64\regsvr32.exe
-s "C:\Users\Admin\AppData\Local\Temp\44467.7730002314.dat.dll"
3⤵
- Loads dropped DLL
PID:1060

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\44467.7730002314.dat.dll
MD5
e2ea31f06e36a66fe29fdad302410e36

SHA1
6e7b7faee6212f233373c559f0e8900f80b7098a

SHA256
05bd9cbf9725884979435d684a7268a75eb05d5916dc85325b0286e9ed71a038

SHA512
87b3af9ce4f72e6c7d2920654f6dde2ed274674bf6b3e3092ab987aceb29c2d47b9ee512a4c044e64a37ba703eff775c575d5cfddb64986eafd2572cab442f87

Download Submit
\Users\Admin\AppData\Local\Temp\44467.7730002314.dat.dll
MD5
e2ea31f06e36a66fe29fdad302410e36

SHA1
6e7b7faee6212f233373c559f0e8900f80b7098a

SHA256
05bd9cbf9725884979435d684a7268a75eb05d5916dc85325b0286e9ed71a038

SHA512
87b3af9ce4f72e6c7d2920654f6dde2ed274674bf6b3e3092ab987aceb29c2d47b9ee512a4c044e64a37ba703eff775c575d5cfddb64986eafd2572cab442f87

Download Submit
memory/1060-73-0x0000000000000000-mapping.dmp

Download
memory/1460-70-0x0000000000000000-mapping.dmp

Download
memory/1460-71-0x000007FEFC051000-0x000007FEFC053000-memory.dmp

Filesize
8KB

Download
memory/1828-67-0x0000000074CC1000-0x0000000074CC3000-memory.dmp

Filesize
8KB

Download
memory/1828-69-0x0000000000080000-0x00000000000A1000-memory.dmp

Filesize
132KB

Download
memory/1828-65-0x0000000000000000-mapping.dmp

Download
memory/1836-68-0x0000000000000000-mapping.dmp

Download
memory/1988-60-0x0000000000000000-mapping.dmp

Download
memory/1988-64-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/1988-63-0x0000000074EA0000-0x0000000074F72000-memory.dmp

Filesize
840KB

Download
memory/1988-62-0x0000000074EA0000-0x0000000074EC1000-memory.dmp

Filesize
132KB

Download
memory/1988-61-0x00000000767B1000-0x00000000767B3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads