qakbot | cf0c686564c106b2da71b916c7d022e77894c6dd48e5dc8fec000254def55f11

General

Target

44467.702902662.dat.dll
Size

750KB
MD5

3adc41a38c53d9798e9be8d135ba47d8
SHA1

854b7b23da76f583e6c157e643e1e0e50dd902e4
SHA256

cf0c686564c106b2da71b916c7d022e77894c6dd48e5dc8fec000254def55f11
SHA512

c9b9302e9ab3fd345b561e856183d15a65b3f042eb168927abc8177538e97bb271cd6bd7bd87411f46671abbc48bafbb997ccdfa4ba4999ce4335059530da581

Score

10^/10

qakbot obama105 1632821932 banker stealer trojan

Malware Config

Extracted

Family

qakbot

Version

402.363

Botnet

obama105

Campaign

1632821932

C2

120.151.47.189:443

41.228.22.180:443

39.52.241.3:995

199.27.127.129:443

216.201.162.158:443

136.232.34.70:443

196.217.156.63:995

120.150.218.241:995

95.77.223.148:443

185.250.148.74:443

181.118.183.94:443

105.198.236.99:443

140.82.49.12:443

37.210.152.224:995

89.101.97.139:443

81.241.252.59:2078

27.223.92.142:995

81.250.153.227:2222

73.151.236.31:443

47.22.148.6:443

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot
Loads dropped DLL 1 IoCs

Processes:

regsvr32.exe

pid process

4324 regsvr32.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

4316 schtasks.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

rundll32.exe

pid process

4184 rundll32.exe
4184 rundll32.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

rundll32.exe

pid process

4184 rundll32.exe

pid	process
4324	regsvr32.exe

pid	process
4316	schtasks.exe

pid	process
4184	rundll32.exe
4184	rundll32.exe

pid	process
4184	rundll32.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

rundll32.exerundll32.exeexplorer.exeregsvr32.exe

description	pid	process	target process
PID 3704 wrote to memory of 4184	3704	rundll32.exe	rundll32.exe
PID 3704 wrote to memory of 4184	3704	rundll32.exe	rundll32.exe
PID 3704 wrote to memory of 4184	3704	rundll32.exe	rundll32.exe
PID 4184 wrote to memory of 4160	4184	rundll32.exe	explorer.exe
PID 4184 wrote to memory of 4160	4184	rundll32.exe	explorer.exe
PID 4184 wrote to memory of 4160	4184	rundll32.exe	explorer.exe
PID 4184 wrote to memory of 4160	4184	rundll32.exe	explorer.exe
PID 4184 wrote to memory of 4160	4184	rundll32.exe	explorer.exe
PID 4160 wrote to memory of 4316	4160	explorer.exe	schtasks.exe
PID 4160 wrote to memory of 4316	4160	explorer.exe	schtasks.exe
PID 4160 wrote to memory of 4316	4160	explorer.exe	schtasks.exe
PID 4348 wrote to memory of 4324	4348	regsvr32.exe	regsvr32.exe
PID 4348 wrote to memory of 4324	4348	regsvr32.exe	regsvr32.exe
PID 4348 wrote to memory of 4324	4348	regsvr32.exe	regsvr32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\44467.702902662.dat.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:3704
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\44467.702902662.dat.dll,#1
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:4184
- - C:\Windows\SysWOW64\explorer.exe
    C:\Windows\SysWOW64\explorer.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4160
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn sedejdtifb /tr "regsvr32.exe -s \"C:\Users\Admin\AppData\Local\Temp\44467.702902662.dat.dll\"" /SC ONCE /Z /ST 15:01 /ET 15:13
      4⤵
      Creates scheduled task(s)
      PID:4316

\??\c:\windows\system32\regsvr32.exe
regsvr32.exe -s "C:\Users\Admin\AppData\Local\Temp\44467.702902662.dat.dll"
1⤵
- Suspicious use of WriteProcessMemory
PID:4348
- C:\Windows\SysWOW64\regsvr32.exe
  -s "C:\Users\Admin\AppData\Local\Temp\44467.702902662.dat.dll"
  2⤵
  - Loads dropped DLL
  PID:4324

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\44467.702902662.dat.dll

MD5
3adc41a38c53d9798e9be8d135ba47d8

SHA1
854b7b23da76f583e6c157e643e1e0e50dd902e4

SHA256
cf0c686564c106b2da71b916c7d022e77894c6dd48e5dc8fec000254def55f11

SHA512
c9b9302e9ab3fd345b561e856183d15a65b3f042eb168927abc8177538e97bb271cd6bd7bd87411f46671abbc48bafbb997ccdfa4ba4999ce4335059530da581

Download Submit
\Users\Admin\AppData\Local\Temp\44467.702902662.dat.dll

MD5
3adc41a38c53d9798e9be8d135ba47d8

SHA1
854b7b23da76f583e6c157e643e1e0e50dd902e4

SHA256
cf0c686564c106b2da71b916c7d022e77894c6dd48e5dc8fec000254def55f11

SHA512
c9b9302e9ab3fd345b561e856183d15a65b3f042eb168927abc8177538e97bb271cd6bd7bd87411f46671abbc48bafbb997ccdfa4ba4999ce4335059530da581

Download Submit
memory/4160-119-0x0000000000000000-mapping.dmp

Download
memory/4160-123-0x0000000002A40000-0x0000000002A61000-memory.dmp

Filesize
132KB

Download
memory/4184-115-0x0000000000000000-mapping.dmp

Download
memory/4184-117-0x00000000738D0000-0x00000000739A2000-memory.dmp

Filesize
840KB

Download
memory/4184-116-0x00000000738D0000-0x00000000738F1000-memory.dmp

Filesize
132KB

Download
memory/4184-118-0x0000000002BF0000-0x0000000002BF1000-memory.dmp

Filesize
4KB

Download
memory/4316-120-0x0000000000000000-mapping.dmp

Download
memory/4324-125-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads