qakbot | 956ecb4afa437eafe56f958b34b6a78303ad626baee004715dc6634b7546bf85

General

Target

ocrafh.html.dll
Size

819KB
MD5

2897721785645ad5b2a8fb524ed650c0
SHA1

d836fa75f0682b4c393418231aefca97169d551e
SHA256

956ecb4afa437eafe56f958b34b6a78303ad626baee004715dc6634b7546bf85
SHA512

f40e3cd7ab855c3d5513efb0c84b831a538226a8baa7d743368989dcb5461b3d0ef7dd5cdd9a538a48835aebe60044e9bfdc063e5fb19cce7fecabe213c2786a

Score

10^/10

qakbot tr 1633597626 banker stealer trojan

Malware Config

Extracted

Family

qakbot

Version

402.363

Botnet

tr

Campaign

1633597626

C2

120.150.218.241:995

185.250.148.74:443

89.137.52.44:443

66.103.170.104:2222

86.8.177.143:443

216.201.162.158:443

174.54.193.186:443

103.148.120.144:443

188.50.169.158:443

124.123.42.115:2222

140.82.49.12:443

199.27.127.129:443

81.241.252.59:2078

209.142.97.161:995

209.50.20.255:443

73.230.205.91:443

200.232.214.222:995

103.142.10.177:443

2.222.167.138:443

41.228.22.180:443

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot
Loads dropped DLL 1 IoCs

Processes:

regsvr32.exe

pid process

2124 regsvr32.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

3600 schtasks.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

rundll32.exe

pid process

3156 rundll32.exe
3156 rundll32.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

rundll32.exe

pid process

3156 rundll32.exe

pid	process
2124	regsvr32.exe

pid	process
3600	schtasks.exe

pid	process
3156	rundll32.exe
3156	rundll32.exe

pid	process
3156	rundll32.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

rundll32.exerundll32.exeexplorer.exeregsvr32.exe

description	pid	process	target process
PID 532 wrote to memory of 3156	532	rundll32.exe	rundll32.exe
PID 532 wrote to memory of 3156	532	rundll32.exe	rundll32.exe
PID 532 wrote to memory of 3156	532	rundll32.exe	rundll32.exe
PID 3156 wrote to memory of 3016	3156	rundll32.exe	explorer.exe
PID 3156 wrote to memory of 3016	3156	rundll32.exe	explorer.exe
PID 3156 wrote to memory of 3016	3156	rundll32.exe	explorer.exe
PID 3156 wrote to memory of 3016	3156	rundll32.exe	explorer.exe
PID 3156 wrote to memory of 3016	3156	rundll32.exe	explorer.exe
PID 3016 wrote to memory of 3600	3016	explorer.exe	schtasks.exe
PID 3016 wrote to memory of 3600	3016	explorer.exe	schtasks.exe
PID 3016 wrote to memory of 3600	3016	explorer.exe	schtasks.exe
PID 2004 wrote to memory of 2124	2004	regsvr32.exe	regsvr32.exe
PID 2004 wrote to memory of 2124	2004	regsvr32.exe	regsvr32.exe
PID 2004 wrote to memory of 2124	2004	regsvr32.exe	regsvr32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\ocrafh.html.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:532

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\ocrafh.html.dll,#1
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3156

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:3016

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn aernstdhol /tr "regsvr32.exe -s \"C:\Users\Admin\AppData\Local\Temp\ocrafh.html.dll\"" /SC ONCE /Z /ST 20:24 /ET 20:36
4⤵
- Creates scheduled task(s)
PID:3600

\??\c:\windows\system32\regsvr32.exe
regsvr32.exe -s "C:\Users\Admin\AppData\Local\Temp\ocrafh.html.dll"
1⤵
- Suspicious use of WriteProcessMemory
PID:2004

C:\Windows\SysWOW64\regsvr32.exe
-s "C:\Users\Admin\AppData\Local\Temp\ocrafh.html.dll"
2⤵
- Loads dropped DLL
PID:2124

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ocrafh.html.dll
MD5
2897721785645ad5b2a8fb524ed650c0

SHA1
d836fa75f0682b4c393418231aefca97169d551e

SHA256
956ecb4afa437eafe56f958b34b6a78303ad626baee004715dc6634b7546bf85

SHA512
f40e3cd7ab855c3d5513efb0c84b831a538226a8baa7d743368989dcb5461b3d0ef7dd5cdd9a538a48835aebe60044e9bfdc063e5fb19cce7fecabe213c2786a

Download Submit
\Users\Admin\AppData\Local\Temp\ocrafh.html.dll
MD5
2897721785645ad5b2a8fb524ed650c0

SHA1
d836fa75f0682b4c393418231aefca97169d551e

SHA256
956ecb4afa437eafe56f958b34b6a78303ad626baee004715dc6634b7546bf85

SHA512
f40e3cd7ab855c3d5513efb0c84b831a538226a8baa7d743368989dcb5461b3d0ef7dd5cdd9a538a48835aebe60044e9bfdc063e5fb19cce7fecabe213c2786a

Download Submit
memory/2124-125-0x0000000000000000-mapping.dmp

Download
memory/3016-123-0x0000000000160000-0x0000000000161000-memory.dmp

Filesize
4KB

Download
memory/3016-119-0x0000000000000000-mapping.dmp

Download
memory/3016-120-0x0000000000960000-0x0000000000981000-memory.dmp

Filesize
132KB

Download
memory/3016-122-0x0000000000160000-0x0000000000161000-memory.dmp

Filesize
4KB

Download
memory/3156-118-0x00000000034F0000-0x00000000034F1000-memory.dmp

Filesize
4KB

Download
memory/3156-114-0x0000000000000000-mapping.dmp

Download
memory/3156-116-0x0000000074240000-0x0000000074261000-memory.dmp

Filesize
132KB

Download
memory/3156-117-0x0000000074240000-0x00000000743B1000-memory.dmp

Filesize
1.4MB

Download
memory/3156-115-0x0000000074240000-0x00000000743B1000-memory.dmp

Filesize
1.4MB

Download
memory/3600-121-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads