ocrafh.html

max time kernel130s
max time network114s
platformwindows10_x64
resourcewin10v20210408
submitted12-10-2021 13:05

Report
Files
Registry
Network
Processes
Mutex
Misc

Target

ocrafh.html.dll

Filesize

819KB

Completed

12-10-2021 13:08

Score

10^/10

MD5

2897721785645ad5b2a8fb524ed650c0

SHA1

d836fa75f0682b4c393418231aefca97169d551e

SHA256

956ecb4afa437eafe56f958b34b6a78303ad626baee004715dc6634b7546bf85

qakbot tr 1633597626 banker stealer trojan

Extracted

Family	qakbot
Version	402.363
Botnet	tr
Campaign	1633597626
C2	120.150.218.241:995 185.250.148.74:443 89.137.52.44:443 66.103.170.104:2222 86.8.177.143:443 216.201.162.158:443 174.54.193.186:443 103.148.120.144:443 188.50.169.158:443 124.123.42.115:2222 140.82.49.12:443 199.27.127.129:443 81.241.252.59:2078 209.142.97.161:995 209.50.20.255:443 73.230.205.91:443 200.232.214.222:995 103.142.10.177:443 2.222.167.138:443 41.228.22.180:443 122.11.220.212:2222 78.191.58.219:995 47.22.148.6:443 74.72.237.54:443 217.17.56.163:465 96.57.188.174:2078 94.200.181.154:443 37.210.152.224:995 201.93.111.2:995 202.134.178.157:443 89.101.97.139:443 73.52.50.32:443 188.55.235.110:995 27.223.92.142:995 181.118.183.94:443 136.232.34.70:443 186.32.163.199:443 72.173.78.211:443 76.25.142.196:443 45.46.53.140:2222 98.157.235.126:443 173.21.10.71:2222 73.151.236.31:443 71.74.12.34:443 75.75.179.226:443 167.248.117.81:443 67.165.206.193:993 47.40.196.233:2222 72.252.201.69:443 181.4.53.6:465 109.12.111.14:443 24.171.50.5:443 24.139.72.117:443 24.55.112.61:443 24.229.150.54:995 77.57.204.78:443 81.250.153.227:2222 49.33.237.65:443 66.177.215.152:50010 177.170.201.134:995 75.188.35.168:443 120.151.47.189:443 173.25.162.221:443 201.6.246.227:995 66.177.215.152:443 217.17.56.163:2222 202.165.32.158:2222 39.52.229.8:995 42.60.70.14:443 73.140.38.124:443 167.248.100.227:443 63.70.164.200:443 69.30.186.190:443 189.131.221.201:443 68.204.7.158:443 181.84.114.46:443 167.248.99.149:443 177.94.21.110:995 50.54.32.149:443 189.224.181.39:443 24.119.214.7:443 63.70.164.200:995 177.94.125.59:995 82.18.173.253:2222 73.130.180.25:443 217.17.56.163:2078 162.244.227.34:443 75.66.88.33:443 206.47.134.234:2222 167.248.54.34:2222 73.77.87.137:443 181.4.53.6:443 190.198.206.189:2222 167.248.111.245:443 96.46.103.226:443 73.25.124.140:2222 24.152.219.253:995 68.186.192.69:443 162.210.220.137:443 174.54.58.170:443 103.246.130.114:1194 103.246.130.35:21 103.246.130.2:20 103.246.130.122:20 105.198.236.99:443 103.157.122.198:995 4.34.193.180:995 159.2.51.200:2222 110.174.64.179:995 187.101.25.96:32100 76.84.230.103:443 174.59.35.191:443 173.63.245.129:443 68.117.229.117:443 75.163.81.130:995 76.84.32.159:443 147.92.51.49:443 76.84.226.17:443 68.13.157.69:443 167.248.126.223:443 72.196.22.184:443 98.22.92.139:995 97.98.130.50:443 196.117.224.53:995 191.191.38.8:443 188.210.210.122:443 96.46.103.109:2222 37.117.191.19:2222 197.90.137.161:61201 24.32.174.175:443 76.84.225.21:443 78.145.153.73:995 69.30.190.105:995 167.248.81.60:443 69.80.113.148:443 217.17.56.163:443 62.23.194.38:443 62.23.194.41:995 189.210.115.207:443 174.59.226.6:443 73.130.237.36:443 69.253.197.100:443 174.59.242.9:443 120.150.218.241:995 185.250.148.74:443 89.137.52.44:443 66.103.170.104:2222 86.8.177.143:443 216.201.162.158:443 174.54.193.186:443 103.148.120.144:443 188.50.169.158:443 124.123.42.115:2222 140.82.49.12:443 199.27.127.129:443 81.241.252.59:2078 209.142.97.161:995 209.50.20.255:443 73.230.205.91:443 200.232.214.222:995 103.142.10.177:443 2.222.167.138:443 41.228.22.180:443 122.11.220.212:2222 78.191.58.219:995 47.22.148.6:443 74.72.237.54:443 217.17.56.163:465 96.57.188.174:2078 94.200.181.154:443 37.210.152.224:995 201.93.111.2:995 202.134.178.157:443 89.101.97.139:443 73.52.50.32:443 188.55.235.110:995 27.223.92.142:995 181.118.183.94:443 136.232.34.70:443 186.32.163.199:443 72.173.78.211:443 76.25.142.196:443 45.46.53.140:2222 98.157.235.126:443 173.21.10.71:2222 73.151.236.31:443 71.74.12.34:443 75.75.179.226:443 167.248.117.81:443 67.165.206.193:993 47.40.196.233:2222 72.252.201.69:443 181.4.53.6:465 109.12.111.14:443 24.171.50.5:443 24.139.72.117:443 24.55.112.61:443 24.229.150.54:995 77.57.204.78:443 81.250.153.227:2222 49.33.237.65:443 66.177.215.152:50010 177.170.201.134:995 75.188.35.168:443 120.151.47.189:443 173.25.162.221:443 201.6.246.227:995 66.177.215.152:443 217.17.56.163:2222 202.165.32.158:2222 39.52.229.8:995 42.60.70.14:443 73.140.38.124:443 167.248.100.227:443 63.70.164.200:443 69.30.186.190:443 189.131.221.201:443 68.204.7.158:443 181.84.114.46:443 167.248.99.149:443 177.94.21.110:995 50.54.32.149:443 189.224.181.39:443 24.119.214.7:443 63.70.164.200:995 177.94.125.59:995 82.18.173.253:2222 73.130.180.25:443 217.17.56.163:2078 162.244.227.34:443 75.66.88.33:443 206.47.134.234:2222 167.248.54.34:2222 73.77.87.137:443 181.4.53.6:443 190.198.206.189:2222 167.248.111.245:443 96.46.103.226:443 73.25.124.140:2222 24.152.219.253:995 68.186.192.69:443 162.210.220.137:443 174.54.58.170:443 103.246.130.114:1194 103.246.130.35:21 103.246.130.2:20 103.246.130.122:20 105.198.236.99:443 103.157.122.198:995 4.34.193.180:995 159.2.51.200:2222 110.174.64.179:995 187.101.25.96:32100 76.84.230.103:443 174.59.35.191:443 173.63.245.129:443 68.117.229.117:443 75.163.81.130:995 76.84.32.159:443 147.92.51.49:443 76.84.226.17:443 68.13.157.69:443 167.248.126.223:443 72.196.22.184:443 98.22.92.139:995 97.98.130.50:443 196.117.224.53:995 191.191.38.8:443 188.210.210.122:443 96.46.103.109:2222 37.117.191.19:2222 197.90.137.161:61201 24.32.174.175:443 76.84.225.21:443 78.145.153.73:995 69.30.190.105:995 167.248.81.60:443 69.80.113.148:443 217.17.56.163:443 62.23.194.38:443 62.23.194.41:995 189.210.115.207:443 174.59.226.6:443 73.130.237.36:443 69.253.197.100:443 174.59.242.9:443

Persistence

Qakbot/Qbot

Description

Qbot or Qakbot is a sophisticated worm with banking capabilities.

Tags

trojan banker stealer qakbot
Loads dropped DLL
regsvr32.exe

Reported IOCs

pid process

2124 regsvr32.exe
Creates scheduled task(s)
schtasks.exe

Description

Schtasks is often used by malware for persistence or to perform post-infection execution.

Tags

persistence

TTPs

Scheduled Task

Reported IOCs

pid process

3600 schtasks.exe
Suspicious behavior: EnumeratesProcesses
rundll32.exe

Reported IOCs

pid process

3156 rundll32.exe
3156 rundll32.exe
Suspicious behavior: MapViewOfSection
rundll32.exe

Reported IOCs

pid process

3156 rundll32.exe

pid	process
2124	regsvr32.exe

pid	process
3600	schtasks.exe

pid	process
3156	rundll32.exe
3156	rundll32.exe

pid	process
3156	rundll32.exe

Suspicious use of WriteProcessMemory

rundll32.exerundll32.exeexplorer.exeregsvr32.exe

Reported IOCs

description	pid	process	target process
PID 532 wrote to memory of 3156	532	rundll32.exe	rundll32.exe
PID 532 wrote to memory of 3156	532	rundll32.exe	rundll32.exe
PID 532 wrote to memory of 3156	532	rundll32.exe	rundll32.exe
PID 3156 wrote to memory of 3016	3156	rundll32.exe	explorer.exe
PID 3156 wrote to memory of 3016	3156	rundll32.exe	explorer.exe
PID 3156 wrote to memory of 3016	3156	rundll32.exe	explorer.exe
PID 3156 wrote to memory of 3016	3156	rundll32.exe	explorer.exe
PID 3156 wrote to memory of 3016	3156	rundll32.exe	explorer.exe
PID 3016 wrote to memory of 3600	3016	explorer.exe	schtasks.exe
PID 3016 wrote to memory of 3600	3016	explorer.exe	schtasks.exe
PID 3016 wrote to memory of 3600	3016	explorer.exe	schtasks.exe
PID 2004 wrote to memory of 2124	2004	regsvr32.exe	regsvr32.exe
PID 2004 wrote to memory of 2124	2004	regsvr32.exe	regsvr32.exe
PID 2004 wrote to memory of 2124	2004	regsvr32.exe	regsvr32.exe

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ocrafh.html.dll,#1

Suspicious use of WriteProcessMemory

PID:532

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ocrafh.html.dll,#1

Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory

PID:3156

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

Suspicious use of WriteProcessMemory

PID:3016

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn aernstdhol /tr "regsvr32.exe -s \"C:\Users\Admin\AppData\Local\Temp\ocrafh.html.dll\"" /SC ONCE /Z /ST 20:24 /ET 20:36

Creates scheduled task(s)

PID:3600

\??\c:\windows\system32\regsvr32.exe

regsvr32.exe -s "C:\Users\Admin\AppData\Local\Temp\ocrafh.html.dll"

Suspicious use of WriteProcessMemory

PID:2004

C:\Windows\SysWOW64\regsvr32.exe

-s "C:\Users\Admin\AppData\Local\Temp\ocrafh.html.dll"

Loads dropped DLL

PID:2124

Collection

Command and Control

Credential Access

Defense Evasion

Discovery

Execution

Exfiltration

Impact

Initial Access

Lateral Movement

Persistence

Scheduled Task

Privilege Escalation

00:00 00:00

C:\Users\Admin\AppData\Local\Temp\ocrafh.html.dll
MD5
2897721785645ad5b2a8fb524ed650c0

SHA1
d836fa75f0682b4c393418231aefca97169d551e

SHA256
956ecb4afa437eafe56f958b34b6a78303ad626baee004715dc6634b7546bf85

SHA512
f40e3cd7ab855c3d5513efb0c84b831a538226a8baa7d743368989dcb5461b3d0ef7dd5cdd9a538a48835aebe60044e9bfdc063e5fb19cce7fecabe213c2786a

Download Submit
\Users\Admin\AppData\Local\Temp\ocrafh.html.dll
MD5
2897721785645ad5b2a8fb524ed650c0

SHA1
d836fa75f0682b4c393418231aefca97169d551e

SHA256
956ecb4afa437eafe56f958b34b6a78303ad626baee004715dc6634b7546bf85

SHA512
f40e3cd7ab855c3d5513efb0c84b831a538226a8baa7d743368989dcb5461b3d0ef7dd5cdd9a538a48835aebe60044e9bfdc063e5fb19cce7fecabe213c2786a

Download Submit
memory/2124-125-0x0000000000000000-mapping.dmp

Download
memory/3016-123-0x0000000000160000-0x0000000000161000-memory.dmp

Download
memory/3016-122-0x0000000000160000-0x0000000000161000-memory.dmp

Download
memory/3016-119-0x0000000000000000-mapping.dmp

Download
memory/3016-120-0x0000000000960000-0x0000000000981000-memory.dmp

Download
memory/3156-118-0x00000000034F0000-0x00000000034F1000-memory.dmp

Download
memory/3156-116-0x0000000074240000-0x0000000074261000-memory.dmp

Download
memory/3156-117-0x0000000074240000-0x00000000743B1000-memory.dmp

Download
memory/3156-115-0x0000000074240000-0x00000000743B1000-memory.dmp

Download
memory/3156-114-0x0000000000000000-mapping.dmp

Download
memory/3600-121-0x0000000000000000-mapping.dmp

Download

ocrafh.html

Extracted

Filter: none

Description

Tags

Reported IOCs

Description

Tags

TTPs

Reported IOCs

Reported IOCs

Reported IOCs

Reported IOCs

Title