1a8c6286a51023a2c737ea6e18eaeb044d726c4d9f1ed64dd70d9b80d8998cfe.bin

General
Target

1a8c6286a51023a2c737ea6e18eaeb044d726c4d9f1ed64dd70d9b80d8998cfe.bin.dll

Filesize

890KB

Completed

21-10-2021 15:07

Score
10/10
MD5

94128f783ebffa5f5203389d3dc26a0e

SHA1

577840a380a9b4f7aeddd00fa21b15a4926755be

SHA256

1a8c6286a51023a2c737ea6e18eaeb044d726c4d9f1ed64dd70d9b80d8998cfe

Malware Config

Extracted

Family qakbot
Version 402.363
Botnet biden54
Campaign 1634810637
C2

136.143.11.232:443

63.143.92.99:995

182.176.180.73:443

136.232.34.70:443

123.252.190.14:443

216.201.162.158:443

37.208.181.198:61200

140.82.49.12:443

197.89.144.102:443

89.137.52.44:443

109.12.111.14:443

78.191.24.189:995

105.198.236.99:995

196.207.140.40:995

41.235.69.115:443

2.222.167.138:443

117.198.156.56:443

24.231.209.2:6881

27.223.92.142:995

96.246.158.154:995

81.250.153.227:2222

120.150.218.241:995

76.25.142.196:443

89.101.97.139:443

81.213.59.22:443

173.21.10.71:2222

103.142.10.177:443

71.74.12.34:443

24.231.209.2:2222

75.188.35.168:443

209.210.95.228:995

73.151.236.31:443

220.255.25.187:2222

187.156.134.254:443

189.175.219.53:80

108.4.67.252:443

209.210.95.228:993

67.165.206.193:993

173.25.162.221:443

100.1.119.41:443

93.48.58.123:2222

65.100.174.110:443

201.137.10.225:443

24.229.150.54:995

146.66.238.74:443

68.204.7.158:443

37.208.181.198:443

41.86.42.158:995

189.135.16.92:443

187.75.66.160:995
Attributes
salt
jHxastDcds)oMc=jvh7wdUhxcsdt2
Signatures 6

Filter: none

Persistence
  • Qakbot/Qbot

    Description

    Qbot or Qakbot is a sophisticated worm with banking capabilities.

    Tags

  • Loads dropped DLL
    regsvr32.exe

    Reported IOCs

    pidprocess
    1948regsvr32.exe
  • Creates scheduled task(s)
    schtasks.exe

    Description

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    Tags

    TTPs

    Scheduled Task

    Reported IOCs

    pidprocess
    1908schtasks.exe
  • Suspicious behavior: EnumeratesProcesses
    rundll32.exe

    Reported IOCs

    pidprocess
    552rundll32.exe
  • Suspicious behavior: MapViewOfSection
    rundll32.exe

    Reported IOCs

    pidprocess
    552rundll32.exe
  • Suspicious use of WriteProcessMemory
    rundll32.exerundll32.exeexplorer.exetaskeng.exeregsvr32.exe

    Reported IOCs

    descriptionpidprocesstarget process
    PID 952 wrote to memory of 552952rundll32.exerundll32.exe
    PID 952 wrote to memory of 552952rundll32.exerundll32.exe
    PID 952 wrote to memory of 552952rundll32.exerundll32.exe
    PID 952 wrote to memory of 552952rundll32.exerundll32.exe
    PID 952 wrote to memory of 552952rundll32.exerundll32.exe
    PID 952 wrote to memory of 552952rundll32.exerundll32.exe
    PID 952 wrote to memory of 552952rundll32.exerundll32.exe
    PID 552 wrote to memory of 1116552rundll32.exeexplorer.exe
    PID 552 wrote to memory of 1116552rundll32.exeexplorer.exe
    PID 552 wrote to memory of 1116552rundll32.exeexplorer.exe
    PID 552 wrote to memory of 1116552rundll32.exeexplorer.exe
    PID 552 wrote to memory of 1116552rundll32.exeexplorer.exe
    PID 552 wrote to memory of 1116552rundll32.exeexplorer.exe
    PID 1116 wrote to memory of 19081116explorer.exeschtasks.exe
    PID 1116 wrote to memory of 19081116explorer.exeschtasks.exe
    PID 1116 wrote to memory of 19081116explorer.exeschtasks.exe
    PID 1116 wrote to memory of 19081116explorer.exeschtasks.exe
    PID 880 wrote to memory of 1392880taskeng.exeregsvr32.exe
    PID 880 wrote to memory of 1392880taskeng.exeregsvr32.exe
    PID 880 wrote to memory of 1392880taskeng.exeregsvr32.exe
    PID 880 wrote to memory of 1392880taskeng.exeregsvr32.exe
    PID 880 wrote to memory of 1392880taskeng.exeregsvr32.exe
    PID 1392 wrote to memory of 19481392regsvr32.exeregsvr32.exe
    PID 1392 wrote to memory of 19481392regsvr32.exeregsvr32.exe
    PID 1392 wrote to memory of 19481392regsvr32.exeregsvr32.exe
    PID 1392 wrote to memory of 19481392regsvr32.exeregsvr32.exe
    PID 1392 wrote to memory of 19481392regsvr32.exeregsvr32.exe
    PID 1392 wrote to memory of 19481392regsvr32.exeregsvr32.exe
    PID 1392 wrote to memory of 19481392regsvr32.exeregsvr32.exe
Processes 7
  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\1a8c6286a51023a2c737ea6e18eaeb044d726c4d9f1ed64dd70d9b80d8998cfe.bin.dll,#1
    Suspicious use of WriteProcessMemory
    PID:952
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\1a8c6286a51023a2c737ea6e18eaeb044d726c4d9f1ed64dd70d9b80d8998cfe.bin.dll,#1
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of WriteProcessMemory
      PID:552
      • C:\Windows\SysWOW64\explorer.exe
        C:\Windows\SysWOW64\explorer.exe
        Suspicious use of WriteProcessMemory
        PID:1116
        • C:\Windows\SysWOW64\schtasks.exe
          "C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn fkgqree /tr "regsvr32.exe -s \"C:\Users\Admin\AppData\Local\Temp\1a8c6286a51023a2c737ea6e18eaeb044d726c4d9f1ed64dd70d9b80d8998cfe.bin.dll\"" /SC ONCE /Z /ST 17:04 /ET 17:16
          Creates scheduled task(s)
          PID:1908
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {DDF2568E-E91F-4441-BACE-561B86646F3D} S-1-5-18:NT AUTHORITY\System:Service:
    Suspicious use of WriteProcessMemory
    PID:880
    • C:\Windows\system32\regsvr32.exe
      regsvr32.exe -s "C:\Users\Admin\AppData\Local\Temp\1a8c6286a51023a2c737ea6e18eaeb044d726c4d9f1ed64dd70d9b80d8998cfe.bin.dll"
      Suspicious use of WriteProcessMemory
      PID:1392
      • C:\Windows\SysWOW64\regsvr32.exe
        -s "C:\Users\Admin\AppData\Local\Temp\1a8c6286a51023a2c737ea6e18eaeb044d726c4d9f1ed64dd70d9b80d8998cfe.bin.dll"
        Loads dropped DLL
        PID:1948
Network
MITRE ATT&CK Matrix
Collection
    Command and Control
      Credential Access
        Defense Evasion
          Discovery
            Execution
              Exfiltration
                Impact
                  Initial Access
                    Lateral Movement
                      Persistence
                      Privilege Escalation
                        Replay Monitor
                        00:00 00:00
                        Downloads

                        • C:\Users\Admin\AppData\Local\Temp\1a8c6286a51023a2c737ea6e18eaeb044d726c4d9f1ed64dd70d9b80d8998cfe.bin.dll

                          MD5

                          94128f783ebffa5f5203389d3dc26a0e

                          SHA1

                          577840a380a9b4f7aeddd00fa21b15a4926755be

                          SHA256

                          1a8c6286a51023a2c737ea6e18eaeb044d726c4d9f1ed64dd70d9b80d8998cfe

                          SHA512

                          94afeb12874513354fbf0d23cd7589b962e88efc45a669f01f3f04bde31562b304cd80cdf5d47e75925d4d37292bbe563c0d2f2999e8758520d1858dc4e1765b

                          Download Submit

                        • \Users\Admin\AppData\Local\Temp\1a8c6286a51023a2c737ea6e18eaeb044d726c4d9f1ed64dd70d9b80d8998cfe.bin.dll

                          MD5

                          94128f783ebffa5f5203389d3dc26a0e

                          SHA1

                          577840a380a9b4f7aeddd00fa21b15a4926755be

                          SHA256

                          1a8c6286a51023a2c737ea6e18eaeb044d726c4d9f1ed64dd70d9b80d8998cfe

                          SHA512

                          94afeb12874513354fbf0d23cd7589b962e88efc45a669f01f3f04bde31562b304cd80cdf5d47e75925d4d37292bbe563c0d2f2999e8758520d1858dc4e1765b

                          Download Submit

                        • memory/552-56-0x0000000076431000-0x0000000076433000-memory.dmp

                          Download

                        • memory/552-57-0x00000000748C0000-0x00000000749B3000-memory.dmp

                          Download

                        • memory/552-59-0x00000000748C0000-0x00000000749B3000-memory.dmp

                          Download

                        • memory/552-58-0x00000000748C0000-0x00000000748E1000-memory.dmp

                          Download

                        • memory/552-60-0x0000000000180000-0x0000000000181000-memory.dmp

                          Download

                        • memory/552-55-0x0000000000000000-mapping.dmp

                          Download

                        • memory/1116-62-0x0000000000000000-mapping.dmp

                          Download

                        • memory/1116-65-0x0000000000080000-0x00000000000A1000-memory.dmp

                          Download

                        • memory/1116-61-0x00000000000B0000-0x00000000000B2000-memory.dmp

                          Download

                        • memory/1116-64-0x00000000744B1000-0x00000000744B3000-memory.dmp

                          Download

                        • memory/1392-67-0x0000000000000000-mapping.dmp

                          Download

                        • memory/1392-68-0x000007FEFBB21000-0x000007FEFBB23000-memory.dmp

                          Download

                        • memory/1908-66-0x0000000000000000-mapping.dmp

                          Download

                        • memory/1948-70-0x0000000000000000-mapping.dmp

                          Download