qakbot | 1a8c6286a51023a2c737ea6e18eaeb044d726c4d9f1ed64dd70d9b80d8998cfe

General

Target

1a8c6286a51023a2c737ea6e18eaeb044d726c4d9f1ed64dd70d9b80d8998cfe.bin.dll
Size

890KB
MD5

94128f783ebffa5f5203389d3dc26a0e
SHA1

577840a380a9b4f7aeddd00fa21b15a4926755be
SHA256

1a8c6286a51023a2c737ea6e18eaeb044d726c4d9f1ed64dd70d9b80d8998cfe
SHA512

94afeb12874513354fbf0d23cd7589b962e88efc45a669f01f3f04bde31562b304cd80cdf5d47e75925d4d37292bbe563c0d2f2999e8758520d1858dc4e1765b

Score

10^/10

qakbot biden54 1634810637 banker stealer trojan

Malware Config

Extracted

Family

qakbot

Version

402.363

Botnet

biden54

Campaign

1634810637

C2

136.143.11.232:443

63.143.92.99:995

182.176.180.73:443

136.232.34.70:443

123.252.190.14:443

216.201.162.158:443

37.208.181.198:61200

140.82.49.12:443

197.89.144.102:443

89.137.52.44:443

109.12.111.14:443

78.191.24.189:995

105.198.236.99:995

196.207.140.40:995

41.235.69.115:443

2.222.167.138:443

117.198.156.56:443

24.231.209.2:6881

27.223.92.142:995

96.246.158.154:995

Attributes

salt
jHxastDcds)oMc=jvh7wdUhxcsdt2

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot
Loads dropped DLL 1 IoCs

Processes:

regsvr32.exe

pid process

1948 regsvr32.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1908 schtasks.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

rundll32.exe

pid process

552 rundll32.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

rundll32.exe

pid process

552 rundll32.exe

pid	process
1948	regsvr32.exe

pid	process
1908	schtasks.exe

pid	process
552	rundll32.exe

pid	process
552	rundll32.exe

Suspicious use of WriteProcessMemory 29 IoCs

Processes:

rundll32.exerundll32.exeexplorer.exetaskeng.exeregsvr32.exe

description	pid	process	target process
PID 952 wrote to memory of 552	952	rundll32.exe	rundll32.exe
PID 952 wrote to memory of 552	952	rundll32.exe	rundll32.exe
PID 952 wrote to memory of 552	952	rundll32.exe	rundll32.exe
PID 952 wrote to memory of 552	952	rundll32.exe	rundll32.exe
PID 952 wrote to memory of 552	952	rundll32.exe	rundll32.exe
PID 952 wrote to memory of 552	952	rundll32.exe	rundll32.exe
PID 952 wrote to memory of 552	952	rundll32.exe	rundll32.exe
PID 552 wrote to memory of 1116	552	rundll32.exe	explorer.exe
PID 552 wrote to memory of 1116	552	rundll32.exe	explorer.exe
PID 552 wrote to memory of 1116	552	rundll32.exe	explorer.exe
PID 552 wrote to memory of 1116	552	rundll32.exe	explorer.exe
PID 552 wrote to memory of 1116	552	rundll32.exe	explorer.exe
PID 552 wrote to memory of 1116	552	rundll32.exe	explorer.exe
PID 1116 wrote to memory of 1908	1116	explorer.exe	schtasks.exe
PID 1116 wrote to memory of 1908	1116	explorer.exe	schtasks.exe
PID 1116 wrote to memory of 1908	1116	explorer.exe	schtasks.exe
PID 1116 wrote to memory of 1908	1116	explorer.exe	schtasks.exe
PID 880 wrote to memory of 1392	880	taskeng.exe	regsvr32.exe
PID 880 wrote to memory of 1392	880	taskeng.exe	regsvr32.exe
PID 880 wrote to memory of 1392	880	taskeng.exe	regsvr32.exe
PID 880 wrote to memory of 1392	880	taskeng.exe	regsvr32.exe
PID 880 wrote to memory of 1392	880	taskeng.exe	regsvr32.exe
PID 1392 wrote to memory of 1948	1392	regsvr32.exe	regsvr32.exe
PID 1392 wrote to memory of 1948	1392	regsvr32.exe	regsvr32.exe
PID 1392 wrote to memory of 1948	1392	regsvr32.exe	regsvr32.exe
PID 1392 wrote to memory of 1948	1392	regsvr32.exe	regsvr32.exe
PID 1392 wrote to memory of 1948	1392	regsvr32.exe	regsvr32.exe
PID 1392 wrote to memory of 1948	1392	regsvr32.exe	regsvr32.exe
PID 1392 wrote to memory of 1948	1392	regsvr32.exe	regsvr32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\1a8c6286a51023a2c737ea6e18eaeb044d726c4d9f1ed64dd70d9b80d8998cfe.bin.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:952

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\1a8c6286a51023a2c737ea6e18eaeb044d726c4d9f1ed64dd70d9b80d8998cfe.bin.dll,#1
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:552

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:1116

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn fkgqree /tr "regsvr32.exe -s \"C:\Users\Admin\AppData\Local\Temp\1a8c6286a51023a2c737ea6e18eaeb044d726c4d9f1ed64dd70d9b80d8998cfe.bin.dll\"" /SC ONCE /Z /ST 17:04 /ET 17:16
4⤵
- Creates scheduled task(s)
PID:1908

C:\Windows\system32\taskeng.exe
taskeng.exe {DDF2568E-E91F-4441-BACE-561B86646F3D} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:880

C:\Windows\system32\regsvr32.exe
regsvr32.exe -s "C:\Users\Admin\AppData\Local\Temp\1a8c6286a51023a2c737ea6e18eaeb044d726c4d9f1ed64dd70d9b80d8998cfe.bin.dll"
2⤵
- Suspicious use of WriteProcessMemory
PID:1392

C:\Windows\SysWOW64\regsvr32.exe
-s "C:\Users\Admin\AppData\Local\Temp\1a8c6286a51023a2c737ea6e18eaeb044d726c4d9f1ed64dd70d9b80d8998cfe.bin.dll"
3⤵
- Loads dropped DLL
PID:1948

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1a8c6286a51023a2c737ea6e18eaeb044d726c4d9f1ed64dd70d9b80d8998cfe.bin.dll
MD5
94128f783ebffa5f5203389d3dc26a0e

SHA1
577840a380a9b4f7aeddd00fa21b15a4926755be

SHA256
1a8c6286a51023a2c737ea6e18eaeb044d726c4d9f1ed64dd70d9b80d8998cfe

SHA512
94afeb12874513354fbf0d23cd7589b962e88efc45a669f01f3f04bde31562b304cd80cdf5d47e75925d4d37292bbe563c0d2f2999e8758520d1858dc4e1765b

Download Submit
\Users\Admin\AppData\Local\Temp\1a8c6286a51023a2c737ea6e18eaeb044d726c4d9f1ed64dd70d9b80d8998cfe.bin.dll
MD5
94128f783ebffa5f5203389d3dc26a0e

SHA1
577840a380a9b4f7aeddd00fa21b15a4926755be

SHA256
1a8c6286a51023a2c737ea6e18eaeb044d726c4d9f1ed64dd70d9b80d8998cfe

SHA512
94afeb12874513354fbf0d23cd7589b962e88efc45a669f01f3f04bde31562b304cd80cdf5d47e75925d4d37292bbe563c0d2f2999e8758520d1858dc4e1765b

Download Submit
memory/552-55-0x0000000000000000-mapping.dmp

Download
memory/552-56-0x0000000076431000-0x0000000076433000-memory.dmp

Filesize
8KB

Download
memory/552-57-0x00000000748C0000-0x00000000749B3000-memory.dmp

Filesize
972KB

Download
memory/552-59-0x00000000748C0000-0x00000000749B3000-memory.dmp

Filesize
972KB

Download
memory/552-58-0x00000000748C0000-0x00000000748E1000-memory.dmp

Filesize
132KB

Download
memory/552-60-0x0000000000180000-0x0000000000181000-memory.dmp

Filesize
4KB

Download
memory/1116-64-0x00000000744B1000-0x00000000744B3000-memory.dmp

Filesize
8KB

Download
memory/1116-65-0x0000000000080000-0x00000000000A1000-memory.dmp

Filesize
132KB

Download
memory/1116-62-0x0000000000000000-mapping.dmp

Download
memory/1116-61-0x00000000000B0000-0x00000000000B2000-memory.dmp

Filesize
8KB

Download
memory/1392-67-0x0000000000000000-mapping.dmp

Download
memory/1392-68-0x000007FEFBB21000-0x000007FEFBB23000-memory.dmp

Filesize
8KB

Download
memory/1908-66-0x0000000000000000-mapping.dmp

Download
memory/1948-70-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads