qakbot | e709bd31b9d0f340605499771a33521a09ba3f9b17d19706ecb7748fea93dae5

General

Target

e709bd31b9d0f340605499771a33521a09ba3f9b17d19706ecb7748fea93dae5.dll
Size

512KB
MD5

c12d474142ae599f4b7d3c3decca27c0
SHA1

86326c7cae713774ddf65a90be20a49a86c0a11d
SHA256

e709bd31b9d0f340605499771a33521a09ba3f9b17d19706ecb7748fea93dae5
SHA512

0b4cdf6986fe985d5a9260760e398694315d45b86a33693c851f357a59083c100cc5b88c62e05cf29159b467bef3dc47aa39230cadf79cf62aa7b515b2ec58e3

Score

10^/10

qakbot star01 1634935795 banker stealer trojan

Malware Config

Extracted

Family

qakbot

Version

402.363

Botnet

star01

Campaign

1634935795

C2

45.9.20.200:443

96.246.158.154:995

67.165.206.193:993

207.246.112.221:443

37.208.181.198:61202

77.255.12.88:443

79.160.207.214:443

216.201.162.158:443

185.53.147.51:443

187.250.109.250:443

173.21.10.71:2222

108.4.67.252:443

93.175.84.127:443

84.117.135.69:443

87.64.241.207:995

207.246.112.221:995

188.50.34.167:995

73.25.109.183:2222

213.177.130.71:443

176.63.117.1:443

Attributes

salt
jHxastDcds)oMc=jvh7wdUhxcsdt2

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1340 schtasks.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

rundll32.exe

pid process

2784 rundll32.exe
2784 rundll32.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

rundll32.exe

pid process

2784 rundll32.exe

pid	process
1340	schtasks.exe

pid	process
2784	rundll32.exe
2784	rundll32.exe

pid	process
2784	rundll32.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

rundll32.exerundll32.exeexplorer.exe

description	pid	process	target process
PID 3716 wrote to memory of 2784	3716	rundll32.exe	rundll32.exe
PID 3716 wrote to memory of 2784	3716	rundll32.exe	rundll32.exe
PID 3716 wrote to memory of 2784	3716	rundll32.exe	rundll32.exe
PID 2784 wrote to memory of 2232	2784	rundll32.exe	explorer.exe
PID 2784 wrote to memory of 2232	2784	rundll32.exe	explorer.exe
PID 2784 wrote to memory of 2232	2784	rundll32.exe	explorer.exe
PID 2784 wrote to memory of 2232	2784	rundll32.exe	explorer.exe
PID 2784 wrote to memory of 2232	2784	rundll32.exe	explorer.exe
PID 2232 wrote to memory of 1340	2232	explorer.exe	schtasks.exe
PID 2232 wrote to memory of 1340	2232	explorer.exe	schtasks.exe
PID 2232 wrote to memory of 1340	2232	explorer.exe	schtasks.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\e709bd31b9d0f340605499771a33521a09ba3f9b17d19706ecb7748fea93dae5.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:3716

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\e709bd31b9d0f340605499771a33521a09ba3f9b17d19706ecb7748fea93dae5.dll,#1
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2784

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:2232

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn yuamlzyzp /tr "regsvr32.exe -s \"C:\Users\Admin\AppData\Local\Temp\e709bd31b9d0f340605499771a33521a09ba3f9b17d19706ecb7748fea93dae5.dll\"" /SC ONCE /Z /ST 23:09 /ET 23:21
4⤵
- Creates scheduled task(s)
PID:1340

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1340-119-0x0000000000000000-mapping.dmp

Download
memory/2232-118-0x0000000000000000-mapping.dmp

Download
memory/2232-120-0x0000000003360000-0x0000000003361000-memory.dmp

Filesize
4KB

Download
memory/2232-121-0x0000000003360000-0x0000000003361000-memory.dmp

Filesize
4KB

Download
memory/2232-122-0x00000000007A0000-0x00000000007C1000-memory.dmp

Filesize
132KB

Download
memory/2784-115-0x0000000000000000-mapping.dmp

Download
memory/2784-117-0x0000000010000000-0x0000000010084000-memory.dmp

Filesize
528KB

Download
memory/2784-116-0x00000000030E0000-0x0000000003113000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads