Overview

overview

10

Static

static

029b714502...39.dll

windows10_x64

10

061dfb6a25...52.dll

windows10_x64

10

06d55f75d7...d2.dll

windows10_x64

10

24401ac43b...65.dll

windows10_x64

3

260e2d5769...40.dll

windows10_x64

10

26cd036960...18.dll

windows10_x64

10

2a0a88a2e5...4a.dll

windows10_x64

3

2f33217d51...94.dll

windows10_x64

10

336cdd146b...da.dll

windows10_x64

10

417c1828d9...73.dll

windows10_x64

10

4d3095c796...ee.dll

windows10_x64

10

54e526fe05...4c.dll

windows10_x64

1

6402b33d72...3b.dll

windows10_x64

10

64c044cb3e...db.dll

windows10_x64

10

671f477c30...4e.dll

windows10_x64

10

67785724b6...ce.dll

windows10_x64

3

6c6934613a...fb.dll

windows10_x64

10

6f63742c25...fd.dll

windows10_x64

10

813a9b03c6...48.dll

windows10_x64

10

839ac59a78...e3.dll

windows10_x64

10

85d0b72fe8...39.dll

windows10_x64

10

a34cb4049e...c4.dll

windows10_x64

10

a55c19c552...60.dll

windows10_x64

10

a98e988f03...48.dll

windows10_x64

10

acc31f97c3...27.dll

windows10_x64

10

b194eec1e5...c7.dll

windows10_x64

10

bac73f9cce...00.dll

windows10_x64

10

c5d2f0da18...0c.dll

windows10_x64

10

d559ee0a26...7e.dll

windows10_x64

1

db5276c0d5...79.dll

windows10_x64

10

e5efde9740...15.dll

windows10_x64

10

fe028e6f99...1c.dll

windows10_x64

10

Resubmissions

01-11-2021 12:31

211101-pp5r3ahha4 10

31-10-2021 09:03

211031-k1bwxacfaq 10

14-10-2021 01:44

211014-b6aflafeg4 10

Analysis

  • max time kernel
    3875s
  • max time network
    3890s
  • platform
    windows10_x64
  • resource
    win10-en-20210920
  • submitted
    31-10-2021 09:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    260e2d5769f0a50a7b49d4c43059221eb7acc4b9fc460763e0cfcd793f2a6840.dll

  • Size

    1.0MB

  • MD5

    10c150a949585ba3603cce27707331f0

  • SHA1

    9eeb1747902951835245545b7b3b1e6408c708c2

  • SHA256

    260e2d5769f0a50a7b49d4c43059221eb7acc4b9fc460763e0cfcd793f2a6840

  • SHA512

    668ea267488635b88ef6a929501f8f6b34a02ccb2fa01a311caf89f5c683f0dd6877d8714ddf8b6b24e7a447c40f2cf5c42698638a52ff7b27e6c47ce4f4578b

Score
10/10
qakbottr1633334141bankerevasionstealertrojan

Malware Config

Extracted

Family

qakbot

Version

402.363

Botnet

tr

Campaign

1633334141

C2

75.75.179.226:443

185.250.148.74:443

122.11.220.212:2222

120.150.218.241:995

103.148.120.144:443

140.82.49.12:443

40.131.140.155:995

206.47.134.234:2222

73.230.205.91:443

190.198.206.189:2222

103.157.122.198:995

81.250.153.227:2222

167.248.100.227:443

96.57.188.174:2078

217.17.56.163:2222

217.17.56.163:2078

41.228.22.180:443

136.232.34.70:443

68.186.192.69:443

167.248.111.245:443
Attributes
  • salt

    jHxastDcds)oMc=jvh7wdUhxcsdt2

Signatures

  • Qakbot/Qbot

    Qbot or Qakbot is a sophisticated worm with banking capabilities.

    trojanbankerstealerqakbot
  • Windows security bypass 2 TTPs
    evasiontrojan
  • Loads dropped DLL 1 IoCs
  • Drops file in System32 directory 6 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies data under HKEY_USERS 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of WriteProcessMemory 26 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\260e2d5769f0a50a7b49d4c43059221eb7acc4b9fc460763e0cfcd793f2a6840.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:364
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\260e2d5769f0a50a7b49d4c43059221eb7acc4b9fc460763e0cfcd793f2a6840.dll,#1
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:1312
      • C:\Windows\SysWOW64\explorer.exe
        C:\Windows\SysWOW64\explorer.exe
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3364
        • C:\Windows\SysWOW64\schtasks.exe
          "C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn xdjevbp /tr "regsvr32.exe -s \"C:\Users\Admin\AppData\Local\Temp\260e2d5769f0a50a7b49d4c43059221eb7acc4b9fc460763e0cfcd793f2a6840.dll\"" /SC ONCE /Z /ST 09:07 /ET 09:19
          4⤵
          • Creates scheduled task(s)
          PID:3948
  • \??\c:\windows\system32\regsvr32.exe
    regsvr32.exe -s "C:\Users\Admin\AppData\Local\Temp\260e2d5769f0a50a7b49d4c43059221eb7acc4b9fc460763e0cfcd793f2a6840.dll"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1084
    • C:\Windows\SysWOW64\regsvr32.exe
      -s "C:\Users\Admin\AppData\Local\Temp\260e2d5769f0a50a7b49d4c43059221eb7acc4b9fc460763e0cfcd793f2a6840.dll"
      2⤵
      • Loads dropped DLL
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:608
      • C:\Windows\SysWOW64\explorer.exe
        C:\Windows\SysWOW64\explorer.exe
        3⤵
        • Drops file in System32 directory
        • Modifies data under HKEY_USERS
        • Suspicious use of WriteProcessMemory
        PID:424
        • C:\Windows\system32\reg.exe
          C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\ProgramData\Microsoft\Torjb" /d "0"
          4⤵
            PID:1536
          • C:\Windows\system32\reg.exe
            C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\Users\Admin\AppData\Roaming\Microsoft\Gspumtmeynu" /d "0"
            4⤵
              PID:1680
      • \??\c:\windows\system32\regsvr32.exe
        regsvr32.exe -s "C:\Users\Admin\AppData\Local\Temp\260e2d5769f0a50a7b49d4c43059221eb7acc4b9fc460763e0cfcd793f2a6840.dll"
        1⤵
        • Suspicious use of WriteProcessMemory
        PID:2828
        • C:\Windows\SysWOW64\regsvr32.exe
          -s "C:\Users\Admin\AppData\Local\Temp\260e2d5769f0a50a7b49d4c43059221eb7acc4b9fc460763e0cfcd793f2a6840.dll"
          2⤵
            PID:2912

        Network

        MITRE ATT&CK Matrix ATT&CK v6

        Initial Access

        Execution

        Scheduled Task

        1
        T1053

        Persistence

        Scheduled Task

        1
        T1053

        Privilege Escalation

        Scheduled Task

        1
        T1053

        Defense Evasion

        Disabling Security Tools

        1
        T1089

        Modify Registry

        1
        T1112

        Credential Access

        Discovery

        Lateral Movement

        Collection

        Exfiltration

        Command and Control

        Impact

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\260e2d5769f0a50a7b49d4c43059221eb7acc4b9fc460763e0cfcd793f2a6840.dll
          MD5

          10c150a949585ba3603cce27707331f0

          SHA1

          9eeb1747902951835245545b7b3b1e6408c708c2

          SHA256

          260e2d5769f0a50a7b49d4c43059221eb7acc4b9fc460763e0cfcd793f2a6840

          SHA512

          668ea267488635b88ef6a929501f8f6b34a02ccb2fa01a311caf89f5c683f0dd6877d8714ddf8b6b24e7a447c40f2cf5c42698638a52ff7b27e6c47ce4f4578b

          Download Submit
        • C:\Users\Admin\AppData\Local\Temp\260e2d5769f0a50a7b49d4c43059221eb7acc4b9fc460763e0cfcd793f2a6840.dll
          MD5

          43dbca56d2bbefc7cb8ff907bfe564cc

          SHA1

          64d7f7e75ae4fcd2b9e2618db7039cfb3e458170

          SHA256

          efba34b2ae8a7a45ce8f45fb4d3b617c3719ec53077931422465485d9bf0c427

          SHA512

          e9bc4c1dbeff366c57303aa91526a21f16ae754542f7f12eed85aa047ec58da64e415ba49b6d066492ae9380bcd9e0ad115881adae3bde61b5a4eacc34ce697c

          Download Submit
        • \Users\Admin\AppData\Local\Temp\260e2d5769f0a50a7b49d4c43059221eb7acc4b9fc460763e0cfcd793f2a6840.dll
          MD5

          10c150a949585ba3603cce27707331f0

          SHA1

          9eeb1747902951835245545b7b3b1e6408c708c2

          SHA256

          260e2d5769f0a50a7b49d4c43059221eb7acc4b9fc460763e0cfcd793f2a6840

          SHA512

          668ea267488635b88ef6a929501f8f6b34a02ccb2fa01a311caf89f5c683f0dd6877d8714ddf8b6b24e7a447c40f2cf5c42698638a52ff7b27e6c47ce4f4578b

          Download Submit
        • memory/424-137-0x0000000000330000-0x0000000000331000-memory.dmp
          Filesize

          4KB

          Download
        • memory/424-134-0x0000000000000000-mapping.dmp
          Download
        • memory/424-138-0x0000000000330000-0x0000000000331000-memory.dmp
          Filesize

          4KB

          Download
        • memory/424-139-0x0000000000C00000-0x0000000000C21000-memory.dmp
          Filesize

          132KB

          Download
        • memory/608-130-0x0000000072190000-0x0000000072B9C000-memory.dmp
          Filesize

          10.0MB

          Download
        • memory/608-128-0x0000000000000000-mapping.dmp
          Download
        • memory/608-131-0x0000000072190000-0x00000000721B1000-memory.dmp
          Filesize

          132KB

          Download
        • memory/608-132-0x0000000072190000-0x0000000072B9C000-memory.dmp
          Filesize

          10.0MB

          Download
        • memory/608-133-0x0000000003100000-0x000000000324A000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/1312-122-0x0000000002F00000-0x0000000002F01000-memory.dmp
          Filesize

          4KB

          Download
        • memory/1312-121-0x0000000073700000-0x000000007410C000-memory.dmp
          Filesize

          10.0MB

          Download
        • memory/1312-120-0x0000000073700000-0x0000000073721000-memory.dmp
          Filesize

          132KB

          Download
        • memory/1312-118-0x0000000000000000-mapping.dmp
          Download
        • memory/1312-119-0x0000000073700000-0x000000007410C000-memory.dmp
          Filesize

          10.0MB

          Download
        • memory/1536-135-0x0000000000000000-mapping.dmp
          Download
        • memory/1680-136-0x0000000000000000-mapping.dmp
          Download
        • memory/2912-141-0x0000000000000000-mapping.dmp
          Download
        • memory/3364-126-0x0000000000720000-0x0000000000741000-memory.dmp
          Filesize

          132KB

          Download
        • memory/3364-125-0x0000000000D10000-0x0000000000D11000-memory.dmp
          Filesize

          4KB

          Download
        • memory/3364-123-0x0000000000000000-mapping.dmp
          Download
        • memory/3948-124-0x0000000000000000-mapping.dmp
          Download