qakbot | 236f9f37dc2604ed8d3faee0b07fc6bb8f4dde68ed89a137023f641ad6076ca4

General

Target

236f9f37dc2604ed8d3faee0b07fc6bb8f4dde68ed89a137023f641ad6076ca4.dll
Size

196KB
MD5

1d4952cbe998312fd2bf810535db8a20
SHA1

9667cbfa70ed5f116212be862d8301935c278ceb
SHA256

236f9f37dc2604ed8d3faee0b07fc6bb8f4dde68ed89a137023f641ad6076ca4
SHA512

582ab995fe6b6d1f6bc9ddb95a80c01c776f7d21e7d8e381795172b76ce6500dc2e8847a87cdcc3d35d916d19bdb122e237c75e9425643458d6881a0d24deff2

Score

10^/10

qakbot notset 1635958698 banker stealer trojan

Malware Config

Extracted

Family

qakbot

Version

403.1

Botnet

notset

Campaign

1635958698

C2

89.137.52.44:443

94.60.254.81:443

189.146.41.71:443

93.147.212.206:443

71.13.93.154:2222

136.143.11.232:443

100.1.119.41:443

189.223.33.109:443

45.46.53.140:2222

86.97.8.204:443

71.13.93.154:6881

111.250.29.138:443

181.118.183.27:443

71.13.93.154:2083

24.139.72.117:443

24.229.150.54:995

24.55.112.61:443

76.25.142.196:443

72.27.126.188:995

207.246.112.221:995

Attributes

salt
jHxastDcds)oMc=jvh7wdUhxcsdt2

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

556 schtasks.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

regsvr32.exe

pid process

3380 regsvr32.exe
3380 regsvr32.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

regsvr32.exe

pid process

3380 regsvr32.exe

pid	process
556	schtasks.exe

pid	process
3380	regsvr32.exe
3380	regsvr32.exe

pid	process
3380	regsvr32.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

regsvr32.exeregsvr32.exeexplorer.exe

description	pid	process	target process
PID 2668 wrote to memory of 3380	2668	regsvr32.exe	regsvr32.exe
PID 2668 wrote to memory of 3380	2668	regsvr32.exe	regsvr32.exe
PID 2668 wrote to memory of 3380	2668	regsvr32.exe	regsvr32.exe
PID 3380 wrote to memory of 3988	3380	regsvr32.exe	explorer.exe
PID 3380 wrote to memory of 3988	3380	regsvr32.exe	explorer.exe
PID 3380 wrote to memory of 3988	3380	regsvr32.exe	explorer.exe
PID 3380 wrote to memory of 3988	3380	regsvr32.exe	explorer.exe
PID 3380 wrote to memory of 3988	3380	regsvr32.exe	explorer.exe
PID 3988 wrote to memory of 556	3988	explorer.exe	schtasks.exe
PID 3988 wrote to memory of 556	3988	explorer.exe	schtasks.exe
PID 3988 wrote to memory of 556	3988	explorer.exe	schtasks.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\236f9f37dc2604ed8d3faee0b07fc6bb8f4dde68ed89a137023f641ad6076ca4.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:2668

C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\236f9f37dc2604ed8d3faee0b07fc6bb8f4dde68ed89a137023f641ad6076ca4.dll
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3380

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:3988

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn xcbjfcfe /tr "regsvr32.exe -s \"C:\Users\Admin\AppData\Local\Temp\236f9f37dc2604ed8d3faee0b07fc6bb8f4dde68ed89a137023f641ad6076ca4.dll\"" /SC ONCE /Z /ST 23:54 /ET 24:06
4⤵
- Creates scheduled task(s)
PID:556

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/556-117-0x0000000000000000-mapping.dmp

Download
memory/3380-115-0x0000000000000000-mapping.dmp

Download
memory/3988-116-0x0000000000000000-mapping.dmp

Download
memory/3988-118-0x00000000037B0000-0x00000000037B1000-memory.dmp

Filesize
4KB

Download
memory/3988-119-0x00000000037B0000-0x00000000037B1000-memory.dmp

Filesize
4KB

Download
memory/3988-120-0x00000000031A0000-0x00000000031D4000-memory.dmp

Filesize
208KB

Download
memory/3988-121-0x00000000037B0000-0x00000000037B1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads