qakbot | 62d47e3ab5b21a156a4dd3a541d1b2d25fb78f4409f686750fcc7fb56d16a152

General

Target

62d47e3ab5b21a156a4dd3a541d1b2d25fb78f4409f686750fcc7fb56d16a152.dll
Size

337KB
MD5

0224cade7ce38c717489fb3d36ff9388
SHA1

c531204c91dab26b69eb1b69dc8ee3aabfbdaf2b
SHA256

62d47e3ab5b21a156a4dd3a541d1b2d25fb78f4409f686750fcc7fb56d16a152
SHA512

64375e66675b58f90b53565b97effe9bd4f9a4581bc77ed700e70454a97f1983655f4836708332a7c4e265ba2055a5e659709b10a7d927447a8d56600157863b

Score

10^/10

qakbot abc106m 1606921461 banker stealer trojan

Malware Config

Extracted

Family

qakbot

Version

401.51

Botnet

abc106m

Campaign

1606921461

C2

94.69.242.254:2222

189.140.45.48:995

37.182.244.124:2222

73.136.242.114:443

187.149.126.53:443

189.210.115.207:443

96.27.47.70:2222

185.163.221.77:2222

85.132.36.111:2222

178.87.10.110:443

120.150.218.241:995

68.224.121.148:993

78.101.145.96:61201

47.146.34.236:443

24.95.61.62:443

72.29.181.78:2222

93.113.177.152:443

87.218.53.206:2222

106.51.85.162:443

2.90.33.130:443

Attributes

salt
jHxastDcds)oMc=jvh7wdUhxcsdt2

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot
Loads dropped DLL 1 IoCs

Processes:

regsvr32.exe

pid process

3456 regsvr32.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3948 3456 WerFault.exe regsvr32.exe

pid	process
3456	regsvr32.exe

pid	pid_target	process	target process
3948	3456	WerFault.exe	regsvr32.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\DeviceDesc	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Service	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\DeviceDesc	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Service	rundll32.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

3524 schtasks.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

rundll32.exe

pid process

3784 rundll32.exe
3784 rundll32.exe
3784 rundll32.exe
3784 rundll32.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

rundll32.exe

pid process

3784 rundll32.exe

pid	process
3524	schtasks.exe

pid	process
3784	rundll32.exe
3784	rundll32.exe
3784	rundll32.exe
3784	rundll32.exe

pid	process
3784	rundll32.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

rundll32.exerundll32.exeexplorer.exeregsvr32.exe

description	pid	process	target process
PID 3204 wrote to memory of 3784	3204	rundll32.exe	rundll32.exe
PID 3204 wrote to memory of 3784	3204	rundll32.exe	rundll32.exe
PID 3204 wrote to memory of 3784	3204	rundll32.exe	rundll32.exe
PID 3784 wrote to memory of 3296	3784	rundll32.exe	explorer.exe
PID 3784 wrote to memory of 3296	3784	rundll32.exe	explorer.exe
PID 3784 wrote to memory of 3296	3784	rundll32.exe	explorer.exe
PID 3784 wrote to memory of 3296	3784	rundll32.exe	explorer.exe
PID 3784 wrote to memory of 3296	3784	rundll32.exe	explorer.exe
PID 3296 wrote to memory of 3524	3296	explorer.exe	schtasks.exe
PID 3296 wrote to memory of 3524	3296	explorer.exe	schtasks.exe
PID 3296 wrote to memory of 3524	3296	explorer.exe	schtasks.exe
PID 3116 wrote to memory of 3456	3116	regsvr32.exe	regsvr32.exe
PID 3116 wrote to memory of 3456	3116	regsvr32.exe	regsvr32.exe
PID 3116 wrote to memory of 3456	3116	regsvr32.exe	regsvr32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\62d47e3ab5b21a156a4dd3a541d1b2d25fb78f4409f686750fcc7fb56d16a152.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:3204

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\62d47e3ab5b21a156a4dd3a541d1b2d25fb78f4409f686750fcc7fb56d16a152.dll,#1
2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3784

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:3296

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn drtxnfry /tr "regsvr32.exe -s \"C:\Users\Admin\AppData\Local\Temp\62d47e3ab5b21a156a4dd3a541d1b2d25fb78f4409f686750fcc7fb56d16a152.dll\"" /SC ONCE /Z /ST 16:42 /ET 16:54
4⤵
- Creates scheduled task(s)
PID:3524

C:\Windows\system32\regsvr32.exe
regsvr32.exe -s "C:\Users\Admin\AppData\Local\Temp\62d47e3ab5b21a156a4dd3a541d1b2d25fb78f4409f686750fcc7fb56d16a152.dll"
1⤵
- Suspicious use of WriteProcessMemory
PID:3116

C:\Windows\SysWOW64\regsvr32.exe
-s "C:\Users\Admin\AppData\Local\Temp\62d47e3ab5b21a156a4dd3a541d1b2d25fb78f4409f686750fcc7fb56d16a152.dll"
2⤵
- Loads dropped DLL
PID:3456

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3456 -s 584
3⤵
- Program crash
PID:3948

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 3456 -ip 3456
1⤵
PID:792

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\62d47e3ab5b21a156a4dd3a541d1b2d25fb78f4409f686750fcc7fb56d16a152.dll
MD5
4e202f90dee218c94027b88c2ec7c037

SHA1
a0116397e29d28b5cd52e026698da3b2b6bb881f

SHA256
89f9d5e5c806f33e5f1c5c6a1fc8401fb8fd5514f40589c49bd8ee40ad746d98

SHA512
8e140a9b1e8b56a660334d5b622a7e22260c31fee6708457feef1d8e71e39d445926839eaa5941870a2f23ce3add7448e7f733bfa474cd4fe9b219f4e684d19b

Download Submit
C:\Users\Admin\AppData\Local\Temp\62d47e3ab5b21a156a4dd3a541d1b2d25fb78f4409f686750fcc7fb56d16a152.dll
MD5
4e202f90dee218c94027b88c2ec7c037

SHA1
a0116397e29d28b5cd52e026698da3b2b6bb881f

SHA256
89f9d5e5c806f33e5f1c5c6a1fc8401fb8fd5514f40589c49bd8ee40ad746d98

SHA512
8e140a9b1e8b56a660334d5b622a7e22260c31fee6708457feef1d8e71e39d445926839eaa5941870a2f23ce3add7448e7f733bfa474cd4fe9b219f4e684d19b

Download Submit
memory/3296-134-0x00000000009D0000-0x0000000000E03000-memory.dmp

Filesize
4.2MB

Download
memory/3296-135-0x0000000000860000-0x0000000000881000-memory.dmp

Filesize
132KB

Download
memory/3784-130-0x0000000004330000-0x0000000004370000-memory.dmp

Filesize
256KB

Download
memory/3784-131-0x0000000010000000-0x0000000010056000-memory.dmp

Filesize
344KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads