qakbot | 863c95381f044af0f3c8a012cb8de00f0ef51e078602a880e1945e76fc869c4a

Analysis

max time kernel
4294198s
max time network
127s
platform
windows7_x64
resource
win7-20220311-en
submitted
14-03-2022 11:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

587547a79fd6f8c7fb625a43b3d7f6dd24505ab86d404dd5b54d62038d9479fd.dll
Size

116KB
MD5

6b29917e13d410c32654375ce7879eef
SHA1

e1ad14d5e61301d3b0642655d7ca7cdfa5cff6d3
SHA256

587547a79fd6f8c7fb625a43b3d7f6dd24505ab86d404dd5b54d62038d9479fd
SHA512

67f8e140a9e990960a8570d898e0b9251fcb4e237616d2cd311d1848c8cc1a30c22bb93cda5765e2b36b98651ea3bb0369232935eaf168510aa48e88fa7d5135

Score

10^/10

qakbot abc108m 1607356318 banker stealer trojan

Malware Config

Extracted

Family

qakbot

Version

401.62

Botnet

abc108m

Campaign

1607356318

92.59.35.196:2083

2.89.122.180:995

78.181.19.134:443

5.193.175.76:2078

24.139.72.117:443

62.38.114.12:2222

2.51.240.250:995

174.62.13.151:443

189.210.115.207:443

71.197.126.250:443

187.7.236.197:995

187.149.126.53:443

96.247.180.108:443

174.55.197.4:443

187.190.250.175:443

24.206.4.203:2222

72.36.11.22:443

197.135.240.243:443

216.137.142.200:2222

160.3.184.253:443

Attributes

salt
jHxastDcds)oMc=jvh7wdUhxcsdt2

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot
Loads dropped DLL 1 IoCs

Processes:

regsvr32.exe

pid process

952 regsvr32.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1392 schtasks.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

regsvr32.exe

pid process

1548 regsvr32.exe
1548 regsvr32.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

regsvr32.exe

pid process

1548 regsvr32.exe

pid	process
952	regsvr32.exe

pid	process
1392	schtasks.exe

pid	process
1548	regsvr32.exe
1548	regsvr32.exe

pid	process
1548	regsvr32.exe

Suspicious use of WriteProcessMemory 29 IoCs

Processes:

regsvr32.exeregsvr32.exeexplorer.exetaskeng.exeregsvr32.exe

description	pid	process	target process
PID 808 wrote to memory of 1548	808	regsvr32.exe	regsvr32.exe
PID 808 wrote to memory of 1548	808	regsvr32.exe	regsvr32.exe
PID 808 wrote to memory of 1548	808	regsvr32.exe	regsvr32.exe
PID 808 wrote to memory of 1548	808	regsvr32.exe	regsvr32.exe
PID 808 wrote to memory of 1548	808	regsvr32.exe	regsvr32.exe
PID 808 wrote to memory of 1548	808	regsvr32.exe	regsvr32.exe
PID 808 wrote to memory of 1548	808	regsvr32.exe	regsvr32.exe
PID 1548 wrote to memory of 1096	1548	regsvr32.exe	explorer.exe
PID 1548 wrote to memory of 1096	1548	regsvr32.exe	explorer.exe
PID 1548 wrote to memory of 1096	1548	regsvr32.exe	explorer.exe
PID 1548 wrote to memory of 1096	1548	regsvr32.exe	explorer.exe
PID 1548 wrote to memory of 1096	1548	regsvr32.exe	explorer.exe
PID 1548 wrote to memory of 1096	1548	regsvr32.exe	explorer.exe
PID 1096 wrote to memory of 1392	1096	explorer.exe	schtasks.exe
PID 1096 wrote to memory of 1392	1096	explorer.exe	schtasks.exe
PID 1096 wrote to memory of 1392	1096	explorer.exe	schtasks.exe
PID 1096 wrote to memory of 1392	1096	explorer.exe	schtasks.exe
PID 1420 wrote to memory of 1804	1420	taskeng.exe	regsvr32.exe
PID 1420 wrote to memory of 1804	1420	taskeng.exe	regsvr32.exe
PID 1420 wrote to memory of 1804	1420	taskeng.exe	regsvr32.exe
PID 1420 wrote to memory of 1804	1420	taskeng.exe	regsvr32.exe
PID 1420 wrote to memory of 1804	1420	taskeng.exe	regsvr32.exe
PID 1804 wrote to memory of 952	1804	regsvr32.exe	regsvr32.exe
PID 1804 wrote to memory of 952	1804	regsvr32.exe	regsvr32.exe
PID 1804 wrote to memory of 952	1804	regsvr32.exe	regsvr32.exe
PID 1804 wrote to memory of 952	1804	regsvr32.exe	regsvr32.exe
PID 1804 wrote to memory of 952	1804	regsvr32.exe	regsvr32.exe
PID 1804 wrote to memory of 952	1804	regsvr32.exe	regsvr32.exe
PID 1804 wrote to memory of 952	1804	regsvr32.exe	regsvr32.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\587547a79fd6f8c7fb625a43b3d7f6dd24505ab86d404dd5b54d62038d9479fd.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:808

C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\587547a79fd6f8c7fb625a43b3d7f6dd24505ab86d404dd5b54d62038d9479fd.dll
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1548

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:1096

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn lwuifbd /tr "regsvr32.exe -s \"C:\Users\Admin\AppData\Local\Temp\587547a79fd6f8c7fb625a43b3d7f6dd24505ab86d404dd5b54d62038d9479fd.dll\"" /SC ONCE /Z /ST 11:24 /ET 11:36
4⤵
- Creates scheduled task(s)
PID:1392

C:\Windows\system32\taskeng.exe
taskeng.exe {254DE267-1BB0-41D1-A066-B625D6BF4F78} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:1420

C:\Windows\system32\regsvr32.exe
regsvr32.exe -s "C:\Users\Admin\AppData\Local\Temp\587547a79fd6f8c7fb625a43b3d7f6dd24505ab86d404dd5b54d62038d9479fd.dll"
2⤵
- Suspicious use of WriteProcessMemory
PID:1804

C:\Windows\SysWOW64\regsvr32.exe
-s "C:\Users\Admin\AppData\Local\Temp\587547a79fd6f8c7fb625a43b3d7f6dd24505ab86d404dd5b54d62038d9479fd.dll"
3⤵
- Loads dropped DLL
PID:952

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\587547a79fd6f8c7fb625a43b3d7f6dd24505ab86d404dd5b54d62038d9479fd.dll
MD5
6e346cbd327547faf7fb935e5864bc2d

SHA1
58759fdc4e58638e8370697ede6bff1536749102

SHA256
576378caec6eb5b01206a768dcb34ef01b08f02e6f00445e4e9b1e8be20e5f51

SHA512
6c4df823376b5ef9b054b155b4134a13bcf64ddc7508d13d18819eb67c188151f6aa54eb90a4aee7c99abb76e91af0b9e28046cb9929d8e7ce5179fe3c99945b

Download Submit
\Users\Admin\AppData\Local\Temp\587547a79fd6f8c7fb625a43b3d7f6dd24505ab86d404dd5b54d62038d9479fd.dll
MD5
6e346cbd327547faf7fb935e5864bc2d

SHA1
58759fdc4e58638e8370697ede6bff1536749102

SHA256
576378caec6eb5b01206a768dcb34ef01b08f02e6f00445e4e9b1e8be20e5f51

SHA512
6c4df823376b5ef9b054b155b4134a13bcf64ddc7508d13d18819eb67c188151f6aa54eb90a4aee7c99abb76e91af0b9e28046cb9929d8e7ce5179fe3c99945b

Download Submit
memory/808-54-0x000007FEFBCC1000-0x000007FEFBCC3000-memory.dmp

Filesize
8KB

Download
memory/1096-56-0x0000000000130000-0x0000000000132000-memory.dmp

Filesize
8KB

Download
memory/1096-59-0x00000000746D1000-0x00000000746D3000-memory.dmp

Filesize
8KB

Download
memory/1096-60-0x00000000007E0000-0x0000000000A61000-memory.dmp

Filesize
2.5MB

Download
memory/1096-61-0x00000000000C0000-0x00000000000E1000-memory.dmp

Filesize
132KB

Download
memory/1548-55-0x00000000755A1000-0x00000000755A3000-memory.dmp

Filesize
8KB

Download