qakbot | 7ef0a71655a467280b779d52831b9e0e0a5c693ed9881a737ca3fdb2d2ae3554

General

Target

7ef0a71655a467280b779d52831b9e0e0a5c693ed9881a737ca3fdb2d2ae3554.dll
Size

2.4MB
MD5

34de339cf6809e622d246731e6cad0b7
SHA1

474a4804f13b858d43596ab2548637be6956d62b
SHA256

7ef0a71655a467280b779d52831b9e0e0a5c693ed9881a737ca3fdb2d2ae3554
SHA512

13f0afef6864bf8e052b59fed740f200bc857034f9d523b10ecfde979d7e5ce2cc821a79dc73984fba64c92c043464da321a4f15559328967b2fc574a57320db

Score

10^/10

qakbot abc114 1608129413 banker stealer trojan

Malware Config

Extracted

Family

qakbot

Version

401.138

Botnet

abc114

Campaign

1608129413

C2

86.127.22.190:443

35.139.242.207:443

108.190.194.146:2222

187.213.199.54:443

68.83.89.188:443

41.233.152.232:993

196.151.252.84:443

181.208.249.141:443

172.87.134.226:443

96.27.47.70:2222

83.110.109.78:2222

93.86.1.159:995

217.162.149.212:443

80.11.210.247:443

72.252.201.69:443

185.163.221.77:2222

189.62.175.92:22

95.76.27.6:443

45.77.115.208:443

187.213.82.104:995

Attributes

salt
jHxastDcds)oMc=jvh7wdUhxcsdt2

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot
Loads dropped DLL 1 IoCs

Processes:

regsvr32.exe

pid process

1896 regsvr32.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1940 schtasks.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

rundll32.exe

pid process

1420 rundll32.exe
1420 rundll32.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

rundll32.exe

pid process

1420 rundll32.exe

pid	process
1896	regsvr32.exe

pid	process
1940	schtasks.exe

pid	process
1420	rundll32.exe
1420	rundll32.exe

pid	process
1420	rundll32.exe

Suspicious use of WriteProcessMemory 29 IoCs

Processes:

rundll32.exerundll32.exeexplorer.exetaskeng.exeregsvr32.exe

description	pid	process	target process
PID 1452 wrote to memory of 1420	1452	rundll32.exe	rundll32.exe
PID 1452 wrote to memory of 1420	1452	rundll32.exe	rundll32.exe
PID 1452 wrote to memory of 1420	1452	rundll32.exe	rundll32.exe
PID 1452 wrote to memory of 1420	1452	rundll32.exe	rundll32.exe
PID 1452 wrote to memory of 1420	1452	rundll32.exe	rundll32.exe
PID 1452 wrote to memory of 1420	1452	rundll32.exe	rundll32.exe
PID 1452 wrote to memory of 1420	1452	rundll32.exe	rundll32.exe
PID 1420 wrote to memory of 944	1420	rundll32.exe	explorer.exe
PID 1420 wrote to memory of 944	1420	rundll32.exe	explorer.exe
PID 1420 wrote to memory of 944	1420	rundll32.exe	explorer.exe
PID 1420 wrote to memory of 944	1420	rundll32.exe	explorer.exe
PID 1420 wrote to memory of 944	1420	rundll32.exe	explorer.exe
PID 1420 wrote to memory of 944	1420	rundll32.exe	explorer.exe
PID 944 wrote to memory of 1940	944	explorer.exe	schtasks.exe
PID 944 wrote to memory of 1940	944	explorer.exe	schtasks.exe
PID 944 wrote to memory of 1940	944	explorer.exe	schtasks.exe
PID 944 wrote to memory of 1940	944	explorer.exe	schtasks.exe
PID 1660 wrote to memory of 468	1660	taskeng.exe	regsvr32.exe
PID 1660 wrote to memory of 468	1660	taskeng.exe	regsvr32.exe
PID 1660 wrote to memory of 468	1660	taskeng.exe	regsvr32.exe
PID 1660 wrote to memory of 468	1660	taskeng.exe	regsvr32.exe
PID 1660 wrote to memory of 468	1660	taskeng.exe	regsvr32.exe
PID 468 wrote to memory of 1896	468	regsvr32.exe	regsvr32.exe
PID 468 wrote to memory of 1896	468	regsvr32.exe	regsvr32.exe
PID 468 wrote to memory of 1896	468	regsvr32.exe	regsvr32.exe
PID 468 wrote to memory of 1896	468	regsvr32.exe	regsvr32.exe
PID 468 wrote to memory of 1896	468	regsvr32.exe	regsvr32.exe
PID 468 wrote to memory of 1896	468	regsvr32.exe	regsvr32.exe
PID 468 wrote to memory of 1896	468	regsvr32.exe	regsvr32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\7ef0a71655a467280b779d52831b9e0e0a5c693ed9881a737ca3fdb2d2ae3554.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1452

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\7ef0a71655a467280b779d52831b9e0e0a5c693ed9881a737ca3fdb2d2ae3554.dll,#1
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1420

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:944

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn eaotnhqio /tr "regsvr32.exe -s \"C:\Users\Admin\AppData\Local\Temp\7ef0a71655a467280b779d52831b9e0e0a5c693ed9881a737ca3fdb2d2ae3554.dll\"" /SC ONCE /Z /ST 22:18 /ET 22:30
4⤵
- Creates scheduled task(s)
PID:1940

C:\Windows\system32\taskeng.exe
taskeng.exe {3824D4D6-76ED-4908-A563-4F55A4E6FF06} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:1660

C:\Windows\system32\regsvr32.exe
regsvr32.exe -s "C:\Users\Admin\AppData\Local\Temp\7ef0a71655a467280b779d52831b9e0e0a5c693ed9881a737ca3fdb2d2ae3554.dll"
2⤵
- Suspicious use of WriteProcessMemory
PID:468

C:\Windows\SysWOW64\regsvr32.exe
-s "C:\Users\Admin\AppData\Local\Temp\7ef0a71655a467280b779d52831b9e0e0a5c693ed9881a737ca3fdb2d2ae3554.dll"
3⤵
- Loads dropped DLL
PID:1896

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7ef0a71655a467280b779d52831b9e0e0a5c693ed9881a737ca3fdb2d2ae3554.dll
MD5
f2ab7f178e8f0d31656ecfcd3f0f28b2

SHA1
796abc27f6406fff3e361d7f2942816aa56fa6bc

SHA256
ffa4941fe7e97cb9c55190f305ba8984ec86f083cf7fa0d77d2ae4bb60949e0b

SHA512
00ed05f3c8d03c008df94e76873be426b24524383bca3147c0960b999cf5745721ca12992784a0a80fd13f7a26410463cab2f73c2b79bed8a83b6cb942c2f15c

Download Submit
\Users\Admin\AppData\Local\Temp\7ef0a71655a467280b779d52831b9e0e0a5c693ed9881a737ca3fdb2d2ae3554.dll
MD5
f2ab7f178e8f0d31656ecfcd3f0f28b2

SHA1
796abc27f6406fff3e361d7f2942816aa56fa6bc

SHA256
ffa4941fe7e97cb9c55190f305ba8984ec86f083cf7fa0d77d2ae4bb60949e0b

SHA512
00ed05f3c8d03c008df94e76873be426b24524383bca3147c0960b999cf5745721ca12992784a0a80fd13f7a26410463cab2f73c2b79bed8a83b6cb942c2f15c

Download Submit
memory/468-65-0x000007FEFC121000-0x000007FEFC123000-memory.dmp

Filesize
8KB

Download
memory/944-59-0x0000000000140000-0x0000000000142000-memory.dmp

Filesize
8KB

Download
memory/944-62-0x0000000074EA1000-0x0000000074EA3000-memory.dmp

Filesize
8KB

Download
memory/944-63-0x00000000008C0000-0x0000000000B41000-memory.dmp

Filesize
2.5MB

Download
memory/944-64-0x0000000000100000-0x0000000000135000-memory.dmp

Filesize
212KB

Download
memory/1420-54-0x0000000075A31000-0x0000000075A33000-memory.dmp

Filesize
8KB

Download
memory/1420-55-0x0000000002010000-0x00000000021FA000-memory.dmp

Filesize
1.9MB

Download
memory/1420-56-0x0000000010000000-0x0000000010035000-memory.dmp

Filesize
212KB

Download
memory/1420-57-0x0000000010000000-0x0000000010035000-memory.dmp

Filesize
212KB

Download
memory/1420-58-0x0000000010000000-0x0000000010270000-memory.dmp

Filesize
2.4MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads