qakbot | 51568a69c9d36ac7b322b73429e61fb11e89349088a0fc0c0245f810c8815a67

General

Target

019338921.dll
Size

1.4MB
MD5

d715d0ba5bf6142888b13c40b431a8c8
SHA1

5b44fc16e2e8c3a09ac7b8308358dfb676e2a059
SHA256

51568a69c9d36ac7b322b73429e61fb11e89349088a0fc0c0245f810c8815a67
SHA512

5beceb359e954db9b7e9dcdb80e9e8c782f749f9cbf697a28c9fe60b30f517de2f985d87d28b49e2bc08828bc770743d41f00fa784b08b098be35b7e5ccf3a37

Score

10^/10

qakbot obama186 1654596660 banker stealer trojan

Malware Config

Extracted

Family

qakbot

Version

403.694

Botnet

obama186

Campaign

1654596660

C2

67.165.206.193:993

63.143.92.99:995

74.14.5.179:2222

182.191.92.203:995

197.89.8.51:443

89.101.97.139:443

86.97.9.190:443

124.40.244.115:2222

80.11.74.81:2222

41.215.153.104:995

179.100.20.32:32101

31.35.28.29:443

202.134.152.2:2222

109.12.111.14:443

93.48.80.198:995

120.150.218.241:995

41.38.167.179:995

177.94.57.126:32101

173.174.216.62:443

1.161.101.20:443

Attributes

salt
jHxastDcds)oMc=jvh7wdUhxcsdt2

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot
Loads dropped DLL 1 IoCs

Processes:

regsvr32.exe

pid process

1440 regsvr32.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

836 schtasks.exe

pid	process
1440	regsvr32.exe

pid	process
836	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exeexplorer.exeregsvr32.exe

pid	process
1656	rundll32.exe
1356	explorer.exe
1356	explorer.exe
1356	explorer.exe
1356	explorer.exe
1356	explorer.exe
1356	explorer.exe
1356	explorer.exe
1356	explorer.exe
1356	explorer.exe
1356	explorer.exe
1356	explorer.exe
1356	explorer.exe
1356	explorer.exe
1356	explorer.exe
1356	explorer.exe
1356	explorer.exe
1356	explorer.exe
1356	explorer.exe
1356	explorer.exe
1356	explorer.exe
1356	explorer.exe
1356	explorer.exe
1356	explorer.exe
1356	explorer.exe
1356	explorer.exe
1356	explorer.exe
1356	explorer.exe
1356	explorer.exe
1356	explorer.exe
1356	explorer.exe
1356	explorer.exe
1356	explorer.exe
1356	explorer.exe
1356	explorer.exe
1356	explorer.exe
1356	explorer.exe
1356	explorer.exe
1356	explorer.exe
1356	explorer.exe
1356	explorer.exe
1356	explorer.exe
1356	explorer.exe
1356	explorer.exe
1356	explorer.exe
1356	explorer.exe
1356	explorer.exe
1356	explorer.exe
1356	explorer.exe
1356	explorer.exe
1356	explorer.exe
1356	explorer.exe
1356	explorer.exe
1356	explorer.exe
1356	explorer.exe
1356	explorer.exe
1356	explorer.exe
1356	explorer.exe
1356	explorer.exe
1356	explorer.exe
1356	explorer.exe
1356	explorer.exe
1356	explorer.exe
1440	regsvr32.exe

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

rundll32.exe

pid process

1656 rundll32.exe

Suspicious use of WriteProcessMemory 29 IoCs

Processes:

rundll32.exerundll32.exeexplorer.exetaskeng.exeregsvr32.exe

description	pid	process	target process
PID 2016 wrote to memory of 1656	2016	rundll32.exe	rundll32.exe
PID 2016 wrote to memory of 1656	2016	rundll32.exe	rundll32.exe
PID 2016 wrote to memory of 1656	2016	rundll32.exe	rundll32.exe
PID 2016 wrote to memory of 1656	2016	rundll32.exe	rundll32.exe
PID 2016 wrote to memory of 1656	2016	rundll32.exe	rundll32.exe
PID 2016 wrote to memory of 1656	2016	rundll32.exe	rundll32.exe
PID 2016 wrote to memory of 1656	2016	rundll32.exe	rundll32.exe
PID 1656 wrote to memory of 1356	1656	rundll32.exe	explorer.exe
PID 1656 wrote to memory of 1356	1656	rundll32.exe	explorer.exe
PID 1656 wrote to memory of 1356	1656	rundll32.exe	explorer.exe
PID 1656 wrote to memory of 1356	1656	rundll32.exe	explorer.exe
PID 1656 wrote to memory of 1356	1656	rundll32.exe	explorer.exe
PID 1656 wrote to memory of 1356	1656	rundll32.exe	explorer.exe
PID 1356 wrote to memory of 836	1356	explorer.exe	schtasks.exe
PID 1356 wrote to memory of 836	1356	explorer.exe	schtasks.exe
PID 1356 wrote to memory of 836	1356	explorer.exe	schtasks.exe
PID 1356 wrote to memory of 836	1356	explorer.exe	schtasks.exe
PID 1584 wrote to memory of 1316	1584	taskeng.exe	regsvr32.exe
PID 1584 wrote to memory of 1316	1584	taskeng.exe	regsvr32.exe
PID 1584 wrote to memory of 1316	1584	taskeng.exe	regsvr32.exe
PID 1584 wrote to memory of 1316	1584	taskeng.exe	regsvr32.exe
PID 1584 wrote to memory of 1316	1584	taskeng.exe	regsvr32.exe
PID 1316 wrote to memory of 1440	1316	regsvr32.exe	regsvr32.exe
PID 1316 wrote to memory of 1440	1316	regsvr32.exe	regsvr32.exe
PID 1316 wrote to memory of 1440	1316	regsvr32.exe	regsvr32.exe
PID 1316 wrote to memory of 1440	1316	regsvr32.exe	regsvr32.exe
PID 1316 wrote to memory of 1440	1316	regsvr32.exe	regsvr32.exe
PID 1316 wrote to memory of 1440	1316	regsvr32.exe	regsvr32.exe
PID 1316 wrote to memory of 1440	1316	regsvr32.exe	regsvr32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\019338921.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2016

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\019338921.dll,#1
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1656

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1356

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn vdzimgcym /tr "regsvr32.exe -s \"C:\Users\Admin\AppData\Local\Temp\019338921.dll\"" /SC ONCE /Z /ST 11:25 /ET 11:37
4⤵
- Creates scheduled task(s)
PID:836

C:\Windows\system32\taskeng.exe
taskeng.exe {9B371548-F8F2-450A-A9F5-8B9707C32BCD} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:1584

C:\Windows\system32\regsvr32.exe
regsvr32.exe -s "C:\Users\Admin\AppData\Local\Temp\019338921.dll"
2⤵
- Suspicious use of WriteProcessMemory
PID:1316

C:\Windows\SysWOW64\regsvr32.exe
-s "C:\Users\Admin\AppData\Local\Temp\019338921.dll"
3⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:1440

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\019338921.dll
Filesize
1.4MB

MD5
d715d0ba5bf6142888b13c40b431a8c8

SHA1
5b44fc16e2e8c3a09ac7b8308358dfb676e2a059

SHA256
51568a69c9d36ac7b322b73429e61fb11e89349088a0fc0c0245f810c8815a67

SHA512
5beceb359e954db9b7e9dcdb80e9e8c782f749f9cbf697a28c9fe60b30f517de2f985d87d28b49e2bc08828bc770743d41f00fa784b08b098be35b7e5ccf3a37

Download Submit
\Users\Admin\AppData\Local\Temp\019338921.dll
Filesize
1.4MB

MD5
d715d0ba5bf6142888b13c40b431a8c8

SHA1
5b44fc16e2e8c3a09ac7b8308358dfb676e2a059

SHA256
51568a69c9d36ac7b322b73429e61fb11e89349088a0fc0c0245f810c8815a67

SHA512
5beceb359e954db9b7e9dcdb80e9e8c782f749f9cbf697a28c9fe60b30f517de2f985d87d28b49e2bc08828bc770743d41f00fa784b08b098be35b7e5ccf3a37

Download Submit
memory/836-67-0x0000000000000000-mapping.dmp

Download
memory/1316-70-0x000007FEFBCA1000-0x000007FEFBCA3000-memory.dmp

Filesize
8KB

Download
memory/1316-69-0x0000000000000000-mapping.dmp

Download
memory/1356-64-0x00000000747D1000-0x00000000747D3000-memory.dmp

Filesize
8KB

Download
memory/1356-68-0x00000000000E0000-0x0000000000102000-memory.dmp

Filesize
136KB

Download
memory/1356-66-0x00000000000E0000-0x0000000000102000-memory.dmp

Filesize
136KB

Download
memory/1356-62-0x0000000000000000-mapping.dmp

Download
memory/1440-80-0x0000000000330000-0x0000000000352000-memory.dmp

Filesize
136KB

Download
memory/1440-72-0x0000000000000000-mapping.dmp

Download
memory/1440-79-0x00000000001E0000-0x000000000020D000-memory.dmp

Filesize
180KB

Download
memory/1440-77-0x0000000000330000-0x0000000000352000-memory.dmp

Filesize
136KB

Download
memory/1440-78-0x0000000000330000-0x0000000000352000-memory.dmp

Filesize
136KB

Download
memory/1440-76-0x0000000000330000-0x0000000000352000-memory.dmp

Filesize
136KB

Download
memory/1440-75-0x0000000000BF0000-0x0000000000D55000-memory.dmp

Filesize
1.4MB

Download
memory/1656-57-0x00000000003F0000-0x0000000000412000-memory.dmp

Filesize
136KB

Download
memory/1656-56-0x0000000000A80000-0x0000000000BE5000-memory.dmp

Filesize
1.4MB

Download
memory/1656-55-0x0000000075191000-0x0000000075193000-memory.dmp

Filesize
8KB

Download
memory/1656-59-0x00000000003F0000-0x0000000000412000-memory.dmp

Filesize
136KB

Download
memory/1656-60-0x0000000000230000-0x000000000025D000-memory.dmp

Filesize
180KB

Download
memory/1656-65-0x00000000003F0000-0x0000000000412000-memory.dmp

Filesize
136KB

Download
memory/1656-58-0x00000000003F0000-0x0000000000412000-memory.dmp

Filesize
136KB

Download
memory/1656-61-0x00000000003F0000-0x0000000000412000-memory.dmp

Filesize
136KB

Download
memory/1656-54-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads