qakbot | 8f08ce574fd51a476bc0f4f861eafba73786fb2c3c32bf8a0cd9ffe00d01fdd8

General

Target

8f08ce574fd51a476bc0f4f861eafba73786fb2c3c32bf8a0cd9ffe00d01fdd8.dll
Size

1.0MB
MD5

6cff5dbdfc5ecc92843d23ead14452ca
SHA1

513c0cfab63ac8b44f7e17bbdeac831674024b46
SHA256

8f08ce574fd51a476bc0f4f861eafba73786fb2c3c32bf8a0cd9ffe00d01fdd8
SHA512

0187ff64f59f8a85097112eb628dfa400233c4b440b7824adf005e198f04f099ce3630e38c9512df46bfc61dbf0a3abc5cf3897d867fdaf0a1d057ab65b6c256

Score

10^/10

qakbot obama189 1655107308 banker stealer trojan

Malware Config

Extracted

Family

qakbot

Version

403.688

Botnet

obama189

Campaign

1655107308

C2

91.177.173.10:995

117.248.109.38:21

182.191.92.203:995

39.52.38.164:995

217.165.84.253:993

84.241.8.23:32103

82.152.39.39:443

202.134.152.2:2222

122.118.131.132:995

120.150.218.241:995

222.169.71.98:2222

37.34.253.233:443

93.48.80.198:995

148.0.55.173:443

175.145.235.37:443

41.130.140.32:993

120.61.0.71:443

89.101.97.139:443

62.204.41.187:443

62.204.41.187:2222

Attributes

salt
jHxastDcds)oMc=jvh7wdUhxcsdt2

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot
Loads dropped DLL 1 IoCs

Processes:

regsvr32.exe

pid process

1508 regsvr32.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1704 schtasks.exe

pid	process
1508	regsvr32.exe

pid	process
1704	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exeexplorer.exeregsvr32.exe

pid	process
1596	rundll32.exe
1200	explorer.exe
1200	explorer.exe
1200	explorer.exe
1200	explorer.exe
1200	explorer.exe
1200	explorer.exe
1200	explorer.exe
1200	explorer.exe
1200	explorer.exe
1200	explorer.exe
1200	explorer.exe
1200	explorer.exe
1200	explorer.exe
1200	explorer.exe
1200	explorer.exe
1200	explorer.exe
1200	explorer.exe
1200	explorer.exe
1200	explorer.exe
1200	explorer.exe
1200	explorer.exe
1200	explorer.exe
1200	explorer.exe
1200	explorer.exe
1200	explorer.exe
1200	explorer.exe
1200	explorer.exe
1200	explorer.exe
1200	explorer.exe
1200	explorer.exe
1200	explorer.exe
1200	explorer.exe
1200	explorer.exe
1200	explorer.exe
1200	explorer.exe
1200	explorer.exe
1200	explorer.exe
1200	explorer.exe
1200	explorer.exe
1200	explorer.exe
1200	explorer.exe
1200	explorer.exe
1200	explorer.exe
1200	explorer.exe
1200	explorer.exe
1200	explorer.exe
1200	explorer.exe
1200	explorer.exe
1200	explorer.exe
1200	explorer.exe
1200	explorer.exe
1200	explorer.exe
1200	explorer.exe
1200	explorer.exe
1200	explorer.exe
1200	explorer.exe
1200	explorer.exe
1200	explorer.exe
1200	explorer.exe
1200	explorer.exe
1200	explorer.exe
1508	regsvr32.exe
1200	explorer.exe

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

rundll32.exe

pid process

1596 rundll32.exe

Suspicious use of WriteProcessMemory 29 IoCs

Processes:

rundll32.exerundll32.exeexplorer.exetaskeng.exeregsvr32.exe

description	pid	process	target process
PID 1528 wrote to memory of 1596	1528	rundll32.exe	rundll32.exe
PID 1528 wrote to memory of 1596	1528	rundll32.exe	rundll32.exe
PID 1528 wrote to memory of 1596	1528	rundll32.exe	rundll32.exe
PID 1528 wrote to memory of 1596	1528	rundll32.exe	rundll32.exe
PID 1528 wrote to memory of 1596	1528	rundll32.exe	rundll32.exe
PID 1528 wrote to memory of 1596	1528	rundll32.exe	rundll32.exe
PID 1528 wrote to memory of 1596	1528	rundll32.exe	rundll32.exe
PID 1596 wrote to memory of 1200	1596	rundll32.exe	explorer.exe
PID 1596 wrote to memory of 1200	1596	rundll32.exe	explorer.exe
PID 1596 wrote to memory of 1200	1596	rundll32.exe	explorer.exe
PID 1596 wrote to memory of 1200	1596	rundll32.exe	explorer.exe
PID 1596 wrote to memory of 1200	1596	rundll32.exe	explorer.exe
PID 1596 wrote to memory of 1200	1596	rundll32.exe	explorer.exe
PID 1200 wrote to memory of 1704	1200	explorer.exe	schtasks.exe
PID 1200 wrote to memory of 1704	1200	explorer.exe	schtasks.exe
PID 1200 wrote to memory of 1704	1200	explorer.exe	schtasks.exe
PID 1200 wrote to memory of 1704	1200	explorer.exe	schtasks.exe
PID 1052 wrote to memory of 1172	1052	taskeng.exe	regsvr32.exe
PID 1052 wrote to memory of 1172	1052	taskeng.exe	regsvr32.exe
PID 1052 wrote to memory of 1172	1052	taskeng.exe	regsvr32.exe
PID 1052 wrote to memory of 1172	1052	taskeng.exe	regsvr32.exe
PID 1052 wrote to memory of 1172	1052	taskeng.exe	regsvr32.exe
PID 1172 wrote to memory of 1508	1172	regsvr32.exe	regsvr32.exe
PID 1172 wrote to memory of 1508	1172	regsvr32.exe	regsvr32.exe
PID 1172 wrote to memory of 1508	1172	regsvr32.exe	regsvr32.exe
PID 1172 wrote to memory of 1508	1172	regsvr32.exe	regsvr32.exe
PID 1172 wrote to memory of 1508	1172	regsvr32.exe	regsvr32.exe
PID 1172 wrote to memory of 1508	1172	regsvr32.exe	regsvr32.exe
PID 1172 wrote to memory of 1508	1172	regsvr32.exe	regsvr32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\8f08ce574fd51a476bc0f4f861eafba73786fb2c3c32bf8a0cd9ffe00d01fdd8.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1528

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\8f08ce574fd51a476bc0f4f861eafba73786fb2c3c32bf8a0cd9ffe00d01fdd8.dll,#1
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1596

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1200

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn kacomdh /tr "regsvr32.exe -s \"C:\Users\Admin\AppData\Local\Temp\8f08ce574fd51a476bc0f4f861eafba73786fb2c3c32bf8a0cd9ffe00d01fdd8.dll\"" /SC ONCE /Z /ST 17:02 /ET 17:14
4⤵
- Creates scheduled task(s)
PID:1704

C:\Windows\system32\taskeng.exe
taskeng.exe {41CB11BC-0901-490C-9992-745570BC09FB} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:1052

C:\Windows\system32\regsvr32.exe
regsvr32.exe -s "C:\Users\Admin\AppData\Local\Temp\8f08ce574fd51a476bc0f4f861eafba73786fb2c3c32bf8a0cd9ffe00d01fdd8.dll"
2⤵
- Suspicious use of WriteProcessMemory
PID:1172

C:\Windows\SysWOW64\regsvr32.exe
-s "C:\Users\Admin\AppData\Local\Temp\8f08ce574fd51a476bc0f4f861eafba73786fb2c3c32bf8a0cd9ffe00d01fdd8.dll"
3⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:1508

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\8f08ce574fd51a476bc0f4f861eafba73786fb2c3c32bf8a0cd9ffe00d01fdd8.dll
Filesize
1.0MB

MD5
6cff5dbdfc5ecc92843d23ead14452ca

SHA1
513c0cfab63ac8b44f7e17bbdeac831674024b46

SHA256
8f08ce574fd51a476bc0f4f861eafba73786fb2c3c32bf8a0cd9ffe00d01fdd8

SHA512
0187ff64f59f8a85097112eb628dfa400233c4b440b7824adf005e198f04f099ce3630e38c9512df46bfc61dbf0a3abc5cf3897d867fdaf0a1d057ab65b6c256

Download Submit
\Users\Admin\AppData\Local\Temp\8f08ce574fd51a476bc0f4f861eafba73786fb2c3c32bf8a0cd9ffe00d01fdd8.dll
Filesize
1.0MB

MD5
6cff5dbdfc5ecc92843d23ead14452ca

SHA1
513c0cfab63ac8b44f7e17bbdeac831674024b46

SHA256
8f08ce574fd51a476bc0f4f861eafba73786fb2c3c32bf8a0cd9ffe00d01fdd8

SHA512
0187ff64f59f8a85097112eb628dfa400233c4b440b7824adf005e198f04f099ce3630e38c9512df46bfc61dbf0a3abc5cf3897d867fdaf0a1d057ab65b6c256

Download Submit
memory/1172-69-0x0000000000000000-mapping.dmp

Download
memory/1172-70-0x000007FEFC3E1000-0x000007FEFC3E3000-memory.dmp

Filesize
8KB

Download
memory/1200-62-0x0000000000000000-mapping.dmp

Download
memory/1200-68-0x0000000000310000-0x0000000000332000-memory.dmp

Filesize
136KB

Download
memory/1200-66-0x0000000000310000-0x0000000000332000-memory.dmp

Filesize
136KB

Download
memory/1200-64-0x0000000074EF1000-0x0000000074EF3000-memory.dmp

Filesize
8KB

Download
memory/1508-77-0x00000000003A0000-0x00000000003C2000-memory.dmp

Filesize
136KB

Download
memory/1508-75-0x0000000000AA0000-0x0000000000BAC000-memory.dmp

Filesize
1.0MB

Download
memory/1508-72-0x0000000000000000-mapping.dmp

Download
memory/1508-76-0x00000000003A0000-0x00000000003C2000-memory.dmp

Filesize
136KB

Download
memory/1508-78-0x00000000003A0000-0x00000000003C2000-memory.dmp

Filesize
136KB

Download
memory/1508-79-0x0000000000230000-0x0000000000262000-memory.dmp

Filesize
200KB

Download
memory/1508-80-0x00000000003A0000-0x00000000003C2000-memory.dmp

Filesize
136KB

Download
memory/1596-60-0x0000000000300000-0x0000000000332000-memory.dmp

Filesize
200KB

Download
memory/1596-65-0x0000000000350000-0x0000000000372000-memory.dmp

Filesize
136KB

Download
memory/1596-61-0x0000000000350000-0x0000000000372000-memory.dmp

Filesize
136KB

Download
memory/1596-54-0x0000000000000000-mapping.dmp

Download
memory/1596-59-0x0000000000350000-0x0000000000372000-memory.dmp

Filesize
136KB

Download
memory/1596-58-0x0000000000350000-0x0000000000372000-memory.dmp

Filesize
136KB

Download
memory/1596-57-0x0000000000350000-0x0000000000372000-memory.dmp

Filesize
136KB

Download
memory/1596-56-0x0000000000950000-0x0000000000A5C000-memory.dmp

Filesize
1.0MB

Download
memory/1596-55-0x0000000075C51000-0x0000000075C53000-memory.dmp

Filesize
8KB

Download
memory/1704-67-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads