qakbot | 0a4ac14725b88aff8573e7fe775b708cab956fd6c2c6a9c6bf41c76c58c85d5b

General

Target

0a4ac14725b88aff8573e7fe775b708cab956fd6c2c6a9c6bf41c76c58c85d5b.dll
Size

1.3MB
MD5

5db3fd7c47a60dd0dc5c9b9733ef3a28
SHA1

9c6bedc01368ebad082fcab4c5bf32cd6ccd17e7
SHA256

0a4ac14725b88aff8573e7fe775b708cab956fd6c2c6a9c6bf41c76c58c85d5b
SHA512

b1845e18e16954032e34392bbeaef839bd991d7d4106e2467b20cdf01927ca3ed4191762b3d58739c5d901df06d2fe6a6c83abef5a0b63668fcd835bb1a69e99

Score

10^/10

qakbot aa 1653399733 banker stealer trojan

Malware Config

Extracted

Family

qakbot

Version

403.690

Botnet

AA

Campaign

1653399733

C2

1.161.104.31:443

47.156.131.10:443

201.172.23.68:2222

187.251.132.144:22

31.215.69.176:443

191.250.188.54:443

93.48.80.198:995

80.11.74.81:2222

38.70.253.226:2222

100.1.108.246:443

5.32.41.45:443

188.161.200.40:995

201.242.206.44:2222

208.107.221.224:443

47.23.89.60:993

75.99.168.194:443

103.246.242.202:443

200.148.9.225:32101

37.210.169.150:2222

79.129.121.68:995

Attributes

salt
jHxastDcds)oMc=jvh7wdUhxcsdt2

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1708 schtasks.exe

pid	process
1708	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exeexplorer.exe

pid	process
336	rundll32.exe
1180	explorer.exe
1180	explorer.exe
1180	explorer.exe
1180	explorer.exe
1180	explorer.exe
1180	explorer.exe
1180	explorer.exe
1180	explorer.exe
1180	explorer.exe
1180	explorer.exe
1180	explorer.exe
1180	explorer.exe
1180	explorer.exe
1180	explorer.exe
1180	explorer.exe
1180	explorer.exe
1180	explorer.exe
1180	explorer.exe
1180	explorer.exe
1180	explorer.exe
1180	explorer.exe
1180	explorer.exe
1180	explorer.exe
1180	explorer.exe
1180	explorer.exe
1180	explorer.exe
1180	explorer.exe
1180	explorer.exe
1180	explorer.exe
1180	explorer.exe
1180	explorer.exe
1180	explorer.exe
1180	explorer.exe
1180	explorer.exe
1180	explorer.exe
1180	explorer.exe
1180	explorer.exe
1180	explorer.exe
1180	explorer.exe
1180	explorer.exe
1180	explorer.exe
1180	explorer.exe
1180	explorer.exe
1180	explorer.exe
1180	explorer.exe
1180	explorer.exe
1180	explorer.exe
1180	explorer.exe
1180	explorer.exe
1180	explorer.exe
1180	explorer.exe
1180	explorer.exe
1180	explorer.exe
1180	explorer.exe
1180	explorer.exe
1180	explorer.exe
1180	explorer.exe
1180	explorer.exe
1180	explorer.exe
1180	explorer.exe
1180	explorer.exe
1180	explorer.exe
1180	explorer.exe

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

rundll32.exe

pid process

336 rundll32.exe

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

rundll32.exerundll32.exeexplorer.exetaskeng.exe

description	pid	process	target process
PID 752 wrote to memory of 336	752	rundll32.exe	rundll32.exe
PID 752 wrote to memory of 336	752	rundll32.exe	rundll32.exe
PID 752 wrote to memory of 336	752	rundll32.exe	rundll32.exe
PID 752 wrote to memory of 336	752	rundll32.exe	rundll32.exe
PID 752 wrote to memory of 336	752	rundll32.exe	rundll32.exe
PID 752 wrote to memory of 336	752	rundll32.exe	rundll32.exe
PID 752 wrote to memory of 336	752	rundll32.exe	rundll32.exe
PID 336 wrote to memory of 1180	336	rundll32.exe	explorer.exe
PID 336 wrote to memory of 1180	336	rundll32.exe	explorer.exe
PID 336 wrote to memory of 1180	336	rundll32.exe	explorer.exe
PID 336 wrote to memory of 1180	336	rundll32.exe	explorer.exe
PID 336 wrote to memory of 1180	336	rundll32.exe	explorer.exe
PID 336 wrote to memory of 1180	336	rundll32.exe	explorer.exe
PID 1180 wrote to memory of 1708	1180	explorer.exe	schtasks.exe
PID 1180 wrote to memory of 1708	1180	explorer.exe	schtasks.exe
PID 1180 wrote to memory of 1708	1180	explorer.exe	schtasks.exe
PID 1180 wrote to memory of 1708	1180	explorer.exe	schtasks.exe
PID 468 wrote to memory of 1344	468	taskeng.exe	regsvr32.exe
PID 468 wrote to memory of 1344	468	taskeng.exe	regsvr32.exe
PID 468 wrote to memory of 1344	468	taskeng.exe	regsvr32.exe
PID 468 wrote to memory of 1344	468	taskeng.exe	regsvr32.exe
PID 468 wrote to memory of 1344	468	taskeng.exe	regsvr32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\0a4ac14725b88aff8573e7fe775b708cab956fd6c2c6a9c6bf41c76c58c85d5b.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:752

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\0a4ac14725b88aff8573e7fe775b708cab956fd6c2c6a9c6bf41c76c58c85d5b.dll,#1
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:336

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1180

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn engdlyulgx /tr "regsvr32.exe -s \"C:\Users\Admin\AppData\Local\Temp\0a4ac14725b88aff8573e7fe775b708cab956fd6c2c6a9c6bf41c76c58c85d5b.dll\"" /SC ONCE /Z /ST 10:19 /ET 10:31
4⤵
- Creates scheduled task(s)
PID:1708

C:\Windows\system32\taskeng.exe
taskeng.exe {52AC75C7-0548-4BCD-9517-673FCF7FAC90} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:468

C:\Windows\system32\regsvr32.exe
regsvr32.exe -s "C:\Users\Admin\AppData\Local\Temp\0a4ac14725b88aff8573e7fe775b708cab956fd6c2c6a9c6bf41c76c58c85d5b.dll"
2⤵
PID:1344

C:\Windows\SysWOW64\regsvr32.exe
-s "C:\Users\Admin\AppData\Local\Temp\0a4ac14725b88aff8573e7fe775b708cab956fd6c2c6a9c6bf41c76c58c85d5b.dll"
3⤵
PID:1828

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0a4ac14725b88aff8573e7fe775b708cab956fd6c2c6a9c6bf41c76c58c85d5b.dll
Filesize
1.3MB

MD5
5db3fd7c47a60dd0dc5c9b9733ef3a28

SHA1
9c6bedc01368ebad082fcab4c5bf32cd6ccd17e7

SHA256
0a4ac14725b88aff8573e7fe775b708cab956fd6c2c6a9c6bf41c76c58c85d5b

SHA512
b1845e18e16954032e34392bbeaef839bd991d7d4106e2467b20cdf01927ca3ed4191762b3d58739c5d901df06d2fe6a6c83abef5a0b63668fcd835bb1a69e99

Download Submit
memory/336-65-0x00000000004C0000-0x00000000004E2000-memory.dmp

Filesize
136KB

Download
memory/336-55-0x0000000074D61000-0x0000000074D63000-memory.dmp

Filesize
8KB

Download
memory/336-56-0x0000000000BD0000-0x0000000000D19000-memory.dmp

Filesize
1.3MB

Download
memory/336-57-0x00000000004C0000-0x00000000004E2000-memory.dmp

Filesize
136KB

Download
memory/336-59-0x00000000004C0000-0x00000000004E2000-memory.dmp

Filesize
136KB

Download
memory/336-58-0x00000000004C0000-0x00000000004E2000-memory.dmp

Filesize
136KB

Download
memory/336-60-0x0000000000490000-0x00000000004B2000-memory.dmp

Filesize
136KB

Download
memory/336-61-0x00000000004C0000-0x00000000004E2000-memory.dmp

Filesize
136KB

Download
memory/336-54-0x0000000000000000-mapping.dmp

Download
memory/1180-62-0x0000000000000000-mapping.dmp

Download
memory/1180-66-0x00000000000C0000-0x00000000000E2000-memory.dmp

Filesize
136KB

Download
memory/1180-68-0x00000000000C0000-0x00000000000E2000-memory.dmp

Filesize
136KB

Download
memory/1180-64-0x0000000074061000-0x0000000074063000-memory.dmp

Filesize
8KB

Download
memory/1344-69-0x0000000000000000-mapping.dmp

Download
memory/1344-70-0x000007FEFB541000-0x000007FEFB543000-memory.dmp

Filesize
8KB

Download
memory/1708-67-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads