qakbot | c6077ec7a088259558bc77dd0f0681a1c020d4feaa52a15bf056e5d1351b2b19

General

Target

c6077ec7a088259558bc77dd0f0681a1c020d4feaa52a15bf056e5d1351b2b19.dll
Size

126KB
MD5

3ff9d9dbf8c7a6865faeb43188afa6b4
SHA1

ba88ec57e854982e1bb7dbe4239b41c4b2b8c6a4
SHA256

c6077ec7a088259558bc77dd0f0681a1c020d4feaa52a15bf056e5d1351b2b19
SHA512

53e12acbfb932e606e30b7c174729c88c98cf0a63e9ac0b03776098a2087f5f7397baf4edacfd29802c77b57132a9a959c5f1d4fd41862e326e709bdfe39a6ed
SSDEEP

3072:FV9GWm/WPuPuZji5rPSASJDgfMBTBfQIoMh:fm/WGPuZj83SJEfMBTBoIv

Score

10^/10

qakbot azd 1661969003 banker stealer trojan

Malware Config

Extracted

Family

qakbot

Version

403.780

Botnet

azd

Campaign

1661969003

C2

72.252.157.93:990

72.252.157.93:995

187.172.230.151:443

46.107.48.202:443

70.46.220.114:443

173.189.167.21:995

93.48.80.198:995

99.232.140.205:2222

89.211.179.14:2222

37.210.148.30:995

182.191.92.203:995

41.228.22.180:443

70.51.153.182:2222

47.180.172.159:443

47.23.89.61:993

173.21.10.71:2222

208.107.221.224:443

76.25.142.196:443

63.143.92.99:995

24.158.23.166:995

Attributes

salt
jHxastDcds)oMc=jvh7wdUhxcsdt2

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1468 schtasks.exe

pid	process
1468	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

regsvr32.exeexplorer.exe

pid	process
1184	regsvr32.exe
1036	explorer.exe
1036	explorer.exe
1036	explorer.exe
1036	explorer.exe
1036	explorer.exe
1036	explorer.exe
1036	explorer.exe
1036	explorer.exe
1036	explorer.exe
1036	explorer.exe
1036	explorer.exe
1036	explorer.exe
1036	explorer.exe
1036	explorer.exe
1036	explorer.exe
1036	explorer.exe
1036	explorer.exe
1036	explorer.exe
1036	explorer.exe
1036	explorer.exe
1036	explorer.exe
1036	explorer.exe
1036	explorer.exe
1036	explorer.exe
1036	explorer.exe
1036	explorer.exe
1036	explorer.exe
1036	explorer.exe
1036	explorer.exe
1036	explorer.exe
1036	explorer.exe
1036	explorer.exe
1036	explorer.exe
1036	explorer.exe
1036	explorer.exe
1036	explorer.exe
1036	explorer.exe
1036	explorer.exe
1036	explorer.exe
1036	explorer.exe
1036	explorer.exe
1036	explorer.exe
1036	explorer.exe
1036	explorer.exe
1036	explorer.exe
1036	explorer.exe
1036	explorer.exe
1036	explorer.exe
1036	explorer.exe
1036	explorer.exe
1036	explorer.exe
1036	explorer.exe
1036	explorer.exe
1036	explorer.exe
1036	explorer.exe
1036	explorer.exe
1036	explorer.exe
1036	explorer.exe
1036	explorer.exe
1036	explorer.exe
1036	explorer.exe
1036	explorer.exe
1036	explorer.exe

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

regsvr32.exe

pid process

1184 regsvr32.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

regsvr32.exeregsvr32.exeexplorer.exe

description	pid	process	target process
PID 1028 wrote to memory of 1184	1028	regsvr32.exe	regsvr32.exe
PID 1028 wrote to memory of 1184	1028	regsvr32.exe	regsvr32.exe
PID 1028 wrote to memory of 1184	1028	regsvr32.exe	regsvr32.exe
PID 1028 wrote to memory of 1184	1028	regsvr32.exe	regsvr32.exe
PID 1028 wrote to memory of 1184	1028	regsvr32.exe	regsvr32.exe
PID 1028 wrote to memory of 1184	1028	regsvr32.exe	regsvr32.exe
PID 1028 wrote to memory of 1184	1028	regsvr32.exe	regsvr32.exe
PID 1184 wrote to memory of 1036	1184	regsvr32.exe	explorer.exe
PID 1184 wrote to memory of 1036	1184	regsvr32.exe	explorer.exe
PID 1184 wrote to memory of 1036	1184	regsvr32.exe	explorer.exe
PID 1184 wrote to memory of 1036	1184	regsvr32.exe	explorer.exe
PID 1184 wrote to memory of 1036	1184	regsvr32.exe	explorer.exe
PID 1184 wrote to memory of 1036	1184	regsvr32.exe	explorer.exe
PID 1036 wrote to memory of 1468	1036	explorer.exe	schtasks.exe
PID 1036 wrote to memory of 1468	1036	explorer.exe	schtasks.exe
PID 1036 wrote to memory of 1468	1036	explorer.exe	schtasks.exe
PID 1036 wrote to memory of 1468	1036	explorer.exe	schtasks.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\c6077ec7a088259558bc77dd0f0681a1c020d4feaa52a15bf056e5d1351b2b19.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:1028

C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\c6077ec7a088259558bc77dd0f0681a1c020d4feaa52a15bf056e5d1351b2b19.dll
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1184

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1036

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /Z /ST 16:36 /tn anwwjukveu /ET 16:47 /tr "powershell.exe -encodedCommand cgBlAGcAcwB2AHIAMwAyAC4AZQB4AGUAIAAiAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwAXABUAGUAbQBwAFwAYwA2ADAANwA3AGUAYwA3AGEAMAA4ADgAMgA1ADkANQA1ADgAYgBjADcANwBkAGQAMABmADAANgA4ADEAYQAxAGMAMAAyADAAZAA0AGYAZQBhAGEANQAyAGEAMQA1AGIAZgAwADUANgBlADUAZAAxADMANQAxAGIAMgBiADEAOQAuAGQAbABsACIA" /SC ONCE
4⤵
- Creates scheduled task(s)
PID:1468

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1028-54-0x000007FEFC4A1000-0x000007FEFC4A3000-memory.dmp

Filesize
8KB

Download
memory/1036-57-0x0000000000000000-mapping.dmp

Download
memory/1036-59-0x0000000074E91000-0x0000000074E93000-memory.dmp

Filesize
8KB

Download
memory/1036-60-0x00000000000D0000-0x00000000000F2000-memory.dmp

Filesize
136KB

Download
memory/1036-62-0x00000000000D0000-0x00000000000F2000-memory.dmp

Filesize
136KB

Download
memory/1184-55-0x0000000000000000-mapping.dmp

Download
memory/1184-56-0x0000000076CE1000-0x0000000076CE3000-memory.dmp

Filesize
8KB

Download
memory/1468-61-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads