qakbot | c59d033fa3a58112f7520113699c74552c4d12bb10783fa880359ec94affe2a1

Resubmissions

15-03-2023 18:20

230315-wyy47sef87 10

15-03-2023 18:16

15-03-2023 17:46

15-03-2023 15:52

15-03-2023 10:08

Analysis

max time kernel
116s
max time network
70s
platform
windows10-1703_x64
resource
win10-20230220-de
resource tags

arch:x64arch:x86image:win10-20230220-delocale:de-deos:windows10-1703-x64systemwindows
submitted
15-03-2023 18:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c59d033fa3a58112f7520113699c74552c4d12bb10783fa880359ec94affe2a1.dll
Size

2.1MB
MD5

adfa9e13af7bff7b9304de834dc620e6
SHA1

1eceee464aefad0708f1e5ddcd0550b25da32fe0
SHA256

c59d033fa3a58112f7520113699c74552c4d12bb10783fa880359ec94affe2a1
SHA512

c3e459751cd7d36c6fe6934d03144536a3d0f6f85318bf14f798a6ea9d5bee2adf68cb20d2c9ecf861a9bd96b5fd75750fcf283f8fe17a878f19ab7706692c66
SSDEEP

3072:DNoM+4+Kci5Cbw8IsklTVhKAgUbV6RWWuZ:DW0NHmt9klHb4

Score

10^/10

qakbot abc107 1607078484 banker stealer trojan

Malware Config

Extracted

Family

qakbot

Version

401.62

Botnet

abc107

Campaign

1607078484

32.212.117.188:443

109.205.204.229:2222

72.36.59.46:2222

173.18.126.193:2222

96.225.88.23:443

89.137.211.239:443

110.142.205.182:443

82.76.47.211:443

193.83.25.177:995

67.40.253.209:995

73.244.83.199:443

2.90.186.243:995

189.252.62.238:995

141.237.135.194:443

82.78.70.128:443

185.125.151.172:443

79.117.239.22:2222

86.189.252.131:2222

83.114.243.80:2222

2.50.56.81:443

Attributes

salt
jHxastDcds)oMc=jvh7wdUhxcsdt2

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot
Loads dropped DLL 1 IoCs

Processes:

regsvr32.exe

pid process

5024 regsvr32.exe

pid	process
5024	regsvr32.exe

Drops file in Windows directory 35 IoCs

Processes:

rundll32.exe

description	ioc	process
File opened for modification	C:\Windows\INF\ndisvirtualbus.PNF	rundll32.exe
File opened for modification	C:\Windows\INF\volmgr.PNF	rundll32.exe
File opened for modification	C:\Windows\INF\c_swdevice.PNF	rundll32.exe
File opened for modification	C:\Windows\INF\display.PNF	rundll32.exe
File opened for modification	C:\Windows\INF\hdaudbus.PNF	rundll32.exe
File opened for modification	C:\Windows\INF\acpi.PNF	rundll32.exe
File opened for modification	C:\Windows\INF\basicdisplay.PNF	rundll32.exe
File opened for modification	C:\Windows\INF\vdrvroot.PNF	rundll32.exe
File opened for modification	C:\Windows\INF\spaceport.PNF	rundll32.exe
File opened for modification	C:\Windows\INF\hal.PNF	rundll32.exe
File opened for modification	C:\Windows\INF\pci.PNF	rundll32.exe
File opened for modification	C:\Windows\INF\audioendpoint.PNF	rundll32.exe
File opened for modification	C:\Windows\INF\monitor.PNF	rundll32.exe
File opened for modification	C:\Windows\INF\kdnic.PNF	rundll32.exe
File opened for modification	C:\Windows\INF\compositebus.PNF	rundll32.exe
File opened for modification	C:\Windows\INF\usbport.PNF	rundll32.exe
File opened for modification	C:\Windows\INF\basicrender.PNF	rundll32.exe
File opened for modification	C:\Windows\INF\rdpbus.PNF	rundll32.exe
File opened for modification	C:\Windows\INF\cdrom.PNF	rundll32.exe
File opened for modification	C:\Windows\INF\volume.PNF	rundll32.exe
File opened for modification	C:\Windows\INF\mshdc.PNF	rundll32.exe
File opened for modification	C:\Windows\INF\vhdmp.PNF	rundll32.exe
File opened for modification	C:\Windows\INF\swenum.PNF	rundll32.exe
File opened for modification	C:\Windows\INF\printqueue.PNF	rundll32.exe
File opened for modification	C:\Windows\INF\umbus.PNF	rundll32.exe
File opened for modification	C:\Windows\INF\hdaudio.PNF	rundll32.exe
File opened for modification	C:\Windows\INF\keyboard.PNF	rundll32.exe
File opened for modification	C:\Windows\INF\volsnap.PNF	rundll32.exe
File opened for modification	C:\Windows\INF\msmouse.PNF	rundll32.exe
File opened for modification	C:\Windows\INF\cpu.PNF	rundll32.exe
File opened for modification	C:\Windows\INF\mssmbios.PNF	rundll32.exe
File opened for modification	C:\Windows\INF\netrtl64.PNF	rundll32.exe
File opened for modification	C:\Windows\INF\input.PNF	rundll32.exe
File opened for modification	C:\Windows\INF\machine.PNF	rundll32.exe
File opened for modification	C:\Windows\INF\disk.PNF	rundll32.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3348 5024 WerFault.exe regsvr32.exe

pid	pid_target	process	target process
3348	5024	WerFault.exe	regsvr32.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\DeviceDesc	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Service	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\DeviceDesc	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Service	rundll32.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

4316 schtasks.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

rundll32.exe

pid process

2592 rundll32.exe
2592 rundll32.exe
2592 rundll32.exe
2592 rundll32.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

rundll32.exe

pid process

2592 rundll32.exe

pid	process
4316	schtasks.exe

pid	process
2592	rundll32.exe
2592	rundll32.exe
2592	rundll32.exe
2592	rundll32.exe

pid	process
2592	rundll32.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

rundll32.exerundll32.exeexplorer.exeregsvr32.exe

description	pid	process	target process
PID 2336 wrote to memory of 2592	2336	rundll32.exe	rundll32.exe
PID 2336 wrote to memory of 2592	2336	rundll32.exe	rundll32.exe
PID 2336 wrote to memory of 2592	2336	rundll32.exe	rundll32.exe
PID 2592 wrote to memory of 3996	2592	rundll32.exe	explorer.exe
PID 2592 wrote to memory of 3996	2592	rundll32.exe	explorer.exe
PID 2592 wrote to memory of 3996	2592	rundll32.exe	explorer.exe
PID 2592 wrote to memory of 3996	2592	rundll32.exe	explorer.exe
PID 2592 wrote to memory of 3996	2592	rundll32.exe	explorer.exe
PID 3996 wrote to memory of 4316	3996	explorer.exe	schtasks.exe
PID 3996 wrote to memory of 4316	3996	explorer.exe	schtasks.exe
PID 3996 wrote to memory of 4316	3996	explorer.exe	schtasks.exe
PID 1428 wrote to memory of 5024	1428	regsvr32.exe	regsvr32.exe
PID 1428 wrote to memory of 5024	1428	regsvr32.exe	regsvr32.exe
PID 1428 wrote to memory of 5024	1428	regsvr32.exe	regsvr32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\c59d033fa3a58112f7520113699c74552c4d12bb10783fa880359ec94affe2a1.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2336

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\c59d033fa3a58112f7520113699c74552c4d12bb10783fa880359ec94affe2a1.dll,#1
2⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2592

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:3996

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn vzpoelxb /tr "regsvr32.exe -s \"C:\Users\Admin\AppData\Local\Temp\c59d033fa3a58112f7520113699c74552c4d12bb10783fa880359ec94affe2a1.dll\"" /SC ONCE /Z /ST 18:23 /ET 18:35
4⤵
- Creates scheduled task(s)
PID:4316

\??\c:\windows\system32\regsvr32.exe
regsvr32.exe -s "C:\Users\Admin\AppData\Local\Temp\c59d033fa3a58112f7520113699c74552c4d12bb10783fa880359ec94affe2a1.dll"
1⤵
- Suspicious use of WriteProcessMemory
PID:1428

C:\Windows\SysWOW64\regsvr32.exe
-s "C:\Users\Admin\AppData\Local\Temp\c59d033fa3a58112f7520113699c74552c4d12bb10783fa880359ec94affe2a1.dll"
2⤵
- Loads dropped DLL
PID:5024

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5024 -s 596
3⤵
- Program crash
PID:3348

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\c59d033fa3a58112f7520113699c74552c4d12bb10783fa880359ec94affe2a1.dll
Filesize
2.1MB

MD5
001206b3d00447bf8e35c8bf1348b0fe

SHA1
4e84143258b698c9f6e2a39ab74162b6cc81bf3f

SHA256
e5fbbf228db0d4955d893cecc39008438b608ef0ae4977246f5a0431e5d78619

SHA512
c98bdaf23844a01ee4a0edbee632ca88f2d362b32a8f06e7821aa09193d8ac7a7a17af7dc431ff449519539d0f957db196bbf72923d4640c672088a353dfb54d

Download Submit
C:\Windows\INF\audioendpoint.PNF
Filesize
5KB

MD5
ee3b48c5098e33c9a39135a4d46ded2f

SHA1
530ef41e01468d4e52d3835e7a794bb2d89a0976

SHA256
89c30ae017009b5f3cb37045e53e68c6eb378fe6e3e8fa9bcaa0a4c4ca6103ca

SHA512
97a0edbabbf5ec4ba23cdf8cc9e18c54f2a47c631536d6ec109a1c93c1a732f2e030194d065e51e14a2b63ba02e96c76754ffc016f142fec699b60d6ec84331b

Download Submit
C:\Windows\INF\c_swdevice.PNF
Filesize
6KB

MD5
2d3ce0165fe67a0cc7f0bf31929c51c8

SHA1
05ba716ab38db5d6398a1f55af1b3ab60db0fdd3

SHA256
4bc4df8476ff34b14bdc48593508c9ed60b6ea581e38bae8cda8900be3d4958f

SHA512
9bd00ba67020bfa4bc2415feeb48f046849313404d53a41876aed4769e6843adcd4a9b9c18048d4d86b243f40d21f10af340edc7a10ee5330920ba2b1f8058f1

Download Submit
C:\Windows\INF\cpu.PNF
Filesize
19KB

MD5
c9b4337390178d0115c52b33eab56f9f

SHA1
f3893481c4e7b44b4d04fa90c21e148ee562089f

SHA256
bcac253f17681b87cf8ead1092189b79d723d4e52266127689a0358231ee0c30

SHA512
aecfd16d19e2d94ca54811c4a40cfdfd1809ab54b068503112b0cceddbed471826576a2b1372a0ec4baa0c33ed8f906d01574c850acbcc809873d3d2caae1a7b

Download Submit
C:\Windows\INF\machine.PNF
Filesize
152KB

MD5
624a1a353893fb0f121ebc3fb3007c4d

SHA1
336b5cfd5328380559f202aaf0241d6a97ca698d

SHA256
f119104cfbd166668cc0f6c3cd0ff55ace21bc17798b2f5e73cb3f1ad24669b1

SHA512
cd111143cd15abedf7bd34ce1eb8f8810df0f8bfdc3c6f31c695cf8ad1e337a6561cf9209821d21a9b27c0bad44d1f955dc3e6a38d49c6284c46893ace717492

Download Submit
C:\Windows\INF\mshdc.PNF
Filesize
67KB

MD5
193f1bfe81d6823864d5d283146c2a12

SHA1
3d0c4726358842d7bd89588e6d20b8d85efa30eb

SHA256
65e42e929c11b9ae6b6d80f29fc931780f467f827cabe6fccf59dd7ef4e9f077

SHA512
54530c56d3193f818e33bf4dc698022e384da5697146e2abc9d79b07ceb14941284be5a5ec82327350dd30dd14761c4577dec07cb3e8bf771a5741ec785dead4

Download Submit
C:\Windows\INF\msmouse.PNF
Filesize
96KB

MD5
1e12f538ad5892392294a03e34921a6b

SHA1
384a1709d12a841f83c1e1d5a069c3bf25f73567

SHA256
5f6b0265a871554135286bff03dc4374c599bdf7028a506884f881b9ca49d879

SHA512
67d5a56d31551fa7c47b951bdc1cc1282cc8db00d8a171099165cb26d3655e66172d3757baed4c70fd0309800afd6efd57836c02ecf81970d3abc20158087d23

Download Submit
C:\Windows\INF\printqueue.PNF
Filesize
7KB

MD5
4f4f26d4e3dcea866324372db113ba5a

SHA1
00580631d329b449959da2f556539e5953df6cda

SHA256
95249316e2c531502cfacccb856751d6a29787eaa53ad284bc8cc9184d8da489

SHA512
e2176262caba9899eb7d972b548a4c263c311941c388013506e572365d8e9cde12141e04e0772d1b614b61f78c0dbe94d4c6c94be592210f31c68b97cf0b0566

Download Submit
C:\Windows\INF\usbport.PNF
Filesize
146KB

MD5
9901c1e79809e9ff03f2e8821080861a

SHA1
93abc4894166972cebb4a3ace7a11ba40d1b49fd

SHA256
bb78d1dbf245fb02e3c98550bfddf14621a7919a42bd483f52a3b75bdc0df347

SHA512
7e2a9d21fe6c4f035fb37fc50c4f58ba5e497b10944305f7ea5510db1aa4c9c705ed66aa504ac2c0051cde32192861b6ba3bdd7f3ee8d6dfd405cc0824fe1708

Download Submit
C:\Windows\INF\volume.PNF
Filesize
5KB

MD5
b16d16a171cfe99aae4c5c4f64c2c0f5

SHA1
be2193bd620a8725e2aec7ca7062422a2a845e2c

SHA256
98988d7707efa81c4f2264372b74239edd04034c6c0b13e2cd7c7092819a7268

SHA512
0a4bac2fbb10e545cecc9ed2972918b341b7ad9699b3a494dee05af09420eef0a3834493112b7b1524804a30b23e4e79b97f8dfa909562ce061c0e383373468a

Download Submit
\Users\Admin\AppData\Local\Temp\c59d033fa3a58112f7520113699c74552c4d12bb10783fa880359ec94affe2a1.dll
Filesize
2.1MB

MD5
001206b3d00447bf8e35c8bf1348b0fe

SHA1
4e84143258b698c9f6e2a39ab74162b6cc81bf3f

SHA256
e5fbbf228db0d4955d893cecc39008438b608ef0ae4977246f5a0431e5d78619

SHA512
c98bdaf23844a01ee4a0edbee632ca88f2d362b32a8f06e7821aa09193d8ac7a7a17af7dc431ff449519539d0f957db196bbf72923d4640c672088a353dfb54d

Download Submit
memory/2592-121-0x0000000000AE0000-0x0000000000CCA000-memory.dmp

Filesize
1.9MB

Download
memory/2592-349-0x0000000010000000-0x0000000010021000-memory.dmp

Filesize
132KB

Download
memory/2592-122-0x0000000010000000-0x0000000010021000-memory.dmp

Filesize
132KB

Download
memory/3996-352-0x0000000000B40000-0x0000000000B61000-memory.dmp

Filesize
132KB

Download
memory/3996-353-0x0000000000B40000-0x0000000000B61000-memory.dmp

Filesize
132KB

Download
memory/3996-354-0x0000000000B40000-0x0000000000B61000-memory.dmp

Filesize
132KB

Download
memory/3996-356-0x0000000000B40000-0x0000000000B61000-memory.dmp

Filesize
132KB

Download
memory/3996-357-0x0000000000B40000-0x0000000000B61000-memory.dmp

Filesize
132KB

Download