qakbot | 62b038f2dc2ab995d036930a2eaa5f2dc67fb0ab884459d3fa6df653eec307e1

General

Target

62b038f2dc2ab995d036930a2eaa5f2dc67fb0ab884459d3fa6df653eec307e1.dll
Size

337KB
MD5

1bcb097de905cbe1e9fc9683e1dea036
SHA1

df042b4a2c65a0d761f93baeb8ee4d06fbd33229
SHA256

62b038f2dc2ab995d036930a2eaa5f2dc67fb0ab884459d3fa6df653eec307e1
SHA512

89f6de104a2dd12040492d8836ac1819a4f857c4e6554848b68d5ca51fe7b2bd5d860403954af45a67cad42bc9909ef94fa9175e20580cfe5c6a8d14d2386b29
SSDEEP

6144:BTfmt7eZAPOyKmLrLqGvHr0nNK11G9DMQyaViFwRun:Bbi7/xZrkNK11G9AQyOi6Q

Score

10^/10

qakbot abc106m 1606921461 banker stealer trojan

Malware Config

Extracted

Family

qakbot

Version

401.51

Botnet

abc106m

Campaign

1606921461

C2

94.69.242.254:2222

189.140.45.48:995

37.182.244.124:2222

73.136.242.114:443

187.149.126.53:443

189.210.115.207:443

96.27.47.70:2222

185.163.221.77:2222

85.132.36.111:2222

178.87.10.110:443

120.150.218.241:995

68.224.121.148:993

78.101.145.96:61201

47.146.34.236:443

24.95.61.62:443

72.29.181.78:2222

93.113.177.152:443

87.218.53.206:2222

106.51.85.162:443

2.90.33.130:443

Attributes

salt
jHxastDcds)oMc=jvh7wdUhxcsdt2

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot

Triggers on strings of known Qakbot samples, tested on Sandbox https://tria.ge with below listed hash samples 6 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1120-54-0x0000000010000000-0x0000000010056000-memory.dmp	MAL_QAKBOT_Mar2023
behavioral1/memory/1960-59-0x00000000000C0000-0x00000000000E1000-memory.dmp	MAL_QAKBOT_Mar2023
behavioral1/memory/1960-60-0x00000000000C0000-0x00000000000E1000-memory.dmp	MAL_QAKBOT_Mar2023
behavioral1/memory/1960-62-0x00000000000C0000-0x00000000000E1000-memory.dmp	MAL_QAKBOT_Mar2023
behavioral1/memory/1960-61-0x00000000000C0000-0x00000000000E1000-memory.dmp	MAL_QAKBOT_Mar2023
behavioral1/memory/1960-64-0x00000000000C0000-0x00000000000E1000-memory.dmp	MAL_QAKBOT_Mar2023

Loads dropped DLL 1 IoCs

Processes:

regsvr32.exe

pid process

880 regsvr32.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

680 schtasks.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

rundll32.exe

pid process

1120 rundll32.exe
1120 rundll32.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

rundll32.exe

pid process

1120 rundll32.exe

pid	process
880	regsvr32.exe

pid	process
680	schtasks.exe

pid	process
1120	rundll32.exe
1120	rundll32.exe

pid	process
1120	rundll32.exe

Suspicious use of WriteProcessMemory 29 IoCs

Processes:

rundll32.exerundll32.exeexplorer.exetaskeng.exeregsvr32.exe

description	pid	process	target process
PID 1048 wrote to memory of 1120	1048	rundll32.exe	rundll32.exe
PID 1048 wrote to memory of 1120	1048	rundll32.exe	rundll32.exe
PID 1048 wrote to memory of 1120	1048	rundll32.exe	rundll32.exe
PID 1048 wrote to memory of 1120	1048	rundll32.exe	rundll32.exe
PID 1048 wrote to memory of 1120	1048	rundll32.exe	rundll32.exe
PID 1048 wrote to memory of 1120	1048	rundll32.exe	rundll32.exe
PID 1048 wrote to memory of 1120	1048	rundll32.exe	rundll32.exe
PID 1120 wrote to memory of 1960	1120	rundll32.exe	explorer.exe
PID 1120 wrote to memory of 1960	1120	rundll32.exe	explorer.exe
PID 1120 wrote to memory of 1960	1120	rundll32.exe	explorer.exe
PID 1120 wrote to memory of 1960	1120	rundll32.exe	explorer.exe
PID 1120 wrote to memory of 1960	1120	rundll32.exe	explorer.exe
PID 1120 wrote to memory of 1960	1120	rundll32.exe	explorer.exe
PID 1960 wrote to memory of 680	1960	explorer.exe	schtasks.exe
PID 1960 wrote to memory of 680	1960	explorer.exe	schtasks.exe
PID 1960 wrote to memory of 680	1960	explorer.exe	schtasks.exe
PID 1960 wrote to memory of 680	1960	explorer.exe	schtasks.exe
PID 1436 wrote to memory of 1196	1436	taskeng.exe	regsvr32.exe
PID 1436 wrote to memory of 1196	1436	taskeng.exe	regsvr32.exe
PID 1436 wrote to memory of 1196	1436	taskeng.exe	regsvr32.exe
PID 1436 wrote to memory of 1196	1436	taskeng.exe	regsvr32.exe
PID 1436 wrote to memory of 1196	1436	taskeng.exe	regsvr32.exe
PID 1196 wrote to memory of 880	1196	regsvr32.exe	regsvr32.exe
PID 1196 wrote to memory of 880	1196	regsvr32.exe	regsvr32.exe
PID 1196 wrote to memory of 880	1196	regsvr32.exe	regsvr32.exe
PID 1196 wrote to memory of 880	1196	regsvr32.exe	regsvr32.exe
PID 1196 wrote to memory of 880	1196	regsvr32.exe	regsvr32.exe
PID 1196 wrote to memory of 880	1196	regsvr32.exe	regsvr32.exe
PID 1196 wrote to memory of 880	1196	regsvr32.exe	regsvr32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\62b038f2dc2ab995d036930a2eaa5f2dc67fb0ab884459d3fa6df653eec307e1.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1048

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\62b038f2dc2ab995d036930a2eaa5f2dc67fb0ab884459d3fa6df653eec307e1.dll,#1
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1120

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:1960

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn jrlxymhqz /tr "regsvr32.exe -s \"C:\Users\Admin\AppData\Local\Temp\62b038f2dc2ab995d036930a2eaa5f2dc67fb0ab884459d3fa6df653eec307e1.dll\"" /SC ONCE /Z /ST 16:20 /ET 16:32
4⤵
- Creates scheduled task(s)
PID:680

C:\Windows\system32\taskeng.exe
taskeng.exe {D8E70485-3D6A-4C04-830B-4975D71095E1} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:1436

C:\Windows\system32\regsvr32.exe
regsvr32.exe -s "C:\Users\Admin\AppData\Local\Temp\62b038f2dc2ab995d036930a2eaa5f2dc67fb0ab884459d3fa6df653eec307e1.dll"
2⤵
- Suspicious use of WriteProcessMemory
PID:1196

C:\Windows\SysWOW64\regsvr32.exe
-s "C:\Users\Admin\AppData\Local\Temp\62b038f2dc2ab995d036930a2eaa5f2dc67fb0ab884459d3fa6df653eec307e1.dll"
3⤵
- Loads dropped DLL
PID:880

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\62b038f2dc2ab995d036930a2eaa5f2dc67fb0ab884459d3fa6df653eec307e1.dll
Filesize
337KB

MD5
4e202f90dee218c94027b88c2ec7c037

SHA1
a0116397e29d28b5cd52e026698da3b2b6bb881f

SHA256
89f9d5e5c806f33e5f1c5c6a1fc8401fb8fd5514f40589c49bd8ee40ad746d98

SHA512
8e140a9b1e8b56a660334d5b622a7e22260c31fee6708457feef1d8e71e39d445926839eaa5941870a2f23ce3add7448e7f733bfa474cd4fe9b219f4e684d19b

Download Submit
\Users\Admin\AppData\Local\Temp\62b038f2dc2ab995d036930a2eaa5f2dc67fb0ab884459d3fa6df653eec307e1.dll
Filesize
337KB

MD5
4e202f90dee218c94027b88c2ec7c037

SHA1
a0116397e29d28b5cd52e026698da3b2b6bb881f

SHA256
89f9d5e5c806f33e5f1c5c6a1fc8401fb8fd5514f40589c49bd8ee40ad746d98

SHA512
8e140a9b1e8b56a660334d5b622a7e22260c31fee6708457feef1d8e71e39d445926839eaa5941870a2f23ce3add7448e7f733bfa474cd4fe9b219f4e684d19b

Download Submit
memory/1120-54-0x0000000010000000-0x0000000010056000-memory.dmp

Filesize
344KB

Download
memory/1120-55-0x0000000000160000-0x00000000001A0000-memory.dmp

Filesize
256KB

Download
memory/1960-57-0x00000000000F0000-0x00000000000F2000-memory.dmp

Filesize
8KB

Download
memory/1960-59-0x00000000000C0000-0x00000000000E1000-memory.dmp

Filesize
132KB

Download
memory/1960-60-0x00000000000C0000-0x00000000000E1000-memory.dmp

Filesize
132KB

Download
memory/1960-62-0x00000000000C0000-0x00000000000E1000-memory.dmp

Filesize
132KB

Download
memory/1960-61-0x00000000000C0000-0x00000000000E1000-memory.dmp

Filesize
132KB

Download
memory/1960-64-0x00000000000C0000-0x00000000000E1000-memory.dmp

Filesize
132KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads