qakbot | 45f9221e1b71c4d31830a1ded1809bf510facdfc809012d898990205d34b6eb3

General

Target

bfe9c5ad4132e6f317351a8f17450d09.dll
Size

1.0MB
MD5

bfe9c5ad4132e6f317351a8f17450d09
SHA1

209da31664e8cb26e12b15181b85e2e93e404ef7
SHA256

45f9221e1b71c4d31830a1ded1809bf510facdfc809012d898990205d34b6eb3
SHA512

a04f1066962050b46d22347b6ab53409a6f70d316828e95bbdba540b5e829e8bd2fd8094f400905bc7ac44e41abe946fe50de4caddd22bbe7ce01700492209b7
SSDEEP

24576:8+N4Rsx6ZIlcgFagUOqtQ1e78l1T9N36OfMMElHNGlpJMFymEYe/uAg9JXkQKLKT:8lIOgFa41l1T9N36OUMzlpJMFymEYe/y

Score

10^/10

qakbot tr 1633334141 banker stealer trojan

Malware Config

Extracted

Family

qakbot

Version

402.363

Botnet

tr

Campaign

1633334141

C2

75.75.179.226:443

185.250.148.74:443

122.11.220.212:2222

120.150.218.241:995

103.148.120.144:443

140.82.49.12:443

40.131.140.155:995

206.47.134.234:2222

73.230.205.91:443

190.198.206.189:2222

103.157.122.198:995

81.250.153.227:2222

167.248.100.227:443

96.57.188.174:2078

217.17.56.163:2222

217.17.56.163:2078

41.228.22.180:443

136.232.34.70:443

68.186.192.69:443

167.248.111.245:443

Attributes

salt
jHxastDcds)oMc=jvh7wdUhxcsdt2

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot

Loads dropped DLL 1 IoCs

Processes:

regsvr32.exe

pid	Process
1860	regsvr32.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

Processes:

schtasks.exe

pid	Process
3828	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

rundll32.exe

pid	Process
944	rundll32.exe
944	rundll32.exe

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

rundll32.exe

pid	Process
944	rundll32.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

rundll32.exerundll32.exeexplorer.exeregsvr32.exe

description	pid	Process	procid_target
PID 2920 wrote to memory of 944	2920	rundll32.exe	87
PID 2920 wrote to memory of 944	2920	rundll32.exe	87
PID 2920 wrote to memory of 944	2920	rundll32.exe	87
PID 944 wrote to memory of 688	944	rundll32.exe	93
PID 944 wrote to memory of 688	944	rundll32.exe	93
PID 944 wrote to memory of 688	944	rundll32.exe	93
PID 944 wrote to memory of 688	944	rundll32.exe	93
PID 944 wrote to memory of 688	944	rundll32.exe	93
PID 688 wrote to memory of 3828	688	explorer.exe	94
PID 688 wrote to memory of 3828	688	explorer.exe	94
PID 688 wrote to memory of 3828	688	explorer.exe	94
PID 1944 wrote to memory of 1860	1944	regsvr32.exe	100
PID 1944 wrote to memory of 1860	1944	regsvr32.exe	100
PID 1944 wrote to memory of 1860	1944	regsvr32.exe	100

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\bfe9c5ad4132e6f317351a8f17450d09.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2920
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\bfe9c5ad4132e6f317351a8f17450d09.dll,#1
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:944
- - C:\Windows\SysWOW64\explorer.exe
    C:\Windows\SysWOW64\explorer.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:688
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn ylzmurcn /tr "regsvr32.exe -s \"C:\Users\Admin\AppData\Local\Temp\bfe9c5ad4132e6f317351a8f17450d09.dll\"" /SC ONCE /Z /ST 16:47 /ET 16:59
      4⤵
      Creates scheduled task(s)
      PID:3828

C:\Windows\system32\regsvr32.exe
regsvr32.exe -s "C:\Users\Admin\AppData\Local\Temp\bfe9c5ad4132e6f317351a8f17450d09.dll"
1⤵
- Suspicious use of WriteProcessMemory
PID:1944
- C:\Windows\SysWOW64\regsvr32.exe
  -s "C:\Users\Admin\AppData\Local\Temp\bfe9c5ad4132e6f317351a8f17450d09.dll"
  2⤵
  - Loads dropped DLL
  PID:1860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\bfe9c5ad4132e6f317351a8f17450d09.dll

Filesize
1007KB

MD5
78a64fddae348e848891812f9569fd32

SHA1
6aa3fa83ba0c782277d9b9f9477ea7b41e7854ac

SHA256
7b58263e3fc8e06fc72e1097fa0326c348cd6ce51579c8dcec4dd8d339bd9ae1

SHA512
9876db61a3fbb5a33195ed525ab8dd6cf7ff2eeeda8e05b406a3974df1b0a90b4022fe8691750123ce9753bbe3b9cabe606a45b51cd640f6065e912714bc4095

Download Submit
C:\Users\Admin\AppData\Local\Temp\bfe9c5ad4132e6f317351a8f17450d09.dll

Filesize
187KB

MD5
b699e31f60abb48719bf2dc001db92b3

SHA1
054030851bb0c68448d3186fc2ced01a9bd3dea3

SHA256
b037c1330f6aff5fc3f91215abde4d77373d070c40e98619c7cc218ea93b8013

SHA512
99c4e80af10b8023fd198fead6fb740c21d55f947336d873f70e157570144f76d3efa1386d04a4c446ee36cf5887e43567cc1b64be4f643e3e836226b52fe2de

Download Submit
memory/688-6-0x0000000001250000-0x0000000001271000-memory.dmp

Filesize
132KB

Download
memory/688-12-0x0000000001250000-0x0000000001271000-memory.dmp

Filesize
132KB

Download
memory/688-11-0x0000000001250000-0x0000000001271000-memory.dmp

Filesize
132KB

Download
memory/688-10-0x0000000001250000-0x0000000001271000-memory.dmp

Filesize
132KB

Download
memory/688-14-0x0000000001250000-0x0000000001271000-memory.dmp

Filesize
132KB

Download
memory/944-0-0x0000000074BA0000-0x00000000755AC000-memory.dmp

Filesize
10.0MB

Download
memory/944-1-0x0000000074BA0000-0x00000000755AC000-memory.dmp

Filesize
10.0MB

Download
memory/944-3-0x0000000000A60000-0x0000000000A61000-memory.dmp

Filesize
4KB

Download
memory/944-2-0x0000000074BA0000-0x00000000755AC000-memory.dmp

Filesize
10.0MB

Download
memory/944-5-0x0000000074BA0000-0x00000000755AC000-memory.dmp

Filesize
10.0MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads